Forum Discussion
jba3126
Apr 22, 2019 · Cirrus
BigIQ integration with Cisco ACS (TACACS+)
I'm working with Big-IQ Central Manager and would like to authenticate against our TACACS (Cisco ACS) and use the RBAC capabilities; however the documentation is slim at best. I'm getting an error,...
jba3126
Apr 24, 2019 · Cirrus
I wanted to share the answer as I was able to get this working with the help of sharp F5 PS Engineers. Keep in mind that a lot of this is contextualized to our infrastructure or made generic for obvious reasons 🙂
BigIQ
1. Auth Providers =
   a. Name = NA_ACS
   b. Type = TACACS+
   c. Servers = Server IPs (Primary/Secondary) Port 49
   d. Secret = TACACS/ACS Secret Passphrase
   e. Primary Service = For us ppp
   f. Protocol = ip
   g. Encrypt = yes
2. User Groups
   a. NA-BigIQAdmin
   b. Authorization Attributes
      F5-BigIQ-User-Info-1 = BigIQAdmin
   c. Roles Selected = Administrator

ACS
1. Shell Profiles
   a. F5-Device-TACAuth-BigIQAdmin
   b. Custom Attributes
      F5-BigIQ-User-Info-1 = BigIQAdmin
2. Access Policy
   F5 Device Admin
   Authorization
   a. Name = BigIQ Admin
   b. Identity Group = F5 Admins
   c. NDG: Device Type = F5
   d. NDG: Location = All Locations
   e. Device Filter = Any
   f. Shell Profile = F5-Device-TACAuth-BigIQAdmin
Once the user logs in, they will automatically be added to the Users listing with tacacs+ next to their user id.
I sincerely hope this helps someone!
/jeff
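
The setup above depends on the attribute in the ACS shell profile matching the authorization attribute on the BIG-IQ user group. As an added example (not part of the original post and not F5 or Cisco code), this sketch parses a de-obfuscated TACACS+ authorization REPLY body as laid out in RFC 8907 and reports which role the returned attribute would select. The `GROUPS` table, the function names and the exact, case-sensitive comparison are assumptions made for illustration.

```python
import struct

# Constructed from the post: BIG-IQ user group -> (attribute, value, role).
GROUPS = {"NA-BigIQAdmin": ("F5-BigIQ-User-Info-1", "BigIQAdmin", "Administrator")}
PASS = {0x01, 0x02}  # PASS_ADD, PASS_REPL status codes (RFC 8907)

def parse_author_reply(body: bytes):
    """Return (status, {attr: value}) from a decrypted authorization REPLY body."""
    if len(body) < 6:
        raise ValueError("body shorter than fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    # Arguments follow the length bytes, the server_msg and the data field.
    off = 6 + arg_cnt + msg_len + data_len
    if len(arg_lens) != arg_cnt or off + sum(arg_lens) != len(body):
        raise ValueError("length fields do not match body size")
    avs = {}
    for n in arg_lens:
        arg = body[off:off + n].decode("ascii")
        off += n
        # '=' marks a mandatory pair, '*' an optional one; split on the first.
        cuts = [i for i in (arg.find("="), arg.find("*")) if i > 0]
        if not cuts:
            raise ValueError(f"malformed AV pair: {arg!r}")
        avs[arg[:min(cuts)]] = arg[min(cuts) + 1:]
    return status, avs

def roles_for(body: bytes):
    """Roles selected under the assumed exact, case-sensitive attribute match."""
    status, avs = parse_author_reply(body)
    if status not in PASS:
        return []
    return [role for attr, val, role in GROUPS.values() if avs.get(attr) == val]

def build_reply(status: int, pairs):
    """Build a constructed sample body (empty server_msg and data) for testing."""
    args = [p.encode("ascii") for p in pairs]
    header = struct.pack("!BBHH", status, len(args), 0, 0)
    return header + bytes(map(len, args)) + b"".join(args)

if __name__ == "__main__":
    good = build_reply(0x01, ["F5-BigIQ-User-Info-1=BigIQAdmin"])
    typo = build_reply(0x01, ["F5-BigIQ-User-Info-1=bigiqadmin"])
    print(roles_for(good), roles_for(typo))
```

A reply that passes authorization but selects no role points at a mismatch between the shell profile's custom attribute and the user group's authorization attribute.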