
DO 1.24.0 doesn't honor Remote Role Groups "remoteAccess": true setting. Previously working on 1.21.1

Open dan-da-man-86 opened this issue 4 years ago • 3 comments

Environment

  • Declarative Onboarding Version: 1.24.0
  • BIG-IP Version: 15.1.2.1

Summary

When using the DO 1.24 RPM on a BIG-IP 15.1.2.1, the "remoteAccess": true setting under "class": "RemoteAuthRole" is ignored and is set to disabled resulting in an inability to log in with RADIUS auth users to the BIG-IP web interface. The last known working version that honored the setting was DO 1.21.1. This bug still occurs even if the schema of the do.json sent is set at 1.21.0, 1.22.0 or 1.24.0. It seems to be dependent on the RPM installed on BIG-IP.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:
{
    "class": "DO",
    "declaration": {
        "$schema": "https://raw.githubusercontent.com/F5Networks/f5-declarative-onboarding/master/src/schema/latest/base.schema.json",
        "schemaVersion": "1.21.0",
        "class": "Device",
        "async": true,
        "label": "Onboard BIG-IP into Standalone Configuration",
        "Common": {
            "class": "Tenant",
            "hostname": "bigip1.domain.com",
            "dbVars": {
                "class": "DbVariables",
                "ui.advisory.enabled": true,
                "ui.advisory.color": "green",
                "ui.advisory.text": "AS3 Managed - Local changes may be lost",
                "config.allow.rfc3927": "enable",
                "ui.system.preferences.advancedselection": "advanced",
                "ui.system.preferences.recordsperscreen": "1000"
            },
            "myNtp": {
                "class": "NTP",
                "servers": [
                    "0.pool.ntp.org",
                    "1.pool.ntp.org"
                ],
                "timezone": "UTC"
            },
            "myProvisioning": {
                "class": "Provision",
                "ltm": "nominal",
                "avr": "nominal",
                "asm": "nominal"
            },
            "external": {
                "class": "VLAN",
                "tag": 4094,
                "mtu": 1500,
                "interfaces": [
                    {
                        "name": "1.1",
                        "tagged": false
                    }
                ]
            },
            "myAuth": {
                "class": "Authentication",
                "enabledSourceType": "radius",
                "fallback": true,
                "remoteUsersDefaults": {
                    "partitionAccess": "all",
                    "terminalAccess": "disabled",
                    "role": "no-access"
                },
                "radius": {
                    "serviceType": "authenticate-only",
                    "servers": {
                        "primary": {
                            "server": "10.2.2.11",
                            "port": "1812",
                            "secret": "radiussecret"
                        },
                        "secondary": {
                            "server": "10.2.2.12",
                            "port": "1812",
                            "secret": "radiussecret"
                        }
                    }
                }
            },
            "F5-Admin": {
                "class": "RemoteAuthRole",
                "attribute": "F5-LTM-User-Info-1=mgmt",
                "console": "tmsh",
                "lineOrder": 1001,
                "role": "admin",
                "remoteAccess": true,
                "userPartition": "all"
            }
        }
    }
}
  2. Declaration completes successfully
{
    "id": "b807acbd-aa33-4739-a2df-049618479988",
    "selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/b807acbd-aa33-4739-a2df-049618479988",
    "result": {
        "class": "Result",
        "code": 200,
        "status": "OK",
        "message": "success"
    },
....
            "F5-Admin": {
                "class": "RemoteAuthRole",
                "attribute": "F5-LTM-User-Info-1=mgmt",
                "console": "tmsh",
                "lineOrder": 1001,
                "role": "admin",
                "remoteAccess": true,
                "userPartition": "all"
            },
....
  3. You attempt to log in with RADIUS credentials, it fails.
  4. If you look in the web interface: Log in with a local account -> System -> Users -> Remote Role Groups -> Remote Access is set to Disabled when it should be Enabled

Expected Behavior

The Remote Access setting in the Remote Role Group is set to Enabled, and used to do this on 1.21.1.

Actual Behavior

The Remote Access setting in the Remote Role Group is set to Disabled and doesn't allow RADIUS users to authenticate. No error messages are displayed when submitting the do.json.

dan-da-man-86 avatar Sep 23 '21 20:09 dan-da-man-86
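A post-deployment check for the drift described in this report, added here as an example and not part of the f5-declarative-onboarding project: it pulls every `RemoteAuthRole` out of a DO declaration and compares it with what the BIG-IP actually holds for the corresponding remote-role entries, so a silently ignored `remoteAccess` shows up right after onboarding instead of surfacing later as failed RADIUS logins. The declaration is the one from the report; the device-side dictionary is constructed to reproduce the symptom, and its field names (attribute, lineOrder, role, userPartition, remoteAccess with "enabled"/"disabled" values) are an assumption about how the box represents `auth remote-role role-info`. In practice you would fill that dictionary from the device (for example via the iControl REST remote-role collection) rather than from a literal. The `console` property is not compared, because the DO value ("tmsh") and the on-box representation differ and the mapping is not given here.

```python
"""Compare RemoteAuthRole objects in a DO declaration with the device's remote-role state.

Added example, not code from the f5-declarative-onboarding project. Device-side
field names and the "enabled"/"disabled" encoding of remoteAccess are assumptions.
"""
import json

# The RemoteAuthRole from the bug report, kept as JSON so it matches do.json syntax.
DECLARATION = json.loads("""
{
    "class": "DO",
    "declaration": {
        "schemaVersion": "1.21.0",
        "class": "Device",
        "Common": {
            "class": "Tenant",
            "F5-Admin": {
                "class": "RemoteAuthRole",
                "attribute": "F5-LTM-User-Info-1=mgmt",
                "console": "tmsh",
                "lineOrder": 1001,
                "role": "admin",
                "remoteAccess": true,
                "userPartition": "all"
            }
        }
    }
}
""")

# Constructed device-side state (assumed field names), reproducing the symptom
# in the report: everything applied except remoteAccess, which ended up disabled.
DEVICE_ROLE_INFO = {
    "F5-Admin": {
        "attribute": "F5-LTM-User-Info-1=mgmt",
        "lineOrder": 1001,
        "role": "admin",
        "remoteAccess": "disabled",
        "userPartition": "All",
    }
}


def declared_remote_auth_roles(declaration):
    """Return {name: properties} for every RemoteAuthRole object under Common."""
    common = declaration.get("declaration", {}).get("Common", {})
    return {
        name: obj
        for name, obj in common.items()
        if isinstance(obj, dict) and obj.get("class") == "RemoteAuthRole"
    }


def expected_device_values(role):
    """Translate declared DO values into the form the device is assumed to report."""
    expected = {}
    if "attribute" in role:
        expected["attribute"] = role["attribute"]
    if "lineOrder" in role:
        expected["lineOrder"] = int(role["lineOrder"])
    if "role" in role:
        expected["role"] = role["role"]
    if "userPartition" in role:
        # Device reports "All"; compare case-insensitively.
        expected["userPartition"] = role["userPartition"].lower()
    if "remoteAccess" in role:
        # DO takes a boolean; the device keeps an enabled/disabled string (assumed).
        expected["remoteAccess"] = "enabled" if role["remoteAccess"] else "disabled"
    return expected


def find_drift(declaration, device_role_info):
    """Return (role name, field, expected, actual) tuples for every mismatch.

    A declared role that is absent on the device is reported as
    (name, "<missing>", "present", "absent").
    """
    drift = []
    for name, role in declared_remote_auth_roles(declaration).items():
        actual = device_role_info.get(name)
        if actual is None:
            drift.append((name, "<missing>", "present", "absent"))
            continue
        for field, expected in expected_device_values(role).items():
            got = actual.get(field)
            if field == "userPartition" and isinstance(got, str):
                got = got.lower()
            if got != expected:
                drift.append((name, field, expected, got))
    return drift


if __name__ == "__main__":
    for name, field, expected, got in find_drift(DECLARATION, DEVICE_ROLE_INFO):
        print(f"DRIFT {name}.{field}: declared {expected!r}, device has {got!r}")
```

Run against the constructed state it reports one line, `DRIFT F5-Admin.remoteAccess: declared 'enabled', device has 'disabled'`, which is exactly the condition this issue describes and the one a DO status of "success" does not reveal. An empty list means the declaration and the device agree on every compared property.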

Thank you for reporting this issue. I have added it to our internal product backlog as AUTOTOOL-2780.

dstokesf5 avatar Sep 28 '21 16:09 dstokesf5

I got the same problem. I am running TMOS 14.1.4.4 with DO 1.24.0. Here is my declaration. It is for the TACACS authentication:

"RemoteAuthRole": {
    "class": "RemoteAuthRole",
    "lineOrder": 100,
    "attribute": "F5-LTM-User-Info-1=adm",
    "remoteAccess": true,
    "console": "tmsh",
    "role": "admin",
    "userPartition": "all"
}

Even though it is set to true for "remoteAccess", it is still disabled.

difanzhao avatar Oct 09 '21 17:10 difanzhao

Same issue with BIG-IP 15.1.4 Build 0.0.47 Final and DO 1.24.0.

bd0zer avatar Oct 29 '21 16:10 bd0zer