Forum Discussion
jba3126
Cirrostratus
Apr 22, 2019
BigIQ integration with Cisco ACS (TACACS+)
I'm working with Big-IQ Central Manager and would like to authenticate against our TACACS (Cisco ACS) and use the RBAC capabilities; however the documentation is slim at best. I'm getting an error,...
jba3126
Cirrostratus
Apr 24, 2019
I wanted to share the answer as I was able to get this working with the help of sharp F5 PS Engineers. Keep in mind that a lot of this is contextualized to our infrastructure or made generic for obvious reasons 🙂
BigIQ
1. Auth Providers =
a. Name = NA_ACS
b. Type = TACACS+
c. Servers = Server IPs (Primary/Secondary) Port 49
d. Secret = TACACS/ACS Secret Passphrase
e. Primary Service = For us ppp
f. Protocol = ip
g. Encrypt = yes
2. User Groups
a. NA-BigIQAdmin
b. Authorization Attributes
F5-BigIQ-User-Info-1 = BigIQAdmin
c. Roles Selected = Administrator
ACS
1. Shell Profiles
a. F5-Device-TACAuth-BigIQAdmin
b. Custom Attributes
F5-BigIQ-User-Info-1 = BigIQAdmin
2. Access Policy
F5 Device Admin
Authorization
a. Name = BigIQ Admin
b. Identity Group = F5 Admins
c. NDG: Device Type = F5
d. NDG: Location = All Locations
e. Device Filter = Any
f. Shell Profile = F5-Device-TACAuth-BigIQAdmin
Once the user logs in they will automatically be added to the Users listing with tacacs+ next to their user id.
I sincerely hope this helps someone!
/jeff
- seamlessfirework Dec 27, 2024
Cirrostratus
That worked for me, thanks a lot! I also added a separate viewer role group with the attribute "BigIQViewer". The group has the roles device and license viewer set.
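For troubleshooting the mapping described in this thread, the following added example (not from the posters, F5 or Cisco) decodes a TACACS+ authorization reply body in the RFC 8907 layout and reports which BIG-IQ user group its attributes would select. Assumptions: the body has already been de-obfuscated with the shared secret, BIG-IQ matches attribute name and value exactly, the viewer group uses the same attribute name, and `NA-BigIQViewer` is a hypothetical group name; the sample reply is constructed.

```python
import struct

# Authorization reply status codes that grant access (RFC 8907, section 6.2)
PASS_ADD, PASS_REPL = 0x01, 0x02

# BIG-IQ user groups and the attribute/value each expects.
# NA-BigIQAdmin is from the post; NA-BigIQViewer is a hypothetical name.
GROUPS = {
    "NA-BigIQAdmin": ("F5-BigIQ-User-Info-1", "BigIQAdmin"),
    "NA-BigIQViewer": ("F5-BigIQ-User-Info-1", "BigIQViewer"),
}

def parse_author_reply(body: bytes):
    """Decode a cleartext authorization REPLY body into (status, {attr: value})."""
    if len(body) < 6:
        raise ValueError("body shorter than the fixed 6-byte header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    offset = 6 + arg_cnt + msg_len + data_len  # skip server_msg and data
    if len(arg_lens) != arg_cnt or offset + sum(arg_lens) != len(body):
        raise ValueError("length fields do not match body size")
    pairs = {}
    for n in arg_lens:
        arg = body[offset:offset + n].decode("ascii")
        offset += n
        # '=' marks a mandatory argument, '*' an optional one; first wins
        seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
        if not seps:
            raise ValueError(f"argument without separator: {arg!r}")
        pairs[arg[:min(seps)]] = arg[min(seps) + 1:]
    return status, pairs

def matching_groups(body: bytes):
    """Return the BIG-IQ groups whose attribute appears in a passing reply."""
    status, pairs = parse_author_reply(body)
    if status not in (PASS_ADD, PASS_REPL):
        return []
    return [g for g, (attr, val) in GROUPS.items() if pairs.get(attr) == val]

def build_reply(status, args):
    """Construct a sample reply body (test data, not a capture)."""
    enc = [a.encode("ascii") for a in args]
    header = struct.pack("!BBHH", status, len(enc), 0, 0)
    return header + bytes(len(a) for a in enc) + b"".join(enc)

SAMPLE = build_reply(PASS_ADD, ["F5-BigIQ-User-Info-1=BigIQAdmin"])
print(matching_groups(SAMPLE))
```

An empty result on a passing reply points at a name or value mismatch between the ACS shell profile and the BIG-IQ group, including differences in letter case.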
