f5networks.f5_modules.bigip_device_auth (1.28.0) — module

Manage system authentication on a BIG-IP

Added in version 1.0.0 of f5networks.f5_modules

Authors: Tim Rupp (@caphrim007), Nitin Khanna (@nitinthewiz)

Install collection

Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0


Add to requirements.yml

  collections:
    - name: f5networks.f5_modules
      version: 1.28.0

Description

Manage the system authentication configuration. This module can assist in configuring a number of different system authentication types. Note that this module can not be used to configure APM authentication types.

Usage examples

- name: Set the system auth to TACACS+, default server port
  bigip_device_auth:
    type: tacacs
    authentication: use-all-servers
    accounting: send-to-all-servers
    protocol_name: ip
    secret: secret
    servers:
      - 10.10.10.10
      - 10.10.10.11
    service_name: ppp
    state: present
    use_for_auth: true
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
- name: Set the system auth to TACACS+, override server port
  bigip_device_auth:
    type: tacacs
    authentication: use-all-servers
    protocol_name: ip
    secret: secret
    servers:
      - address: 10.10.10.10
        port: 1234
      - 10.10.10.11
    service_name: ppp
    use_for_auth: true
    state: present
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

Inputs

type:
    choices:
    - tacacs
    - local
    description:
    - The authentication type to manage with this module.
    - Take special note that the parameters supported by this module will vary depending
      on the C(type) that you are configuring.
    - At this time, this module only supports a subset of the total available auth types.
    required: true
    type: str

state:
    choices:
    - absent
    - present
    default: present
    description:
    - The state of the authentication configuration on the system.
    - When C(present), guarantees the system is configured for the specified C(type).
    - When C(absent), sets the system auth source back to C(local).
    type: str

secret:
    description:
    - Secret key used to encrypt and decrypt packets sent or received from the server.
    - B(Do not) use the pound/hash sign in the secret for TACACS+ servers.
    - When configuring TACACS+ auth for the first time, this value is required.
    type: str

servers:
    description:
    - Specifies a list of the IPv4 addresses for servers using the Terminal Access Controller
      Access System (TACACS)+ protocol with which the system communicates to obtain authorization
      data.
    - For each address, an alternate TCP port number may optionally be given with the
      C(port) key.
    - If no port number is specified, the default port C(49163) is used.
    - This parameter is supported by the C(tacacs) type.
    suboptions:
      address:
        description:
        - The IP address of the server.
        - This field is required, unless you are specifying a simple list of servers.
          In that case, the simple list can specify server IPs. See the examples for more
          clarification.
      port:
        description:
        - The port of the server.
    type: raw
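Because C(servers) is typed C(raw), a playbook can pass either bare IPv4 strings or address/port dicts, as the usage examples show. The following is an added example, not part of the module or this page, that normalizes both forms the way a pre-flight check in a playbook or CI job might, applying the documented default port and the documented rule against a pound sign in the TACACS+ secret; the helper names are assumptions.

```python
import ipaddress

# Default TACACS+ port as stated in this module's documentation.
DEFAULT_TACACS_PORT = 49163


def normalize_servers(servers):
    """Turn the module's 'servers' value (type: raw) into a list of
    (address, port) tuples.

    Accepts the two forms shown in the usage examples: a bare IPv4 string
    such as "10.10.10.10", or a dict with an 'address' key and an optional
    'port' key. Raises ValueError on anything else so a playbook can fail
    early instead of pushing a half-valid auth source to the device.
    """
    if not isinstance(servers, list) or not servers:
        raise ValueError("servers must be a non-empty list")
    result = []
    for entry in servers:
        if isinstance(entry, str):
            address, port = entry, DEFAULT_TACACS_PORT
        elif isinstance(entry, dict) and "address" in entry:
            address = entry["address"]
            port = entry.get("port", DEFAULT_TACACS_PORT)
        else:
            raise ValueError(f"unsupported server entry: {entry!r}")
        # The module documents IPv4 addresses only; ip_address() also
        # raises ValueError for hostnames or malformed strings.
        if not isinstance(ipaddress.ip_address(address), ipaddress.IPv4Address):
            raise ValueError(f"{address} is not an IPv4 address")
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range for {address}")
        result.append((address, port))
    return result


def check_tacacs_secret(secret):
    """Return True if the shared secret is usable for a TACACS+ server.

    The module documentation warns against the pound/hash sign, and an
    empty secret would leave packets effectively unprotected, so both
    are rejected.
    """
    return bool(secret) and "#" not in secret
```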

provider:
    description:
    - A dict object containing connection details.
    suboptions:
      auth_provider:
        description:
        - Configures the auth provider used to obtain authentication tokens from the remote
          device.
        - This option is primarily used when working with BIG-IQ devices.
        type: str
      no_f5_teem:
        default: false
        description:
        - If C(yes), TEEM telemetry data is not sent to F5.
        - You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
        - Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
        type: bool
      password:
        aliases:
        - pass
        - pwd
        description:
        - The password for the user account used to connect to the BIG-IP or the BIG-IQ.
        - You may omit this option by setting the environment variable C(F5_PASSWORD).
        required: true
        type: str
      server:
        description:
        - The BIG-IP host or the BIG-IQ host.
        - You may omit this option by setting the environment variable C(F5_SERVER).
        required: true
        type: str
      server_port:
        default: 443
        description:
        - The BIG-IP server port.
        - You may omit this option by setting the environment variable C(F5_SERVER_PORT).
        type: int
      timeout:
        description:
        - Specifies the timeout in seconds for communicating with the network device for
          either connecting or sending commands. If the timeout is exceeded before the
          operation is completed, the module will error.
        type: int
      transport:
        choices:
        - rest
        default: rest
        description:
        - Configures the transport connection to use when connecting to the remote device.
        type: str
      user:
        description:
        - The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative
          privileges on the device.
        - You may omit this option by setting the environment variable C(F5_USER).
        required: true
        type: str
      validate_certs:
        default: true
        description:
        - If C(no), SSL certificates are not validated. Use this only on personally controlled
          sites using self-signed certificates.
        - You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
        type: bool
    type: dict
    version_added: 1.0.0
    version_added_collection: f5networks.f5_modules

accounting:
    choices:
    - send-to-first-server
    - send-to-all-servers
    description:
    - Specifies how the system returns accounting information, such as which services
      users access and the amount of network resources they consume, to the TACACS+ server.
    - When C(send-to-first-server), specifies the system transmits accounting information
      back to the first available TACACS+ server in the list.
    - When C(send-to-all-servers), specifies the system transmits accounting information
      back to all TACACS+ servers in the list.
    - This parameter is supported by the C(tacacs) type.
    type: str

service_name:
    choices:
    - slip
    - ppp
    - arap
    - shell
    - tty-daemon
    - connection
    - system
    - firewall
    description:
    - Specifies the name of the service the user is requesting to be authorized to use.
    - Identifying what the user is asking to be authorized for enables the TACACS+ server
      to behave differently for different types of authorization requests.
    - This setting is required when configuring this form of system authentication.
    - Note that the majority of TACACS+ implementations are of service type C(ppp), so
      try that first.
    type: str

use_for_auth:
    description:
    - Specifies whether or not this auth source is put in use on the system.
    type: bool

protocol_name:
    choices:
    - lcp
    - ip
    - ipx
    - atalk
    - vines
    - lat
    - xremote
    - tn3270
    - telnet
    - rlogin
    - pad
    - vpdn
    - ftp
    - http
    - deccp
    - osicp
    - unknown
    description:
    - Specifies the protocol associated with the value specified in C(service_name), which
      is a subset of the associated service being used for client authorization or system
      accounting.
    - Note that the majority of TACACS+ implementations are of protocol type C(ip), so
      try that first.
    type: str

update_secret:
    choices:
    - always
    - on_create
    default: always
    description:
    - C(always) will allow updating secrets if the user chooses to do so.
    - C(on_create) will only set the secret when a C(use_auth_source) is C(true) and TACACS+
      is not currently the auth source.
    type: str

authentication:
    choices:
    - use-first-server
    - use-all-servers
    description:
    - Specifies the process the system employs when sending authentication requests.
    - When C(use-first-server), specifies the system sends authentication attempts only
      to the first server in the list.
    - When C(use-all-servers), specifies the system sends an authentication request to
      each server until authentication succeeds, or until the system has sent a request
      to all servers in the list.
    - This parameter is supported by the C(tacacs) type.
    type: str

Outputs

accounting:
  description: Which servers to send information to when using TACACS.
  returned: changed
  sample: send-to-all-servers
  type: str
authentication:
  description: Process the system uses to serve authentication requests when using
    TACACS.
  returned: changed
  sample: use-all-servers
  type: str
protocol_name:
  description: Name of the protocol associated with C(service_name) used for client
    authentication.
  returned: changed
  sample: ip
  type: str
servers:
  description: List of servers used in TACACS authentication.
  returned: changed
  sample:
  - 1.2.2.1
  - 4.5.5.4
  type: list
service_name:
  description: Name of the service the user is requesting to be authorized to use.
  returned: changed
  sample: ppp
  type: str