remote authentication to host management
Largely due to PCI, I need to allow the necessary users to access the configuration utility of our 7200v, which is doing vCMP so there's no LTM, etc. on it.
The local auth control can't match our password complexity requirements (it can be set to exceed it, or not...and on our old F5, somebody kept disabling it.)
So, having our 6400 and the vCMP instances using LDAP (currently) satisfies our security policy. The self-signed certs on the 7200v vCMPs and whether client certs should also be required is another story (I had it mostly set up, per the SOL, but another admin tried to get around it and broke the system where we almost lost everything... F5 support was able to get everything except client certs working again.)
But the whole "LDAP authentication needs a working gateway on the TMM side" is kind of a problem. Is there any way to get around this?
Alternative? I saw some stuff about two-factor authentication, which there is a requirement for, and would've been satisfied by requiring client certificates. But, I'd guess that the Google OTP two-factor would require resources not part of vCMP dedicated. I've only done it with AWS.
I think having two-factor would be more important for the vCMP host than the guests, especially if local auth is really the only option. Since I found that a recently former admin had created local accounts for everyone on the host... after I had said it needs to only be people we trust... and have a need to be on there, and apparently to have at least taken any F5 training...
Back when I started, I had to take both the basic and advanced LTM training...(and not quit. The person that went through it before me....was interviewed over lunch during the training, and gave his two weeks notice on his return from training.) Guess I was wrong on who 'we' were.
I'm new at being the old timer....
Plus, wasn't there a hotfix in the last month or two that was more critical for vCMP hosts than other systems?
Probably missed the 30 day window that PCI requires.
LK