BigIQ integration with Cisco ACS (TACACS+)

Question

I'm working with Big-IQ Central Manager and would like to authenticate against our TACACS (Cisco ACS) and use the RBAC capabilities; however the documentation is slim at best.  I'm getting an error, "User has no roles or groups associations.  
Trying to compare what we set our LTMs to authenticate using remote roles that are defined in ACS (below) to what I have on our BigIQ.

On our LTMs:
1. No users defined local
2. Authentication - Remote - TACACS+ 
3. Remote Role Groups
a. Group Name = TAC-Auth
b. Line Order 20 (Relative to our env.)
c. Attribute String = F5-LTM-User-Info-1=TAC-Auth
d. Remote Acccess = Enabled
e. Assigned Role = Other = %F5-LTM-User-Role
f. Partition Access = Other = %F5-LTM-Partition
g. Terminal Access = Other = %F5-LTM-User-Console

On ACS (Only giving one example)
Shell Profiles
1. F5-Device-TACAuth-Admin
2. Custom Attributes
a. F5-LTM-User-Info-1 = TAC-Auth
b. F5-LTM-User-Console = enable
c. F5-LTM-User-Role = Administrator
d. F5-LTM-Partition = All

BigIQ
1. Auth Providers = 
a. Name = NA_ACS
b. Type = TACACS+
2. User Groups
a. F5_Admin
c. Authorization Attributes
F5-BigIQ-User-Info = F5_Admin
%F5-BigIQ-User-Role = Administrator

ACS - Note: My understanding is that since BigIQ doesn't use partitions or the Terminal/Console role it might not be needed. 
2. Custom Attributes
a. F5-LTM-User-Info-1 = F5_Admin
b. F5-LTM-User-Role = Administrator

Thank you in advance for any insight!
/jeff

jba3126 · Answer

I wanted to share the answer as I was able to get this working with the help of sharp F5 PS Engineers.  Keep in mind that a lot of this is contextualized to our infrastructure or made generic for obvious reasons 🙂
BigIQ
1. Auth Providers = 
a. Name = NA_ACS
b. Type = TACACS+
c. Servers = Server IPs (Primary/Secondary) Port 49
d. Secret = TACACS/ACS Secret Passphrase
e. Primary Service = For us ppp
f. Protocol = ip
g. Encrypt = yes

2. User Groups
a. NA-BigIQAdmin
b. Authorization Attributes
F5-BigIQ-User-Info-1 = BigIQAdmin
c. Roles Selected = Administrator

ACS
1. Shell Profiles
a. F5-Device-TACAuth-BigIQAdmin
b. Custom Attributes
F5-BigIQ-User-Info-1 = BigIQAdmin

2. Access Policy
F5 Device Admin
Authorization
a. Name = BigIQ Admin
b. Identity Group = F5 Admins
c. NDG: Device Type = F5
d. NDG: Location = All Locations
e. Device Filter = Any
f. Shell Profile = F5-Device-TACAuth-BigIQAdmin

Once the user logs in they will automatically be added to the Users listing with tacacs+ next to their user id.

I sincerely hope this helps someone!

/jeff

claire · Answer

Many thanks for this, it was particularly helpful for us. Thanks to you I can authenticate against our TACACS (Cisco ISE).&nbsp;/Claire

Forum Discussion

BigIQ integration with Cisco ACS (TACACS+)

Recent Discussions

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

F5 Switches in 'Changes Pending' Status

Related Content

TACACS issue

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

Making Mobile SDK Integration Ridiculously Easy with F5 XC Mobile SDK Integrator

Access Troubleshooting: BIG-IP APM OIDC integration

TACACS+ External Monitor (Python)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS