Forum Discussion
jba3126
Cirrostratus
CirrostratusBigIQ integration with Cisco ACS (TACACS+)
I'm working with Big-IQ Central Manager and would like to authenticate against our TACACS (Cisco ACS) and use the RBAC capabilities; however the documentation is slim at best. I'm getting an error,...
jba3126Cirrostratus
CirrostratusI wanted to share the answer as I was able to get this working with the help of sharp F5 PS Engineers. Keep in mind that a lot of this is contextualized to our infrastructure or made generic for obvious reasons 🙂
BigIQ
1. Auth Providers =
a. Name = NA_ACS
b. Type = TACACS+
c. Servers = Server IPs (Primary/Secondary) Port 49
d. Secret = TACACS/ACS Secret Passphrase
e. Primary Service = For us ppp
f. Protocol = ip
g. Encrypt = yes
2. User Groups
a. NA-BigIQAdmin
b. Authorization Attributes
F5-BigIQ-User-Info-1 = BigIQAdmin
c. Roles Selected = Administrator
ACS
1. Shell Profiles
a. F5-Device-TACAuth-BigIQAdmin
b. Custom Attributes
F5-BigIQ-User-Info-1 = BigIQAdmin
2. Access Policy
F5 Device Admin
Authorization
a. Name = BigIQ Admin
b. Identity Group = F5 Admins
c. NDG: Device Type = F5
d. NDG: Location = All Locations
e. Device Filter = Any
f. Shell Profile = F5-Device-TACAuth-BigIQAdmin
Once the user logs in they will automatically be added to the Users listing with tacacs+ next to their user id.
I sincerely hope this helps someone!
/jeff
seamlessfireworkCirrostratus
CirrostratusThat worked for me, thanks a lot! I also added a separate viewer role group with the attribute "BigIQViewer". The group has the roles device and license viewer set.
