auth remote-role
auth remote-role(1) BIG-IP TMSH Manual auth remote-role(1)
NAME
remote-role - Creates remote role information in a file that an LDAP, Active Directory(r), RADIUS, or TACACS+
server reads to determine the specific access rights to grant to groups of remotely-authenticated users.
MODULE
auth
SYNTAX
Configure the remote-role component within the auth module using the syntax shown in the following sections.
MODIFY
modify remote-role
options:
description [string]
role-info [add | delete | modify | replace-all-with] {
[group-name] {
options:
attribute [string]
console [disabled | tmsh]
description [string]
deny [enabled | disabled]
line-order [integer]
role [acceleration-policy-editor | admin | fraud-protection-manager |
application-editor | auditor | certificate-manager |
firewall-manager | guest | irule-manager | manager |
no-access | operator | resource-admin | user-manager |
web-application-security-administrator |
web-application-security-editor | web-application-security-operations-administrator]
user-partition [all | Common | [name] ]
user-partition [%string]
}
}
role-info none
DISPLAY
list remote-role
show running-config remote-role
options:
all-properties
non-default-properties
one-line
DELETE
You cannot delete the remote-role defaults, you can only modify the values of the options.
DESCRIPTION
You can use the remote-role component to grant access to a specific group of remotely-authenticated users
without creating a local user account on the BIG-IP(r) system for each user in the group.
Users assigned the role of Administrator can modify remote roles. Users assigned all other roles can view
remote roles.
You can use the variable substitution feature to assign access rights for a group of remote users by
specifying a text string variable that is preceded by a leading % character for the options attribute,
console, role and user-partition. For example, if you define the remote role for the groups DC1 and DC2 as
follows:
remote-role {
role info {
dc1 {
attribute "F5-LTM-User-Info-1=DC1"
console %F5-LTM-User-Console
line-order 1
role %F5-LTM-User-Role
user-partition %F5-LTM-User-Partition
}
dc2 {
attribute "F5-LTM-User-Info-1=DC2"
line-order 2
}
}
}
The BIG-IP(r) system attempts to match the value of the attribute option, F5-LTM-User-Info-1=DC1, and then
pulls the value of the console, role and user-partition options from the other variables.
Note: If a variable includes an incorrect value, the system does not authorize the user. Additionally, if you
have not defined the variables, as with the group DC2 above, the system authenticates the user with the
following access rights:
console = disabled
role = none
user-partition = none
EXAMPLES
modify remote-role role-info add { my_managers { attribute
"memberOF=cn=BigIPmanagerGroup,cn=users,dc=mydept,dc=mycompany,dc=com" console disabled line-order 1000 role
100 user-partition all } }
Configures a remote role, named my_managers, for LDAP authentication, by creating the 1000th line of the
/config/bigip/auth/remoterole file, and granting the Manager role (100) in all partitions to the remote users
assigned this role.
modify remote-role role-info add { my_admins { attribute "NS-Admin-Privilege" console tmsh line-order 1000
role 0 user-partition all } }
Configures a remote role, named my_admins, for LDAP authentication, by creating the 2000th line of the
/config/bigip/auth/remoterole file, and granting the Administrator role (0) in all partitions to the remote
users assigned this role.
modify remote-role role-info add { my_managers { attribute "manager_group=manager" console tmsh line-order
3000 user-partition all } }
Configures a remote role, named my_managers, for RADIUS or TACACS+ authentication, by creating the 3000th line
of the /config/bigip/auth/remoterole file, and granting the Administrator role (0) in all partitions to the
remote users assigned this role:
OPTIONS
description
Specifies a user-defined description.
role-info
Configures the access rights for a specific group of remotely-authenticated users. You can configure the
following information for a role:
attribute
Specifies an attribute-value pair that an authentication server supplies to the BIG-IP system to
match against entries in /config/bigip/auth/remoterole. The specified pair typically identifies
users with access rights in common. This option is required.
Alternatively, you can use the variable substitution feature (described in the Description section
above), and specify a text string variable that is preceded by a leading % character.
console
Enables or disables console access for the specified group of remotely-authenticated users. The
default value is disabled.
When using variable substitution, as described in the Description section of this man page, the
variable for the console option must be: tmsh.
deny Enables or disables remote access for the specified group of remotely-authenticated users. The
default value is disabled.
description
Specifies a user-defined description.
group-name
Specifies the name of the remote role that you are configuring. This option is required.
line-order
Specifies the number of the first populated line in the file, /config/bigip/auth/remoterole. The
LDAP, Active Directory, RADIUS, and TACACS+ servers read this file line by line. The order of the
information is important; therefore, F5 Networks recommends that you set the first line at 1000.
This allows you, in the future, to insert lines before the first line. This option is required.
role Specifies the role that you want to grant to the specified group of remotely-authenticated users.
The default value is no-access. The available roles are:
admin
fraud-protection-manager
application-editor
certificate-manager
firewall-manager
guest
manager
no-access
operator
resource-admin
web-application-security-administrator
web-application-security-editor
web-application-security-operations-administrator
user-manager
When using variable substitution, as described in the Description section above, the variable for
the role option must evaluate to one of these values: 0 (admin), 20 (resource admin), 40 (user
manager), 80 (auditor), 100 (manager), 300 (application editor), 350 (advanced operator), 400
(operator), 450 (firewall manager), 500 (certificate manager), 510 (irule manager), 700 (guest), 800
(web application security administrator), 810 (web application security editor), 820 (web
application security operations administrator), 850 (acceleration policy editor), 900 (no-access).
user-partition
Specifies the user partition to which you are assigning access to the specified group of remotely-
authenticated users. The default value is Common. This option is required.
Alternatively, you can use the variable substitution feature (described in the Description section
above) and specify a text string variable that is preceded by a leading % character.
SEE ALSO
auth remote-user, auth user, list, modify, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2011, 2013. All rights reserved.
BIG-IP 2019-01-06 auth remote-role(1)