You are here: Home / Blog / Rant / Rant: F5 LTM and GTM doesn’t do external AAA authorization

Rant: F5 LTM and GTM Doesn’t Do External AAA Authorization

27th February 2008 by 4 Comments

F5 BigIP LTM and GTM does not have any user authorisation capability for administration by Radius or TACACS. Can you believe that?

They have been producing F5 BigIP software for more than a decade and I cannot believe that customers have not been asking to provide external user authorisation. To compare, I have just been configuring APC Switched Rack Power Distribution bars, and they have Radius authorisation. How can a product costing tens of thousands not support this feature when a product worth a few hundred can ?

Service Oriented !

My data centres are now being driven to Service Oriented Networking, and without AAA servers I cannot control security policy to my F5 devices. If I had only one or two of these, this might be OK, but the business needs are that I MUST have multiple units (and F5 BigIP does not support hypervirtualization or even paravirtualization, just a simple resource partition )

Authentication

The F5 does support authentication, however this means that you must still create the user account on the F5 and configure all the necessary group privileges for the user. Not a brilliant idea when you have around fifty operators in a 24/7 NOC and the staff turnover is high.

Conclusion

F5 seems to be concentrating on nifty features for Microsoft sys admins (Powershell, iControl) , but missing out on fundamentals for networking. I hope someone is listening: external device authentication and authorisation is a mandatory requirement in modern networking, and the current method in BigIP is not good enough. I have talked about comparing the F5 and ACE here, minus 5 points to F5. for this.

Filed Under: Rant Tagged With: ,
About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus

  • Christian

    I’ve recently ran into the same problem.. very annoying

    BUT – I have gotten basic Radius working fine

    also – F5 is a few years ahead of ace, i use ace’s too for virtualized customer infrastructures

    The ACE is no competition for the F5 IMO, but i would really like to see F5 implement TACACS very soon

  • http://devcentral.f5.com Don MacVittie

    Good Faith Disclosure: I am an F5 employee, one of the ones “…concentrating on nifty features…”

    I’ll give you that it’s inconvenient not to have Radius do it for you (and prior to my employment at F5 have ranted about this in data center devices and appliances in general – and storage in particular), but there are two simple facts:

    (1) The data center is sadly filled with devices and appliances that still don’t support Radius, F5 is hardly unique in that sense.

    (2) F5 does a very good job of listening to customers – that is one of the reasons I came to the company.

    When customers are asked where development time should be spent, Radius always loses. It always loses because for most organizations it is a minor imposition and they can get bigger bang for their buck if we implement things like Powershell and Control Point. We give the customers what they want – asking them would be a waste of time if we didn’t listen.

    That doesn’t make it less inconvenient – particularly on initial setup – but for most customers that inconvenience is a minimal part of overall configuration cost and effort. For those it isn’t, they get basic Radius configured, as Christian mentions.

    Remember that this is not core functionality for these products – a differentiator definitely, but not generally a buy/no buy decision point.

    Don.

  • http://etherealmind.com Greg Ferro

    Thanks for your response. I have two points.

    I disagree with you on point 1, my data center is filled with products that do support authorization usually RADIUS or TACACS, but sometimes LDAP. In fact, I can’t think of any other product that does not have external authorization. But then, I believe myself to be a professional and I make security conscious choices.

    I can see why RADIUS would lose in the development cycle and your point appears valid in this context. Let me make this point, if F5 can’t get the basic functions in place, how are they going to deliver the main functions ?

    To put it differently, listening to customers when they SAY what they want, and failing to address fundamentals (or what they actually need) can lead to poor choices. Everyone says they want junk food, even when they know its the wrong choice.

    Addiitonally, I have been asking for Radius authentication for years, and I am not alone. Check the forums for the ‘me too’ on my post. Which customers have you been listening to ?

    Develop all the fancy features you like, but lets not forget fundamentals here. F5 has abrogated a primary security responsibility and it should be addressed.

  • Dave Noonan

    In case someone else finds this while searching for “BIG-IP tacacs”, this feature has been in added. There’s a tutorial at this link and I’ve made it work with ACS 5.3.

    https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/2316/v10–Remote-Authorization-via-TACACS43.aspx