How to select script monitoring authentication types

Learn how to get the most out of your infrastructure by selecting different indeni configuration and authentication settings.

Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.

The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog.

Key Takeaways
  • Effective infrastructure monitoring with indeni requires access to the F5 advanced shell, which in turn mandates administrator-level privileges.
  • On F5 versions up to 11.5.4, iControl REST only supports locally authenticated users, forcing use of the local admin account when RADIUS is configured.
  • When RADIUS is used for both authentication and authorization on F5, the shell cannot be set to advanced shell for any user, again requiring the local admin account for proper permissions.
  • Using TMSH as a workaround to avoid the local admin account is not viable because extensive TMSH usage has been shown to consume excessive system memory.
  • For F5 11.5.4 and earlier, indeni monitoring must use the local admin account with SSH access regardless of the external authentication/authorization configuration.
  • For F5 11.6.0 and later, administrators can either use the local admin account with SSH or configure any Administrator-role account with an advanced shell, depending on whether authentication and authorization are local or remote.

Considerations when selecting authentication types

Choosing an authentication method for monitoring your infrastructure devices might sound easy at first glance. After all, a monitoring script would only need read-only access, right? Wrong.

Monitoring with indeni goes beyond what normal monitoring tools do. The goal of indeni is to detect problems before they occur, saving you hours of troubleshooting and root cause analysis down the road. To get early detection, indeni needs access to the advanced shell. Let's take a look at what this means on F5 devices.

Example: Selecting authentication types for F5 devices

On an F5, access to the advanced shell requires the user in question to have administrator access. Also, up until version 11.5.4, iControl REST requires the user to be locally authenticated. This means that on systems running versions up to 11.5.4 that use RADIUS for authentication, administrators have to resort to the local admin account for REST calls.

On top of that, if a system is configured to use RADIUS for both authentication and authorization, there is no way of setting the shell to advanced shell on any version. So, yet again, administrators must resort to the local admin account in order to set the proper permissions.

We have gone above and beyond to avoid using local admin accounts by investing a lot of time running monitor commands via TMSH. However, this has turned out to cause harm to the system because TMSH uses way too much memory. So what does this mean? In order to get the most out of indeni, administrators will have to configure authentication according to the following table:

| Version | Authentication | Authorization | User |
|---|---|---|---|
| 11.5.4 and earlier | Any | Any | Local admin (with SSH access) |
| 11.6.0 and later | Remote | Remote | Local admin (with SSH access) |
| 11.6.0 and later | Local | Local | Any account with role Administrator and shell set to Advanced Shell |
| 11.6.0 and later | Remote | Local | Any account with role Administrator and shell set to Advanced Shell |
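The table above can be applied across a device inventory to see where the shared local admin account is unavoidable. The following is an added example, not indeni or F5 code: the function names and the inventory rows are assumptions constructed for illustration, and any version or authentication combination the table does not list is reported as unknown rather than guessed.

```python
# Added example: encodes the table above. Inventory rows are constructed.
LOCAL_ADMIN = "Local admin (with SSH access)"
ADMIN_ROLE = "Any account with role Administrator and shell set to Advanced Shell"


def parse_version(text):
    """'11.5.4' -> (11, 5, 4); numeric, so 11.5.10 sorts after 11.5.4."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def required_account(version, authentication, authorization):
    """Return the table's User column, or raise ValueError if no row applies."""
    v = parse_version(version)
    authn, authz = authentication.lower(), authorization.lower()
    if v <= (11, 5, 4):
        return LOCAL_ADMIN  # any authentication / authorization
    if v < (11, 6, 0):
        raise ValueError(f"{version}: table has no row between 11.5.4 and 11.6.0")
    if (authn, authz) == ("remote", "remote"):
        return LOCAL_ADMIN
    if (authn, authz) in (("local", "local"), ("remote", "local")):
        return ADMIN_ROLE
    raise ValueError(f"{authentication}/{authorization}: combination not in table")


def audit(inventory):
    """Group device names by the account the monitoring user must be."""
    report = {"local_admin": [], "admin_role": [], "unknown": []}
    for name, version, authn, authz in inventory:
        try:
            account = required_account(version, authn, authz)
        except ValueError:
            report["unknown"].append(name)  # do not guess outside the table
            continue
        key = "local_admin" if account == LOCAL_ADMIN else "admin_role"
        report[key].append(name)
    return report


# Constructed inventory: (name, version, authentication, authorization)
SAMPLE_INVENTORY = [
    ("ltm-a", "11.5.4", "Remote", "Remote"),
    ("ltm-b", "11.6.0", "Remote", "Local"),
    ("ltm-c", "12.1.2", "Remote", "Remote"),
    ("ltm-d", "11.5.10", "Local", "Local"),   # string compare would call this <= 11.5.4
    ("ltm-e", "12.1.2", "Local", "Remote"),   # combination the table does not list
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Devices listed under `local_admin` are the ones where the monitoring tool has to hold the shared local admin credential; those under `admin_role` can use a dedicated Administrator-role account instead.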

Thank you to Patrik Jonsson for contributing this article.
