Rant: F5 LTM and GTM Doesn’t Do External AAA Authorization

February 27, 2008 by Greg Ferro · 3 Comments

Hi! If you are new here, you might want to subscribe to the RSS feed to here more from me.

Service Oriented !
Authentication
Conclusion
Comments (3)

F5 BigIP LTM and GTM does not have any user authorisation capability for administration by Radius or TACACS. Can you believe that?

They have been producing F5 BigIP software for more than a decade and I cannot believe that customers have not been asking to provide external user authorisation. To compare, I have just been configuring APC Switched Rack Power Distribution bars, and they have Radius authorisation. How can a product costing tens of thousands not support this feature when a product worth a few hundred can ?

Service Oriented !

My data centres are now being driven to Service Oriented Networking, and without AAA servers I cannot control security policy to my F5 devices. If I had only one or two of these, this might be OK, but the business needs are that I MUST have multiple units (and F5 BigIP does not support hypervirtualization or even paravirtualization, just a simple resource partition )

Authentication

The F5 does support authentication, however this means that you must still create the user account on the F5 and configure all the necessary group privileges for the user. Not a brilliant idea when you have around fifty operators in a ²⁴⁄₇ NOC and the staff turnover is high.

Conclusion

F5 seems to be concentrating on nifty features for Microsoft sys admins (Powershell, iControl) , but missing out on fundamentals for networking. I hope someone is listening: external device authentication and authorisation is a mandatory requirement in modern networking, and the current method in BigIP is not good enough. I have talked about comparing the F5 and ACE here, minus 5 points to F5. for this.

Table of Contents

Service Oriented !
Authentication
Conclusion
Comments (3)

Please rate this post:

Why Rate Posts?

$1 Star - It\\\'s Crud$ $2 Stars - It\\\'s Tosh$ $3 Stars - Something\\\'s missing$ 4 Stars - Needs works

(1 votes, average: 10.00 out of 10)

Loading ...

Filed under Rant · Tagged with f5, Rant

Probably Related Posts on the Same Topic

Cisco IOS Load Balancing for Blue Coat SGOS

Some time ago I used IOS SLB feature on a C6500 to load balance a pair of Blue Coat ProxySG. Here the confuguration and some notes.

Read the full article

Rant: Brocade Requires Login & Service Contract to Access Foundry Manuals

So, I’m working on some Foundry gear and I’d like get access to some manuals to learn how Foundry works. Except they are hidden behind a login for valid service contract holders. Whats up with that ?

Read the full article

Rant:Cisco — Masters of the Networking World — What’s That on Your Home Page ?

Is Cisco’s home page a complete FAIL today ? Or is that just me.

Read the full article

Rant: I Loathe Voicemail, Its Disruptive and Inefficient

Its hard to describe how disruptive voice mail can be to an organised engineering day. The idea that someone can leave a message which requires me to undertake a further action (usually without confirmation) is anathema to being organised and getting things done.

Read the full article

Comments

3 Responses to “Rant: F5 LTM and GTM Doesn’t Do External AAA Authorization”

Christian says:

28 February 2008 at 01:52

I’ve recently ran into the same problem.. very annoying

BUT — I have gotten basic Radius working fine

also — F5 is a few years ahead of ace, i use ace’s too for virtualized customer infrastructures

The ACE is no competition for the F5 IMO, but i would really like to see F5 implement TACACS very soon

Reply
Don MacVittie says:

28 February 2008 at 21:52

Good Faith Disclosure: I am an F5 employee, one of the ones “…concentrating on nifty features…”

I’ll give you that it’s inconvenient not to have Radius do it for you (and prior to my employment at F5 have ranted about this in data center devices and appliances in general — and storage in particular), but there are two simple facts:

(1) The data center is sadly filled with devices and appliances that still don’t support Radius, F5 is hardly unique in that sense.

(2) F5 does a very good job of listening to customers — that is one of the reasons I came to the company.

When customers are asked where development time should be spent, Radius always loses. It always loses because for most organizations it is a minor imposition and they can get bigger bang for their buck if we implement things like Powershell and Control Point. We give the customers what they want — asking them would be a waste of time if we didn’t listen.

That doesn’t make it less inconvenient — particularly on initial setup — but for most customers that inconvenience is a minimal part of overall configuration cost and effort. For those it isn’t, they get basic Radius configured, as Christian mentions.

Remember that this is not core functionality for these products — a differentiator definitely, but not generally a buy/no buy decision point.

Don.

Reply
Greg Ferro says:

28 February 2008 at 22:10

Thanks for your response. I have two points.

I disagree with you on point 1, my data center is filled with products that do support authorization usually RADIUS or TACACS, but sometimes LDAP. In fact, I can’t think of any other product that does not have external authorization. But then, I believe myself to be a professional and I make security conscious choices.

I can see why RADIUS would lose in the development cycle and your point appears valid in this context. Let me make this point, if F5 can’t get the basic functions in place, how are they going to deliver the main functions ?

To put it differently, listening to customers when they SAY what they want, and failing to address fundamentals (or what they actually need) can lead to poor choices. Everyone says they want junk food, even when they know its the wrong choice.

Addiitonally, I have been asking for Radius authentication for years, and I am not alone. Check the forums for the ‘me too’ on my post. Which customers have you been listening to ?

Develop all the fancy features you like, but lets not forget fundamentals here. F5 has abrogated a primary security responsibility and it should be addressed.

Reply

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

A Random Selection of Other Fine Posts (or Not)

Can You Learn Anything From Google or Facebook Data Centers ?

I Believe That There Should Be a Security Design Team and a Security Audit Team. All Security Operations Should Be Performed by Network Operations.

Cynicism and Regret Are Powerful Design Tools

Fundraising Update Feb 2009

Network Dictionary — GONER