Forum Discussion
taphagreg_90345
Nimbostratus
Feb 21, 2008
Authorisation of sysadmins using RADIUS or TACACS
I don't seem to be able to find much information on this. I have my F5 LTM and GTM and want to control the user logins using RADIUS or TACACS to set the user privilege level.
However, I am not able to find the Radius AV file or any documentation about configuring it.
I don't think I would be the first person to ask the question so if anyone can help by giving some pointers that would help out.
I am using Cisco Secure ACS for my RADIUS / TACACS server.
greg
17 Replies
- Brian_Thompson
Nimbostratus
I'd like to see support for this
- Claret_Carvalho
Nimbostratus
I could be wrong but I think this has been introduced as of 10.X unless I misread the documentation.
- Chris_Phillips
Nimbostratus
FWIW, I just came here looking for this functionality too. I won't kick off that it's not there already though! Never seen any PAM implementation use RADIUS options elsewhere in Linux land, so didn't expect it here.
- hoolio
Cirrostratus
bkthomps, as Deb suggested, the best way to make an official request for a change in the product is to open a case with F5 Support. If there is an existing CR, your request will be attached to it.
Aaron
- redcats_65144
Nimbostratus
Below is a statement in Release notes of v10.0.1 regarding Radius/TACACS+. It is clear to me that this feature has been added to the new release. Can anyone kindly share the experience here if you have already tested/used it in production? We would like to upgrade our current production environment just for this feature!
Cheers.
Group-based privilege assignment for RADIUS and TACACS+ user accounts
For environments that store BIG-IP system user accounts on a remote server, your ability to assign user privileges on a group-wide basis has been expanded to include not only LDAP and Active Directory servers, but also RADIUS and TACACS+. Using the BIG-IP system's remoterole command, you can now assign a user role, partition access, and terminal access to a group of user accounts based on a specific RADIUS or TACACS+ attribute.
- JRahm
Admin
Just to clarify hoolio's comments higher in this thread, I do work for F5 now.
That said, I just wrote an article a week ago that covers the TACACS+ implementations angle of this feature:
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2316
- Adrian_1807
Nimbostratus
Hi.
Let's resume this question. ;-)
Jaso, very good job with that article. But to complete the question, I assume it is also possible to implement something similar with RADIUS, isn't it??
On the other hand, I have a doubt regarding a possible failure of the remote server. I mean, what happens if the RADIUS/TACACS stops working?? Will users be able to log on to the system???
Is it possible to have two authentication methods? First TACACS, for example, and if this fails, do it locally???
And when using external authentication, I suppose it is still possible to have local users like admin, isn't it??
Thank you!!!
