auth remote-role

auth remote-role(1)	      BIG-IP TMSH Manual	   auth remote-role(1)



NAME
       remote-role - Creates remote role information in a file that an LDAP,
       Active Directory(r), RADIUS, or TACACS+ server reads to determine the
       specific access rights to grant to groups of remotely-authenticated
       users.

MODULE
       auth

SYNTAX
       Configure the remote-role component within the auth module using the
       syntax shown in the following sections.

   MODIFY
	modify remote-role
	 options:
	  description [string]
	  role-info [add | delete | modify | replace-all-with] {
	   [group-name] {
	    options:
	     attribute [string]
	     console [disabled | tmsh]
	     description [string]
	     deny [enabled | disabled]
	     line-order [integer]
	     role [acceleration-policy-editor | admin | fraud-protection-manager |
		   application-editor | auditor | certificate-manager |
		   firewall-manager | guest | irule-manager | manager |
		   no-access | operator | resource-admin | user-manager |
		   web-application-security-administrator |
		   web-application-security-editor]
	     user-partition [all | Common | [name] ]
	     user-partition [%string]
	   }
	  }
	  role-info none

   DISPLAY
	list remote-role
	show running-config remote-role
	  options:
	    all-properties
	    non-default-properties
	    one-line

   DELETE
       You cannot delete the remote-role defaults; you can only modify the
       values of the options.

DESCRIPTION
       You can use the remote-role component to grant access to a specific
       group of remotely-authenticated users without creating a local user
       account on the BIG-IP(r) system for each user in the group.

       Users assigned the role of Administrator can modify remote roles. Users
       assigned all other roles can view remote roles.

       You can use the variable substitution feature to assign access rights
       for a group of remote users by specifying a text string variable that
       is preceded by a leading % character for the options attribute,
       console, role and user-partition. For example, if you define the remote
       role for the groups DC1 and DC2 as follows:

	remote-role {
	  role-info {
	    dc1 {
	      attribute "F5-LTM-User-Info-1=DC1"
	      console %F5-LTM-User-Console
	      line-order 1
	      role %F5-LTM-User-Role
	      user-partition %F5-LTM-User-Partition
	    }
	    dc2 {
	      attribute "F5-LTM-User-Info-1=DC2"
	      line-order 2
	    }
	  }
	}

       The BIG-IP(r) system attempts to match the value of the attribute
       option, F5-LTM-User-Info-1=DC1, and then pulls the value of the
       console, role and user-partition options from the other variables.

       Note: If a variable includes an incorrect value, the system does not
       authorize the user. Additionally, if you have not defined the
       variables, as with the group DC2 above, the system authenticates the
       user with the following access rights:

       console = disabled
       role = none
       user-partition = none
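       The following Python script is an added example, not part of this man
       page or of F5's software. It models the behaviour described above for
       a set of role-info entries (the dc1 and dc2 groups from the example,
       plus a constructed deny entry): entries are tried in line-order, the
       attribute pair supplied by the authentication server is matched, the
       %variables for console, role and user-partition are substituted, an
       incorrect variable value refuses authorization, and undefined variables
       fall back to console disabled, role none, user-partition none. The
       numeric role codes are those listed under the role option. Two points
       are assumptions rather than statements of the page: that the first
       matching entry wins, and that an attribute given without "=value"
       matches when the server supplies that attribute at all.

```python
"""Resolve BIG-IP remote-role access for a remotely-authenticated user.

Added example, not F5 code: it models the attribute matching, variable
substitution, fall-back defaults and validation the man page describes,
so an administrator can check what a given set of server-supplied
attributes would grant before relying on it.
"""
from dataclasses import dataclass
from typing import Optional

# Codes a substituted %role variable must evaluate to (OPTIONS, "role").
ROLE_CODES = {
    0: "admin", 20: "resource-admin", 40: "user-manager", 80: "auditor",
    100: "manager", 300: "application-editor", 350: "advanced-operator",
    400: "operator", 450: "firewall-manager", 500: "certificate-manager",
    510: "irule-manager", 700: "guest",
    800: "web-application-security-administrator",
    810: "web-application-security-editor",
    850: "acceleration-policy-editor", 900: "no-access",
}

Attrs = dict  # attribute name -> value (str) or list of values (multi-valued LDAP attrs)


@dataclass
class RoleInfo:
    """One group entry under role-info (field names follow the man page).

    Unset console/role/user-partition default to the values the Note gives
    for a group with no variables defined (disabled / none / none).
    """
    name: str
    attribute: str                 # "name=value", bare "name", or "%VARIABLE"
    line_order: int
    console: str = "disabled"      # "disabled", "tmsh" or "%VARIABLE"
    role: str = "none"             # role name, or "%VARIABLE"
    user_partition: str = "none"   # "all", "Common", a partition, or "%VARIABLE"
    deny: bool = False


@dataclass
class Access:
    authorized: bool
    console: Optional[str] = None
    role: Optional[str] = None
    user_partition: Optional[str] = None
    matched: Optional[str] = None
    reason: str = ""


def _values(attrs: Attrs, name: str) -> list:
    v = attrs.get(name)
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple)) else [v]


def _attribute_matches(attribute: str, attrs: Attrs) -> bool:
    """True when the server-supplied attributes satisfy the entry's attribute option."""
    if attribute.startswith("%"):
        # Assumption: a %VARIABLE attribute matches when the server supplied that variable.
        return bool(_values(attrs, attribute[1:]))
    name, sep, expected = attribute.partition("=")
    supplied = _values(attrs, name)
    if not supplied:
        return False
    # Assumption: a bare attribute name (e.g. "NS-Admin-Privilege") matches on presence.
    return True if not sep else expected in supplied


def _substitute(value: str, attrs: Attrs):
    """Return (resolved value, defined?) for a literal option or a %VARIABLE."""
    if not value.startswith("%"):
        return value, True
    supplied = _values(attrs, value[1:])
    return (supplied[0], True) if supplied else (None, False)


def resolve_access(entries: list, attrs: Attrs) -> Access:
    """Walk role-info entries in ascending line-order; the first match decides.

    First-match-wins is an assumption: the page says only that order matters.
    """
    for e in sorted(entries, key=lambda e: e.line_order):
        if not _attribute_matches(e.attribute, attrs):
            continue
        if e.deny:
            return Access(False, matched=e.name, reason="deny enabled")
        console, c_ok = _substitute(e.console, attrs)
        role, r_ok = _substitute(e.role, attrs)
        part, p_ok = _substitute(e.user_partition, attrs)
        # Undefined variables fall back to the documented defaults.
        console = console if c_ok else "disabled"
        part = part if p_ok else "none"
        if not r_ok:
            role = "none"
        elif e.role.startswith("%"):
            # A substituted role must be one of the numeric codes; anything else is incorrect.
            code = int(role) if str(role).isdigit() else None
            if code not in ROLE_CODES:
                return Access(False, matched=e.name, reason=f"role variable {role!r} is not a valid role code")
            role = ROLE_CODES[code]
        if e.console.startswith("%") and c_ok and console != "tmsh":
            return Access(False, matched=e.name, reason=f"console variable must be tmsh, got {console!r}")
        return Access(True, console, role, part, e.name)
    return Access(False, reason="no role-info entry matched")


# Constructed configuration: the dc1/dc2 entries from the man page plus a deny entry.
REMOTE_ROLE = [
    RoleInfo("dc1", "F5-LTM-User-Info-1=DC1", 1, console="%F5-LTM-User-Console",
             role="%F5-LTM-User-Role", user_partition="%F5-LTM-User-Partition"),
    RoleInfo("dc2", "F5-LTM-User-Info-1=DC2", 2),
    RoleInfo("contractors", "F5-LTM-User-Info-1=EXT", 3, deny=True),
]

# Constructed attribute sets, as a RADIUS or LDAP server might return them.
FULL_DC1 = {"F5-LTM-User-Info-1": "DC1", "F5-LTM-User-Console": "tmsh",
            "F5-LTM-User-Role": "100", "F5-LTM-User-Partition": "all"}
BAD_ROLE_DC1 = dict(FULL_DC1, **{"F5-LTM-User-Role": "999"})

if __name__ == "__main__":
    for label, a in [("dc1", FULL_DC1), ("dc2", {"F5-LTM-User-Info-1": "DC2"}),
                     ("bad role", BAD_ROLE_DC1), ("denied", {"F5-LTM-User-Info-1": "EXT"})]:
        print(label, resolve_access(REMOTE_ROLE, a))
```

       Running the script prints the resolved access for a fully populated
       DC1 user (manager in all partitions, tmsh console), a DC2 user with
       no variables (console disabled, role none, partition none), a DC1
       user whose role variable is not a valid code (not authorized), and a
       member of the deny group. Feeding it the attribute set a directory
       actually returns for a test account is a cheap way to confirm that a
       group cannot end up with more rights than intended before the remote
       role is put into production.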

EXAMPLES
       modify remote-role role-info add { my_managers { attribute
       "memberOF=cn=BigIPmanagerGroup,cn=users,dc=mydept,dc=mycompany,dc=com"
       console disabled line-order 1000 role 100 user-partition all } }

       Configures a remote role, named my_managers, for LDAP authentication,
       by creating the 1000th line of the /config/bigip/auth/remoterole file,
       and granting the Manager role (100) in all partitions to the remote
       users assigned this role.

       modify remote-role role-info add { my_admins { attribute
       "NS-Admin-Privilege" console tmsh line-order 2000 role 0 user-partition
       all } }

       Configures a remote role, named my_admins, for LDAP authentication, by
       creating the 2000th line of the /config/bigip/auth/remoterole file, and
       granting the Administrator role (0) in all partitions to the remote
       users assigned this role.

       modify remote-role role-info add { my_managers { attribute
       "manager_group=manager" console tmsh line-order 3000 user-partition all
       } }

       Configures a remote role, named my_managers, for RADIUS or TACACS+
       authentication, by creating the 3000th line of the
       /config/bigip/auth/remoterole file, and granting the Administrator role
       (0) in all partitions to the remote users assigned this role.

OPTIONS
       description
	    Specifies a user-defined description.

       role-info
	    Configures the access rights for a specific group of remotely-
	    authenticated users. You can configure the following information
	    for a role:

	    attribute
		 Specifies an attribute-value pair that an authentication
		 server supplies to the BIG-IP system to match against entries
		 in /config/bigip/auth/remoterole. The specified pair
		 typically identifies users with access rights in common. This
		 option is required.

		 Alternatively, you can use the variable substitution feature
		 (described in the Description section above), and specify a
		 text string variable that is preceded by a leading %
		 character.

	    console
		 Enables or disables console access for the specified group of
		 remotely-authenticated users. The default value is disabled.

		 When using variable substitution, as described in the
		 Description section of this man page, the variable for the
		 console option must be: tmsh.

	    deny Enables or disables remote access for the specified group of
		 remotely-authenticated users. The default value is disabled.

	    description
		 Specifies a user-defined description.

	    group-name
		 Specifies the name of the remote role that you are
		 configuring. This option is required.

	    line-order
		 Specifies the number of the first populated line in the file,
		 /config/bigip/auth/remoterole. The LDAP, Active Directory,
		 RADIUS, and TACACS+ servers read this file line by line. The
		 order of the information is important; therefore, F5 Networks
		 recommends that you set the first line at 1000. This allows
		 you, in the future, to insert lines before the first line.
		 This option is required.

	    role Specifies the role that you want to grant to the specified
		 group of remotely-authenticated users. The default value is
		 no-access. The available roles are:

		      admin

		      fraud-protection-manager

		      application-editor

		      certificate-manager

		      firewall-manager

		      guest

		      manager

		      no-access

		      operator

		      resource-admin

		      web-application-security-administrator

		      web-application-security-editor

		      user-manager

		 When using variable substitution, as described in the
		 Description section above, the variable for the role option
		 must evaluate to one of these values: 0 (admin), 20 (resource
		 admin), 40 (user manager), 80 (auditor), 100 (manager), 300
		 (application editor), 350 (advanced operator), 400
		 (operator), 450 (firewall manager), 500 (certificate
		 manager), 510 (irule manager), 700 (guest), 800 (web
		 application security administrator), 810 (web application
		 security editor), 850 (acceleration policy editor),
		 900 (no-access).

	    user-partition
		 Specifies the user partition to which you are assigning
		 access to the specified group of remotely-authenticated
		 users. The default value is Common. This option is required.

		 Alternatively, you can use the variable substitution feature
		 (described in the Description section above) and specify a
		 text string variable that is preceded by a leading %
		 character.

SEE ALSO
       auth remote-user, auth user, list, modify, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2011, 2013. All rights
       reserved.



BIG-IP				  2015-12-04		   auth remote-role(1)