Forum Discussion
jba3126
Apr 22, 2019Cirrus
BigIQ integration with Cisco ACS (TACACS+)
I'm working with Big-IQ Central Manager and would like to authenticate against our TACACS (Cisco ACS) and use the RBAC capabilities; however the documentation is slim at best. I'm getting an error, "User has no roles or groups associations.
Trying to compare what we set our LTMs to authenticate using remote roles that are defined in ACS (below) to what I have on our BigIQ.
On our LTMs:
1. No users defined local
2. Authentication - Remote - TACACS+
3. Remote Role Groups
a. Group Name = TAC-Auth
b. Line Order 20 (Relative to our env.)
c. Attribute String = F5-LTM-User-Info-1=TAC-Auth
d. Remote Acccess = Enabled
e. Assigned Role = Other = %F5-LTM-User-Role
f. Partition Access = Other = %F5-LTM-Partition
g. Terminal Access = Other = %F5-LTM-User-Console
On ACS (Only giving one example)
Shell Profiles
1. F5-Device-TACAuth-Admin
2. Custom Attributes
a. F5-LTM-User-Info-1 = TAC-Auth
b. F5-LTM-User-Console = enable
c. F5-LTM-User-Role = Administrator
d. F5-LTM-Partition = All
BigIQ
1. Auth Providers =
a. Name = NA_ACS
b. Type = TACACS+
2. User Groups
a. F5_Admin
c. Authorization Attributes
F5-BigIQ-User-Info = F5_Admin
%F5-BigIQ-User-Role = Administrator
ACS - Note: My understanding is that since BigIQ doesn't use partitions or the Terminal/Console role it might not be needed.
2. Custom Attributes
a. F5-LTM-User-Info-1 = F5_Admin
b. F5-LTM-User-Role = Administrator
Thank you in advance for any insight!
/jeff
- jba3126Cirrus
I wanted to share the answer as I was able to get this working with the help of sharp F5 PS Engineers. Keep in mind that a lot of this is contextualized to our infrastructure or made generic for obvious reasons 🙂
BigIQ 1. Auth Providers = a. Name = NA_ACS b. Type = TACACS+ c. Servers = Server IPs (Primary/Secondary) Port 49 d. Secret = TACACS/ACS Secret Passphrase e. Primary Service = For us ppp f. Protocol = ip g. Encrypt = yes 2. User Groups a. NA-BigIQAdmin b. Authorization Attributes F5-BigIQ-User-Info-1 = BigIQAdmin c. Roles Selected = Administrator ACS 1. Shell Profiles a. F5-Device-TACAuth-BigIQAdmin b. Custom Attributes F5-BigIQ-User-Info-1 = BigIQAdmin 2. Access Policy F5 Device Admin Authorization a. Name = BigIQ Admin b. Identity Group = F5 Admins c. NDG: Device Type = F5 d. NDG: Location = All Locations e. Device Filter = Any f. Shell Profile = F5-Device-TACAuth-BigIQAdmin Once the user logs in they will automatically be added to the Users listing with tacacs+ next to their user id. I sincerely hope this helps someone! /jeff
- ClaireNimbostratus
Many thanks for this, it was particularly helpful for us. Thanks to you I can authenticate against our TACACS (Cisco ISE).
/Claire
Recent Discussions
Related Content
Â
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects