
F5 Global Services Newsletter

F5 Global Services Training | QuickLabs Lab Guide

Administering Local User Roles

Introduction
The following QuickLabs are designed for the learner who has completed
the Administering BIG-IP instructor-led training course and wants to
continue learning about administering local user roles. The labs
complement the learning concepts and tasks performed in the User Roles
and Administration Partitions portion of the training course.

Local User Administration Overview

About User Roles


Every BIG-IP system has a root and admin user account. These accounts
have full access to all BIG-IP system resources. These accounts cannot be
deleted, and their roles cannot be changed (although admin can be disabled,
and the admin user's access to the command line interface can be
changed).
For details on root and admin accounts, refer to BIG-IP
System: User Account Administration on
https://support.f5.com.
You can access all the user roles listed with a brief description
of each at: https://support.f5.com/kb/en-us/products/bigip_ltm/manuals/product/bigip-user-account-administration-120-0/4.html#referenceid

An important part of overall BIG-IP management is the creation and
management of user roles for BIG-IP administration. The purpose of these
accounts is two-fold:

Authentication: Verify the identity of users logging in to the BIG-IP system
Authorization: Control access to the BIG-IP system


F5 Networks Education Services

www.f5.com/training

F5 Global Services | Getting SmartED Series Checklist

Authentication is achieved through the account's username and password
credentials. Authorization is achieved through the account's assigned user
role. User roles are a means of controlling access to BIG-IP system
resources. You assign a user role to each administrative user and, in doing
so, grant the user a set of permissions for accessing BIG-IP system resources.


Local User Accounts


Managing local user accounts refers to the tasks of creating, viewing,
modifying, and deleting user accounts that reside on the BIG-IP system. The
BIG-IP system stores local user accounts (including user names, passwords,
and user roles) in a local user-account database. When a user logs into the
BIG-IP system using one of these locally-stored accounts, the BIG-IP system
checks the account to determine the user role assigned to that user account
for each partition to which the user has access.

If you are using remote authentication, you can create all of your standard BIG-IP user a
This QuickLab lesson will only cover Local User Accounts.

Lab 1A: Create Local Users and Assign Roles

Lab Preparation: Restore UCS file on BIG-IP System


1. Click the Firefox web browser icon in the toolbar to access your BIG-IP
system. The icon automatically opens a browser session to the BIG-IP system
at https://192.168.1.31.
2. When prompted, log in with the credentials: Username: admin and Password:
admin.
3. Navigate to System > Archives.
4. Click Upload, then click Browse and select the Downloads folder.
5. Select QL_basic.ucs and click Open, then click Upload.
6. Click QL_basic.ucs.
7. Click the Restore button.
The restore process will take about a minute or two. Please wait until the
Operation Status message indicates Full configuration has been loaded
successfully. Be patient.
8. Click the OK button.

Create Auditor, Manager, Operator, Resource Administrator, and User Manager Roles

Navigate to System > Users and click Create.


9. Create an auditor with the following properties:
a. If using the Configuration utility:
System > Users : User List > New User
Account Properties
   User Name         auditor1
   Password          auditor1
   Confirm           auditor1
   Role              Auditor
   Partition         All, then click Add
   Terminal Access   Disabled
When complete, click Finished.

b. If you prefer using TMSH, click on the PuTTY SSH Client icon and
open an SSH session to 192.168.1.31 and log in with the
credentials: Username: root and Password: default. Enter the
following (the partition keyword is all-partitions):
tmsh create /auth user auditor1 { partition-access add { all-partitions { role auditor } } shell none password auditor1 }

10. Create a Manager, Operator, Resource Administrator, and User Manager
with the following properties:

User Name          Password           Role                     Terminal Access
manager1           manager1           Manager                  Disabled
operator1          operator1          Operator                 Disabled
resource_admin1    resource_admin1    Resource Administrator   Advanced shell
user_manager1      user_manager1      User Manager             Disabled


11. From System > Users : User List, you should see the following:

12. If using TMSH:


tmsh list /auth user
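As an added example (not part of the lab guide), the following Python audit parses a "tmsh list /auth user" listing and compares each account's role and terminal access against what step 10 intends. The listing is constructed (two of the five users are shown, and manager1 has deliberately been given an advanced shell it should not have); the mapping of the GUI labels to tmsh shell values (Disabled = none, Advanced shell = bash) is an assumption.

```python
import re

# Constructed sample of 'tmsh list /auth user' output: two of the five Lab 1A
# users, hashes omitted. manager1 deliberately has bash instead of Disabled.
SAMPLE_LISTING = """\
auth user auditor1 {
    partition-access {
        all-partitions {
            role auditor
        }
    }
    shell none
}
auth user manager1 {
    partition-access {
        all-partitions {
            role manager
        }
    }
    shell bash
}
"""

# Step 10 of the lab in tmsh terms. GUI labels are assumed to map as:
# Disabled -> none, Advanced shell -> bash, tmsh -> tmsh.
EXPECTED = {
    "auditor1": ("auditor", "none"),
    "manager1": ("manager", "none"),
    "operator1": ("operator", "none"),
    "resource_admin1": ("resource-admin", "bash"),
    "user_manager1": ("user-manager", "none"),
}

# One top-level 'auth user NAME { ... }' block; only a column-0 brace closes it.
USER_BLOCK = re.compile(r"^auth user (\S+) \{\n(.*?)^\}", re.S | re.M)


def parse_users(listing):
    """Return {user: (role, shell)} from a 'tmsh list /auth user' listing."""
    users = {}
    for name, body in USER_BLOCK.findall(listing):
        role = re.search(r"^\s*role (\S+)", body, re.M)
        shell = re.search(r"^\s*shell (\S+)", body, re.M)
        users[name] = (role.group(1) if role else "?", shell.group(1) if shell else "none")
    return users


def audit(listing, expected=EXPECTED):
    """List every account whose role or terminal access differs from the plan."""
    actual = parse_users(listing)
    findings = []
    for user, (role, shell) in sorted(expected.items()):
        if user not in actual:
            findings.append(f"{user}: missing")
            continue
        got_role, got_shell = actual[user]
        if got_role != role:
            findings.append(f"{user}: role {got_role}, expected {role}")
        if got_shell != shell:  # bash (Advanced shell) sidesteps tmsh role limits
            findings.append(f"{user}: shell {got_shell}, expected {shell}")
    return findings
```

Feeding the real output of step 12 to audit() gives the same comparison for the five accounts you created.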

In the next lab, you will practice logging into the BIG-IP system assuming the
identity of the different user roles and see what tasks you are allowed to do.
Continue with the next lab.

Lab 1B: Test Local Administration User Roles

Test Local User Roles


In this lab, you will test each of the user roles that you previously created.
Lab Requirements

You must have successfully completed Lab 1A: Create Local Users and
Assign Roles prior to beginning this lab.

To test your roles, log out of the BIG-IP system in your current role, and log
back in as a different user.
During this lab, you may forget which role you are logged in as.
If that happens, refer to the banner above the F5 icon.
For example:


Test the Auditor, Manager, Operator, Resource Administrator, and User Manager Roles

As you test each role, fill in the table with a mark indicating if you are able to perform these t

Role                     View Statistics   View Pool   Create Pool   Disable Pool Member   View Self IPs   Create Self IP   Terminal access
Auditor
Manager
Operator
Resource Administrator
User Manager

Test the Auditor Role


Log out of the system.
13. Log in as the Auditor role with the credentials: Username: auditor1 and
Password: auditor1.
14. Navigate to Statistics > Module Statistics : Local Traffic. Next to
Statistics Type, use the pull-down menu and select Pools. Can you view the
statistics?
15. Navigate to Local Traffic > Pools. Can you see the existing pools?
16. Are you able to create a pool? Can you click the Create button?
17. Click on http_pool. Click on the Members tab.
18. Can you Disable or Enable a pool member?
19. Navigate to Network > Self IPs. Can you view the Self IP List?
20. Are you able to create a Self IP? Can you click the Create button?
21. Log out of the Configuration utility (GUI).
22. Using the PuTTY SSH Client icon, open an SSH session to the management
port at 192.168.1.31. Make sure the protocol is set to SSH (port 22) before
connecting.
23. Attempt to log in as auditor1 with password auditor1. Can you do that?
Why do you suppose you cannot?


In some cases, a user's role will limit the menu items visible in the Configuration ut

Test the Manager Role

Can you view the statistics?

Can you see the existing pools?

Can you create a pool?

Can you disable and enable pool member 172.16.20.1:80?


Use the steps below to enable and disable a pool member:
o To disable a pool member, click the check box next to
172.16.20.1:80.
o Click Disable. The status icon turns to black.
o To enable a pool member, click the check box next to
172.16.20.1:80 and click Enable. The status icon turns to
green.

Can you view the Self IP List?

Can you create a Self IP?

Log out of the Configuration utility (GUI).

Use the PuTTY SSH Client to open an SSH session to 192.168.1.31, and
attempt to log in as manager1 with password: manager1.

Test the Operator Role

Can you view the statistics?

Can you see the existing pools?

Can you create a pool?

Can you Disable or Enable pool member 172.16.20.1:80?

Can you view the Self IP List?

Can you create a Self IP?

Log out of the Configuration utility (GUI).

Can you use the PuTTY SSH Client to open an SSH session to 192.168.1.31
and log in as operator1 with password: operator1?

Test the Resource Administrator Role

Can you view the statistics?


Can you see the existing pools?

Can you create a pool?

Can you Disable or Enable pool member 172.16.20.1:80?

Can you view the Self IP List?

Can you create a Self IP?

Log out of the Configuration utility (GUI).

Can you use PuTTY to open an SSH session to 192.168.1.31 and log in with
the credentials: Login as: resource_admin1 and Password:
resource_admin1?
o Enter tmsh show /net to view the network configuration.
o Enter exit to close your PuTTY session.

Test the User Manager Role

Can you view the statistics?

Can you see the existing pools?

Can you create a pool?

Can you Disable or Enable pool member 172.16.20.1:80?

Can you view the Self IP List?

Can you create a Self IP?

Log out of the Configuration utility (GUI).

Can you use the PuTTY SSH Client to open an SSH session to 192.168.1.31
and log in as user_manager1?

Test the Ability to Unlock User Account


If a user exceeds the number of unsuccessful login attempts that the
password policy allows, the BIG-IP system locks the user account. One of the
key differences between the User Manager role and the other roles on the
system is the ability to unlock a system user who has been locked out.
Before you can test this ability, you have to configure the Password Policy.
Only the Admin role can perform this task.
24. Log in as the Administrator role with the credentials: Username: admin and
Password: admin.
25. Navigate to System > Users and click the Authentication tab.


Notice the other Password Policy fields that are available.


For more information, click the Help tab or refer to the BIG-IP System: User Account Adm

26. Change the Maximum Login Failures to 3.


27. Click Update.
28. Log out of the system.
29. This time, attempt to log in as auditor1 with a bad password. Log in with
Username auditor1 and pick a bad password such as 1234. Attempt this
three times.

Notice on the third time, you do not see any kind of system warning.
But you are locked out of the system and have to contact the User Manager to unlock y

30. Log in as the User Manager with the credentials: Username:


user_manager1 and Password: user_manager1.
31. Navigate to System > Users.
32. Verify that the User Name auditor1 is Locked Out and notice the number of
Failed Logins.
33. To unlock the user, click on the check box to the left of auditor1.
34. Click Unlock.
35. Verify that the Locked Out field for auditor1 is now set to No and the Failed
Logins field is set to 0.
36. Log out of the Configuration utility.
37. Log in as the Auditor role with the credentials: Username: auditor1 and
Password: auditor1.
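As an added illustration that is not part of the guide, the following in-memory model reproduces the lockout behaviour exercised in steps 26-37 (three failed logins lock the account silently, a User Manager unlocks it and Failed Logins returns to 0) together with the unlock restriction noted in the Lab 2 expected results, where a User Manager cannot unlock an Administrator or Resource Administrator. The tmsh role spellings used here are assumed; nothing about BIG-IP's internal implementation is claimed.

```python
class LockoutPolicyError(PermissionError):
    """Raised when the actor's role may not unlock the target account."""

# Roles that can unlock accounts at all, and the targets only admin can unlock
# (the guide notes a User Manager cannot unlock an Administrator or
# Resource Administrator). tmsh role spellings are assumed.
UNLOCKERS = {"admin", "user-manager"}
ADMIN_ONLY_TARGETS = {"admin", "resource-admin"}


def can_unlock(actor_role, target_role):
    """True if an account with actor_role may unlock one with target_role."""
    if actor_role not in UNLOCKERS:
        return False
    return actor_role == "admin" or target_role not in ADMIN_ONLY_TARGETS


class LocalUserDb:
    """Local accounts under a password policy with Maximum Login Failures = N."""

    def __init__(self, max_login_failures=3):
        self.max_login_failures = max_login_failures
        self.users = {}  # name -> {"password", "role", "failed", "locked"}

    def add_user(self, name, password, role):
        self.users[name] = {"password": password, "role": role, "failed": 0, "locked": False}

    def login(self, name, password):
        """True on success. A locked account fails even with the right password."""
        u = self.users[name]
        if u["locked"]:
            return False
        if password != u["password"]:
            u["failed"] += 1
            if u["failed"] >= self.max_login_failures:
                u["locked"] = True  # silently, as step 29 observes
            return False
        u["failed"] = 0
        return True

    def unlock(self, actor, target):
        """Unlock target on behalf of actor; Failed Logins resets to 0 (step 35)."""
        actor_role, target_role = self.users[actor]["role"], self.users[target]["role"]
        if not can_unlock(actor_role, target_role):
            raise LockoutPolicyError(f"{actor_role} may not unlock a {target_role}")
        self.users[target].update(locked=False, failed=0)


def lab_walkthrough():
    """Steps 29-37: three bad passwords lock auditor1; user_manager1 unlocks it."""
    db = LocalUserDb(max_login_failures=3)
    db.add_user("auditor1", "auditor1", "auditor")
    db.add_user("user_manager1", "user_manager1", "user-manager")
    for _ in range(3):
        db.login("auditor1", "1234")
    before = (db.users["auditor1"]["locked"], db.users["auditor1"]["failed"])
    while_locked = db.login("auditor1", "auditor1")
    db.unlock("user_manager1", "auditor1")
    after = (db.users["auditor1"]["locked"], db.users["auditor1"]["failed"])
    return before, while_locked, after, db.login("auditor1", "auditor1")
```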

Expected Results
During the Administering Local User Roles Lab, you created five user roles.
Keep in mind, depending on your version of BIG-IP and what modules you
have provisioned (LTM, ASM, etc.), there are many other roles that you can
create. Each one will have specific read and write privileges for specific
configuration objects.
In this lab, you discovered that all the roles you created could view pools,
statistics, and Self IPs. However, only the manager, operator, and resource
administrator roles could enable and disable pool members. Only the
manager and resource administrator could create a pool, and only the
resource administrator has terminal access and can create Self IPs. Recall
that when you created the resource administrator, you assigned Advanced shell
terminal access to that role. The user manager can unlock a user. In addition,
a user manager can add users to the system.
In the following table, an X indicates the tasks that you were able to perform
for a particular user role.
Role                     View Statistics   View Pool   Create Pool   Disable Pool Member   View Self IPs   Create Self IP   Terminal access
Auditor                  X                 X                                               X
Manager                  X                 X           X             X                     X
Operator                 X                 X                         X                     X
Resource Administrator   X                 X           X             X                     X               X                X
User Manager             X                 X                                               X

This completes Lab 1B: Test Local Administration User Roles.

Lab 2: Scenarios
Determine the most appropriate local user role for each of the
following scenarios.
In the previous lab, you created and tested five BIG-IP user roles. However, in
each BIG-IP system, there are many more user roles available. In the next
lab, you will refer to the entire list of user roles and select the role that best
fits the scenario. Then you will create the user on the system, assign the role
to the user, and test to determine if you selected the best role for the
scenario.
You can access the entire list of user roles by using one of the following
methods. Pick one method to use for this next lab.
Method 1: Link to BIG-IP User Account Manual
To access, use this link and scroll down to the table that describes each role:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigipuser-account-administration-12-0-0/4.html#referenceid
Method 2: Use the Online Help
1. Log in to the BIG-IP system
2. Navigate to System > Users : User List
3. Click Create
4. Click on the Help tab on the left side of the screen.


5. Click Role / Assigned Role.

Scenario 1: New User: Documenter


Your company has hired a new employee to help document your current BIG-IP
configuration. The new employee will not be permitted to make any
changes to the system but will need access to view all the system objects.
The new person does not need to see log data or have access to the archives
(UCS files).
Create a new user called documenter1. Test the role and determine if the
role meets the requirements.


Scenario 2: New User: LTM Admin


Your company has undergone changes in personnel and you now have a new
team member who is proficient with Local Traffic Manager (LTM)
administration but is not familiar with other modules. You want the new team
member to be able to create and modify LTM objects such as virtual servers,
pools, nodes, and custom profiles. In addition, the new team member will
need access to TMSH.
Create a new user called ltmadmin1 using the specifications listed above.
o Can you assign one of the roles you previously used in Lab 1A: Create
Local Users and Assign Roles?
Test the role and determine if the role meets the requirements.

Scenario 3: New User: Firewall Admin


There is a new person assigned to the BIG-IP team. The new person is an
expert in handling firewall rules. The new person will need to be able to
create network security profiles. The new person should be able to view all
objects on the system but only be able to modify the Advanced Firewall
Management (AFM) configuration objects.
Create a new user called firewalladmin1 using the specifications described
above. Test the role and determine if the role meets the requirements.
o Are there any changes required to the system before you can create
and test this Advanced Firewall security role?

Scenario 4: New User: LTM User Manager


Your company hired a new manager for the BIG-IP system. The new manager
will be able to configure all LTM objects. In addition, the new manager will be
available to unlock a system user who exceeds the number of unsuccessful
login attempts that the password policy allows.
Create a new user called ltmmanager1 using the specifications described
above. Test the role and determine if the role meets the requirements.
o What options are available if the requirements exceed the system-supplied user roles?

Scenario 5: New User: iRules Specialist


Your company hired a specialist who is responsible for the iRules on the BIG-IP
system. The specialist will be able to create, modify, and delete iRules on
the system. The specialist will not be able to assign iRules to virtual servers.
Create a new user called irules1 using the specifications described above.
Test the role and determine if the role meets the requirements.

Expected Results
The role that best meets the specifications for Scenario 1: New User: Documenter
is the Guest role. After creating the user and assigning the Guest role, you logged
in as documenter1. You verified that you can view all the system objects, but
cannot make any changes to the objects.
The role that best meets the specifications for Scenario 2: New User: LTM Admin is
the Manager role with terminal access enabled for tmsh. After creating the
user and assigning the Manager role, you logged in as ltmadmin1. You
verified that you can create and modify LTM objects such as virtual servers, pools,
and nodes. In addition, you were able to use PuTTY to open an SSH session so
that you could use TMSH commands.
The role that best meets the specifications for Scenario 3: New User: Firewall
Admin is the Firewall Manager role. However, before you could assign the
Firewall Manager role to the user, you had to provision the system for Advanced
Firewall. To perform this task, you had to navigate to System > Resource
Provisioning. Next, you had to click the check box next to Advanced Firewall
(AFM) and select either Dedicated, Nominal, or Minimal from the drop-down menu.
In this scenario, Minimal would be the best choice.
To activate the change, you had to click Submit, and the system displayed a
warning:
Reprovisioning may restart daemons or reboot the system,
which causes lost connections. Are you sure you want to proceed?

To proceed with the lab, you answered Yes. But if this was a production system,
you would schedule downtime before performing this task. After the provisioning
completed, you were able to assign the Firewall Manager role to the new person.
You logged in as firewalladmin1, and you verified that you could view all objects
on the system and were able to modify the Advanced Firewall Management (AFM)
configuration objects. For example, you could navigate to Security > Protocol
Security : Security Profiles : HTTP and create a new profile.
During Scenario 4: New User: LTM User Manager, you discovered if you assigned a
Resource Administrator role, you could configure all LTM objects, but the new
manager could not unlock a system user who exceeded the number of
unsuccessful login attempts. If you assigned a User Manager role, you could unlock
a system user but could not configure all LTM objects. Therefore, in this case,
assigning an Administrator role could best meet the requirements.
It is interesting to note that the User Manager role cannot unlock another
Administrator or Resource Manager. Only an Administrator role can unlock another
Administrator or Resource Manager.
The role that best meets the specifications for Scenario 5: New User: iRules
Specialist is the iRules Manager role. After creating the user and assigning the
iRules Manager role, you logged in as irules1. You verified that you can
create, modify, and delete iRules but cannot assign iRules to any of the
configuration objects.
