F5: Remote Authentication Fallback option

In BIG-IP v13, F5 Networks introduced the Fallback option for Remote authentication. When working with F5 devices, there are two ways of authenticating users: locally or remotely. With Local authentication, you create the users and the roles on the F5 device itself, without the need to authenticate against a remote server. With Remote authentication, you configure the F5 device to authenticate against a remote authentication server, which can be LDAP, Active Directory, RADIUS or TACACS+.

Combine Remote and Local authentication on F5 devices

Unfortunately, even after the Fallback option was added in v13, you cannot combine Remote and Local authentication. If the Remote authentication server you have configured is up and responding, the F5 device will try to authenticate against it, even if the authentication for the user fails.

Fallback Option for Remote Authentication

So, you may be wondering what the actual use of the Fallback option is. The Fallback option works ONLY if the remote authentication server is DOWN (not reachable) from the F5 device. Prior to v13, if the remote authentication server was down and remote authentication was configured on the F5 device, the F5 would still try to authenticate the user against the remote authentication server, even if local users were defined. The only exceptions are the admin and root users, which by default authenticate locally even if remote authentication is configured on the F5 device.

Configuring Remote Authentication Fallback

If you want to configure Remote authentication fallback, first make sure you define on the F5 the local user that you will use in case the remote server is not reachable.

You define the Users in the ‘Users’ section in the GUI as shown below:

[Screenshot: Users list]

Then, the only thing you need to do is go to Users -> Remote authentication and select the “Fallback to Local” option as shown in the image below:

[Screenshot: Fallback to Local option]

How Remote Authentication Fallback works

In the example shown above we have three users defined:

  • admin
  • indeni
  • joe

In addition to these three users, there is the default root user, which works for the CLI on F5 devices. To explain the behaviour of remote authentication, we will define three scenarios:

  • Remote authentication server reachable
  • Remote authentication server unreachable
  • Remote authentication server reachable but login for user fails

Remote authentication server reachable

If the remote authentication server is reachable and you have configured the authentication properly, users will be able to access the F5 device with their credentials, even if they are not defined locally. So, let's say you usually access the F5 device with your user ‘bob’, and ‘bob’ is not in the list above. If the remote authentication is working, then ‘bob’ will be able to access the device. We know admin and root will authenticate locally regardless. What about indeni and joe, which are local users? If indeni and joe are NOT defined in the remote authentication server, they won’t be able to access the device: because the remote authentication server is UP and reachable, only users defined in the remote authentication server can access the F5 device.

Remote authentication server not reachable

This is where the ‘Fallback to Local’ option comes into play. Because the remote authentication server is down and the option is enabled, the F5 will fall back to authenticating users locally. Users indeni and joe, and the default root and admin, will be able to authenticate to the device locally.

Remote authentication server reachable but login for user fails

This scenario can occur when the login for the user fails because the wrong credentials are used or because there is a problem with the remote authentication configuration. Configuring remote authentication on an F5 device can be a tricky task and usually requires contacting a BIG-IP expert with a deep understanding of remote authentication protocols. Unfortunately, even if the Fallback to Local option is enabled on the F5 device, if the Remote authentication server is reachable and responding, the F5 will not fall back to local. To date, there is no way to combine Remote and Local authentication on BIG-IP devices.
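
The three scenarios can be checked as an access matrix. The following Python model is an added example, not F5 code or anything from the BIG-IP product: it encodes only the behaviour described in this article, and the class names, function names and the remote directory containing only ‘bob’ are assumptions made for illustration.

```python
from dataclasses import dataclass

# Accounts the article says authenticate locally regardless of remote auth.
ALWAYS_LOCAL = frozenset({"admin", "root"})


@dataclass(frozen=True)
class Device:
    local_users: frozenset   # accounts defined on the BIG-IP itself
    fallback_to_local: bool  # "Fallback to Local" (False also models pre-v13)


@dataclass(frozen=True)
class RemoteServer:
    reachable: bool
    users: frozenset         # accounts the remote server accepts (constructed)


def auth_source(device, remote, user):
    """Return which store decides this login: 'local' or 'remote'."""
    if user in ALWAYS_LOCAL:
        return "local"
    if not remote.reachable and device.fallback_to_local:
        return "local"
    # A reachable server is always authoritative; without fallback the
    # device keeps asking the remote server even when it is down.
    return "remote"


def can_log_in(device, remote, user):
    """Assumes the user supplies the right password for the deciding store."""
    if auth_source(device, remote, user) == "local":
        return user in device.local_users
    return remote.reachable and user in remote.users


def access_matrix(device, remote, users):
    return {u: can_log_in(device, remote, u) for u in users}


# Constructed sample data using the account names from the article.
USERS = ["admin", "root", "indeni", "joe", "bob"]
LOCAL = frozenset({"admin", "root", "indeni", "joe"})
DIRECTORY = frozenset({"bob"})

if __name__ == "__main__":
    for reachable in (True, False):
        for fallback in (True, False):
            row = access_matrix(Device(LOCAL, fallback),
                                RemoteServer(reachable, DIRECTORY), USERS)
            print(f"reachable={reachable!s:5} fallback={fallback!s:5}", row)
```

Running it shows that with the server down and fallback disabled, only admin and root can log in, which is why the local fallback accounts are worth defining and testing before an outage.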