F5 Big-IP LTM Active Directory Authentication

This is something that took me much longer than it probably should have.

We have a couple new F5 Big-IP LTM load balancers that we’re in the middle of setting up. We wanted to have Active Directory authentication.

First we need to specify how the LTM connects to our Active Directory:

  1. Log into the web console with the admin account
  2. Navigate to System -> Users -> Authentication
  3. Leave Authentication at Basic and click the Change… button.
  4. Set User Directory to Remote – Active Directory
  5. Set Host to your domain name; DNS will then hand the LTM whichever domain controller answers. If you need a specific domain controller, enter that instead. Either way, if you turn on SSL below, the domain controllers’ certificates must be valid for the name you enter here.
  6. Set Remote Directory Tree to the distinguished name of the container in which your user accounts reside. F5 recommends this be as specific as possible. This should be something like: ou=AdminAccounts,dc=contoso,dc=com.
  7. Next, you can either supply a dedicated service account in the Bind fields that the LTM uses to look users up, or bind with each user’s own credentials. We used the user’s credentials. To do that, set the User Template attribute and leave the Bind fields empty. Our User Template looks something like: %s@contoso.com. The LTM replaces %s with whatever the user types into the username field on the logon screen, so this template binds to AD as the user’s UPN.
  8. Leave the rest as defaults, with one exception: set SSL to Enabled and supply the CA certificate that issued your domain controllers’ certificates. With no bind account, every login is a simple LDAP bind using the user’s own AD password, and without SSL that password crosses the network in cleartext on port 389.
  9. Click Finished.

You probably have something that looks like this:

[Screenshot: CLB1 Active Directory authentication settings]

We now need to specify which groups have what access.

  1. Click the Remote Role Groups tab.
  2. Click the Create… button.
  3. Enter a Group Name.
  4. Enter a Line Order. The LTM processes groups in order of their Line Order number, lowest first. F5 recommends starting your first group at 1000, so you have room to insert groups before and after it.
  5. For Attribute String, enter the LDAP attribute and value that a user’s account must carry to land in this group. Most people match on membership of an Active Directory group that holds the administrative accounts, using the group’s full distinguished name as AD returns it. That looks like: memberOf=cn=LTMAdmins,ou=AdminGroups,dc=contoso,dc=com.
  6. Set Remote Access to Enabled so members of this group may log in remotely. (You probably want this enabled.)
  7. Set Assigned Role to the role these users should receive. Administrator gives full access; pick the least-privileged role that fits, since every member of the matched AD group inherits it.
  8. We set Partition Access to All. Set this appropriately.
  9. Terminal Access specifies which command-line shell these users get when they log in over SSH. tmsh is the default.
  10. Click Finished.

You should now have something like this:

[Screenshot: CLB1 Remote Role Groups]

That should get you basic Active Directory authentication working with a group of Administrators.
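The same two procedures from the command line, plus the check worth running before trusting an Attribute String. This is an added example, not part of the original post or of F5’s documentation: the preflight binds from any Linux host exactly the way the LTM will (user template %s@contoso.com, over LDAPS) and shows what memberOf AD really returns, then a literal whole-line match tells you whether the DN you plan to put in the Attribute String is what AD sends back. The domain controller name dc01.contoso.com, the user names, the role-info name ltm-admins and the sample LDIF are assumptions; the tmsh syntax is written from memory of the tmsh reference, so confirm it with `tmsh help auth ldap` and `tmsh help auth remote-role` on your own unit before running it.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: dc01.contoso.com,
# the role-info object "ltm-admins", and the user names passed in.
set -eu

BASE_DN='ou=AdminAccounts,dc=contoso,dc=com'
ADMIN_GROUP='cn=LTMAdmins,ou=AdminGroups,dc=contoso,dc=com'

# 1. Preflight (needs the OpenLDAP client tools). Binds the way the LTM will
#    with a User Template of %s@contoso.com, i.e. as the user's UPN, over LDAPS,
#    and returns that user's memberOf values. -W prompts for the password;
#    ldif-wrap=no keeps long DNs on one line so step 2 can match them.
ad_memberof() {  # usage: ad_memberof <dc-host> <sAMAccountName>
  ldapsearch -LLL -o ldif-wrap=no -H "ldaps://$1" \
    -D "$2@contoso.com" -W \
    -b "$BASE_DN" "(userPrincipalName=$2@contoso.com)" memberOf
}

# 2. Offline check: does the LDIF from step 1 contain, as a whole line, the
#    exact DN the Remote Role Group's Attribute String will be compared to?
#    grep -Fx is a literal, case-sensitive, whole-line match on purpose: if it
#    fails only on letter case, copy the DN into the LTM as ldapsearch printed it.
ldif_has_group() {  # usage: ldif_has_group <ldif-text> <group-dn>
  printf '%s\n' "$1" | grep -Fxq "memberOf: $2"
}

# Constructed sample of what step 1 returns for a user in LTMAdmins (not real data).
SAMPLE_LDIF='dn: CN=Jane Doe,OU=AdminAccounts,DC=contoso,DC=com
memberOf: cn=LTMAdmins,ou=AdminGroups,dc=contoso,dc=com
memberOf: CN=Domain Users,CN=Users,DC=contoso,DC=com'

# 3. tmsh equivalent of both GUI procedures, run from the bash prompt on the
#    BIG-IP as admin. "ssl enabled" is the setting the GUI walk-through leaves
#    at its default and should not: with no Bind DN, every login sends the
#    user's AD password to the domain controller.
configure_ltm_ad_auth() {
  tmsh create auth ldap system-auth \
    servers add { dc01.contoso.com } \
    search-base-dn "$BASE_DN" \
    user-template '%s@contoso.com' \
    ssl enabled
  tmsh modify auth source type active-directory
  tmsh create auth remote-role role-info ltm-admins { \
    line-order 1000 \
    attribute "memberOf=$ADMIN_GROUP" \
    role administrator \
    user-partition All \
    console tmsh \
    remote-access enabled }
  tmsh save sys config
}
```

Run `ad_memberof dc01.contoso.com jdoe > jdoe.ldif` from a workstation first, then `ldif_has_group "$(cat jdoe.ldif)" "$ADMIN_GROUP"`; only once that returns success is it worth typing the Attribute String into the LTM. Note that the check is deliberately stricter than a substring match: `cn=LTMAdmins` on its own, or the same DN in a different letter case, is reported as no match, which is the failure mode that otherwise shows up as a user who authenticates fine but lands in No Access.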