Forum Discussion
Adding F5 to TACACS
How do I add LTM v10.2.0 to TACACS for user authentication? I am using a Cisco ACS. What configurations should I make in Cisco ACS and in the LTM?
Thanks for your help
Veeram
11 Replies
- nitass
Employee
have you seen these? can you try them?
Configuring Remote Authentication and Authorization for Administrative Traffic
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_mgmt_auth.html1022039
v.10 - Remote Authorization via TACACS+ by Jason
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/2316/v10--Remote-Authorization-via-TACACS43.aspx
- Ramkumar_Bala_7
Nimbostratus
Hi
Thanks for the reply,
I have 14 users configured in the Local directory. If I change the Authentication type under system -- users -- authentication to Remote--TACACS+, will I lose access to locally configured accounts?
Is there any example to know what type of logs I will get in the TACACS+ (Cisco ACS) server?
Thanks
-Ram
- nitass
Employee
I have 14 users configured in the Local directory, if I change the Authentication type under system -- users -- authentication to Remote--TACACS+, will I lose access to locally configured accounts
Yes, I understand all users except root and admin will be authenticated by the TACACS+ server.
Is there any example to know what type of logs I will get in the TACACS+ (Cisco ACS) server
Sorry, I do not have it, but I am hoping somebody here has.
- Ramkumar_Bala_7
Nimbostratus
Hi Nitass,
I have created " bigpipe remoterole role info adm { attribute F5-LTM-User-Info-1=adm role administrator user partition console enable deny disable line order 1 } "
1. How can I see that this has been created successfully?
2. In which directory should it be stored to work properly?
- Cory_50405
Noctilucent
Ramkumar,
When you configure a remoterole through bigpipe, it should be stored in /config/bigip.conf. Look in there to see if it saved.
- Ramkumar_Bala_7
Nimbostratus
Hi
Thanks, this works. We are able to log in to LTM using the credential in TACACS; however, I don't see any accounting in the Cisco ACS server for our logins. Can't we get accounting and logs in Cisco ACS?
- Elias_O_16228
Nimbostratus
Thanks, this works. We are able to log in to LTM using the credential in TACACS; however, I don't see any accounting in the Cisco ACS server for our logins. Can't we get accounting and logs in Cisco ACS?
I am facing a similar issue. LTM authentication via ACS is working fine, but I can't see accounting logs in ACS.
Help
- nitass
Employee
However, I don't see any accounting in the Cisco ACS server for our logins. Can't we get accounting and logs in Cisco ACS?
do you mean audit data?
sol13762: Configuring remote RADIUS or TACACS+ accounting
http://support.f5.com/kb/en-us/solutions/public/13000/700/sol13762
- Elias_O_16228
Nimbostratus
Hi nitass,
I was able to get it working with the link you provided; however, there are still some issues:
1) I could not add two servers for the destination. The syntax
tmos> modify sys db config.auditing.forward.destination value 192.168.1.45 192.168.1.46
is not working unless there is only one server. I tried different parameters such as "{" and it still did not take it.
2) tmos> save /sys config did not save to the standby unit. Even after b config sync all, the config did not appear in standby unit. (running v10.2.x)
tmos> show running-config sys db config.auditing.forward.destination { sys db config-auditing.forward.destination value "192.168.1.45" }
3) Getting Peer communication which is the standby heartbeat address on the Tacacs+ server. I don't want this audit
tmos> modify sys db config.auditing.forward.destination value 192.168.1.45 192.168.1.46
tmos> modify sys db config.auditing.forward.shared value "mysecret"
tmos> modify sys db config.auditing.forward.type value tacacs+
tmos> modify sys db config.auditing value enable
tmos> modify sys db log.mcpd.level value info
tmos> save /sys config
