Forum Discussion

lkchen
Jul 08, 2015

remote authentication to host management

Largely due to PCI, I need to allow the necessary users to access the configuration utility of our 7200v, which is doing vCMP so there's no LTM, etc. on it.

The local auth control can't match our password complexity requirements (it can be set to exceed it, or not...and on our old F5, somebody kept disabling it.)

So, having our 6400 and the vCMP instances using ldap (currently) satisfies our security policy. The self-signed certs on the 7200v vCMPs and whether client certs should also be required is another story (I had it mostly set up, per the SOL, but another admin tried to get around it and broke the system to where we almost lost everything....F5 support was able to get everything except client certs working again.)

But, the fact that the whole ldap authentication needs a working gateway on the TMM side is kind of a problem. Is there any way to get around this?

Alternative? I saw some stuff about two-factor authentication. Which there is a requirement for, and would've been satisfied by requiring client certificates. But, I'd guess that the google OTP two-factor would require resources not part of vCMP dedicated. I've only done it with AWS.

I think having two-factor would be more important for the vCMP host than the guests, especially if local auth is really the only option. Since I found that a recently departed admin had created local accounts for everyone on the host...after I had said it needs to only be people we trust...and who have a need to be on there, and who have apparently at least taken some F5 training...

Back when I started, I had to take both the basic and advanced LTM training...(and not quit. The person that went through it before me....was interviewed over lunch during the training, and gave his two weeks' notice on his return from training.) Guess I was wrong on who 'we' were.

I'm new at being the old timer....

Plus wasn't there a hotfix in the last month or two that was more critical for vCMP hosts than other systems?

Probably missed the 30 day window that PCI requires.

LK

2 Replies

  • lkchen
    So, this is curious....somebody managed to get ldap authentication into the vCMP host working. Somehow it can do ldap through management, when there's no LTM? I had thought I had seen ldap working from the 'network management' vlan...the 'unboxer' who wanted to peek inside the 7200v's had set them up through the front panel in the telco room (where they had been stashed to be out of sight for a tour.) Which did at least mean they were powered up and activated onto support before their 1 year hardware warranty expired. When we had gotten our 6400's, they sat in their boxes for more than 1 year....and one of the units was DOA, but it was out of warranty and hadn't been activated into support...so we had to buy another unit. Figured moving to the 'proper' network would be no problem later...except it wasn't. Though the issue of the units reverting to the previous IP after a reboot was supposed to have been fixed when I upgraded them to 11.5.1....but maybe we haven't looked at changing their IPs (again) since the upgrade. Though I wonder about their current final location....mounted backwards (as was typical for networking equipment...) in an APC NetShelter solution....so it's trying to pull cool air from the hot aisle and vent into the enclosed space behind it (as the front is filled in with blanks...) Wonder if that's why we have already had a power supply fail. The 2400 had been mounted this way, but back when we had standalone open racks, so there was no cool...just varying degrees of hot.... while the 6400s were installed with other networking in a two-post rack. Hmmm.... Still, didn't expect to see ldap working...but nice that it is. Guess I need to finish setting up the remote roles then. Wonder what the procedure is for upgrading, and would that fix the apache cert problem. (haven't applied the Xen? vulnerability patch yet....)
    Upgrading with vCMPs is new to me, as is active/active...which one of the pair of vCMPs is (though I don't know why; perhaps it made sense when the boxes used to be in two different locations....no, it still doesn't seem right to me.)
  • lkchen
    So, it seems to be the issue of which default gateway pam_ldap uses for authentication of management traffic. The docs are confusing, since at first it seems to suggest traffic flows across the management interface. But, it says the ldap server needs to be reachable from Domain 0. Since the 7200v hosts are vCMP dedicated, there's no LTM/TMM side to configure.... so the only default route on it is the management one. And, auth works once the network was opened up to allow ldap auth to work on it. Hopefully networking won't shoot us for temporarily putting the 7200v's in their management network and poking holes and such in it. So, this raised the question, why do the other F5 instances need to use their TMM default route to get to LDAP? Or why is there a default route at all? So, as a test we deleted the default route from one of the instances, and what was working...continues to work. Though GTM is on this instance, and it's now trying to do zone transfers from the management IP....which is not the IP that is permitted. (both by firewall and bind config.) But, not really sure any of the GTM stuff works anyways.... the contractor that had been working on it is gone...perhaps we just need to start over. But, are there any issues in not having a default route on the TMM side? We (normally) have wildcard forwarders set on it for vlan to vlan routing, along with auto last hop....the LTM side should be fine, afaict....
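The behaviour the second reply observed, that host-originated traffic (pam_ldap binds, GTM zone transfers) follows the TMM default route when one exists and falls back to the management route when it does not, which in turn changes the source IP the far end sees, can be modelled as a small route-selection check. This is an added example, not code from the original post or from F5; the two-table precedence (TMM routes consulted first, management routes only as a fallback) is an assumption drawn from the reply's experiment and should be confirmed against F5's own documentation for your version. All addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample tables; none of these addresses come from the post.
# Keys are prefixes ("default" == 0.0.0.0/0), values are the next-hop gateway.
TMM_ROUTES = {
    "default": "10.10.0.1",      # TMM default route via a self IP's gateway
    "10.10.0.0/16": "10.10.0.1",  # a directly routed TMM network
}
MGMT_ROUTES = {
    "default": "192.0.2.1",      # management default route
}

# Source addresses the far end would see, depending on which plane egresses.
TMM_SELF_IP = "10.10.1.5"
MGMT_IP = "192.0.2.50"


def longest_match(routes, dst):
    """Longest-prefix match of dst against one route table.

    Returns (network, gateway) or None when nothing matches.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def egress_for(dst, tmm_routes=TMM_ROUTES, mgmt_routes=MGMT_ROUTES):
    """Decide which plane host-originated traffic to dst leaves on.

    Assumption (not verified against F5 docs here): the TMM table is
    consulted first; the management table is used only when no TMM
    route, not even a default, matches.
    Returns (plane, gateway, source_ip).
    """
    match = longest_match(tmm_routes, dst)
    if match:
        return "tmm", match[1], TMM_SELF_IP
    match = longest_match(mgmt_routes, dst)
    if match:
        return "mgmt", match[1], MGMT_IP
    return None, None, None


def acl_permits(source_ip, allowed_sources):
    """Mimic a firewall / bind allow-transfer ACL that lists source IPs.

    This is the check that broke for GTM zone transfers in the reply:
    after the TMM default route was removed, the source became the
    management IP, which the ACL did not list.
    """
    return any(ipaddress.ip_address(source_ip) in ipaddress.ip_network(a)
               for a in allowed_sources)


def without_default(routes):
    """Return a copy of a route table with its default route removed."""
    return {k: v for k, v in routes.items() if k != "default"}


if __name__ == "__main__":
    ldap_server = "203.0.113.10"          # constructed, off-box LDAP server
    zone_acl = ["10.10.1.5/32"]           # ACL built for the TMM self IP
    before = egress_for(ldap_server)
    after = egress_for(ldap_server, without_default(TMM_ROUTES))
    print("with TMM default route:   ", before, "ACL ok:", acl_permits(before[2], zone_acl))
    print("without TMM default route:", after, "ACL ok:", acl_permits(after[2], zone_acl))
```

Running it reproduces the reply's experiment: with the TMM default route present the LDAP bind leaves via TMM from the self IP, and after deleting that route it leaves via the management plane from the management IP, which the zone-transfer ACL no longer permits. The practical check before removing a TMM default route is therefore to enumerate every host-originated flow (LDAP/RADIUS/TACACS+ auth, DNS, NTP, syslog, SNMP traps, zone transfers) and confirm the peer's firewall and application ACLs accept the management IP as the new source.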