F5 Big-IP Active Directory Authentication

After all these years of using F5 Big-IPs with RADIUS or TACACS authentication, they have finally added proper Active Directory authentication. When you have many F5 devices in your environment, it can be very time-consuming to manage all the user privileges. The F5 Enterprise Manager can assist with this, but Active Directory group authentication is a better solution. This is how I set it up.

  1. Start by making sure your DNS servers are set to your Active Directory DNS servers.
  2. Go to Users, then Authentication and under User Directory, select Remote – Active Directory.  I used the following settings:
    Host: domain.corp (if you use the FQDN of your domain, it will select one of your domain controllers, so you aren’t tied to just one)
    Port: 389 (default)
    Remote Directory Tree: OU=Accounts,DC=domain,DC=corp (this should be the base search OU)
    Scope: Sub (select Sub if you want it to search sub-OUs)
    Bind DN: CN=f5_user,OU=Accounts,DC=domain,DC=corp (The user account you want the F5 to use to search AD)
    Check Member Attribute in Group: Check this to do group authorization
  3. Click on Remote Role Groups.  In here you can create roles that map to AD groups.  For example, you can create an AD group called F5_admin_group.  Then map the DN to the F5 Role.
    Group Name: Admin
    Line Order: 1
    Attribute String: memberOF=CN=F5_admin_group,OU=Accounts,DC=domain,DC=corp
  4. Once this is configured, you no longer have to assign each user to a role on the F5; you just manage role membership via Active Directory groups.
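
To sanity-check a set of Remote Role Groups before relying on them, the mapping from step 3 can be modelled offline. This is an added example, not F5 code and not part of the original post: it assumes entries are evaluated in ascending Line Order with the first match winning, and that DNs compare case-insensitively. The F5_operator_group entry and the role labels are hypothetical sample data.

```python
# Simplified model of Remote Role Group matching (added illustration, not F5 code).
# Assumption: entries are checked in ascending Line Order and the first match wins.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RoleGroup:
    name: str        # "Group Name" field
    line_order: int  # "Line Order" field
    attribute: str   # "Attribute String" field, e.g. memberOF=CN=...
    role: str        # role granted on match (label used by this model only)


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip spaces around RDN separators.
    Simplification: escaped commas inside RDN values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_attribute(attr: str) -> tuple[str, str]:
    """Split 'memberOF=CN=...' on the first '=' into (attribute name, DN)."""
    name, sep, value = attr.partition("=")
    if not sep or not value:
        raise ValueError(f"malformed attribute string: {attr!r}")
    return name.strip().lower(), normalize_dn(value)


def resolve_role(member_of: Iterable[str],
                 groups: Iterable[RoleGroup]) -> Optional[RoleGroup]:
    """Return the matching entry with the lowest line order, or None."""
    user_groups = {normalize_dn(dn) for dn in member_of}
    for group in sorted(groups, key=lambda g: g.line_order):
        attr_name, dn = parse_attribute(group.attribute)
        if attr_name == "memberof" and dn in user_groups:
            return group
    return None  # no mapped group: this model grants no role


# Constructed sample data; F5_operator_group is hypothetical.
BASE = "OU=Accounts,DC=domain,DC=corp"
ROLE_GROUPS = [
    RoleGroup("Operators", 2, f"memberOF=CN=F5_operator_group,{BASE}", "operator"),
    RoleGroup("Admin", 1, f"memberOF=CN=F5_admin_group,{BASE}", "administrator"),
]

if __name__ == "__main__":
    both = ["cn=f5_operator_group,ou=accounts,dc=domain,dc=corp",
            "CN=F5_admin_group, OU=Accounts, DC=domain, DC=corp"]
    print(resolve_role(both, ROLE_GROUPS))
    print(resolve_role(["CN=Domain Users,CN=Users,DC=domain,DC=corp"], ROLE_GROUPS))
```

Running the model against an export of a user's memberOf values shows which entry would apply when the user sits in more than one mapped group, which is where an unintended Admin match is easiest to miss.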

F5 SOL11072