Forum Discussion
NimbostratusCisco TACACS+ Config on ISE LTM Pair
NimbostratusThanks for the reply, I meant to update this. Just the Virtual Server. Authentication to the F5 will remain AD.
CirrusCheck: if you want to use User Authentication for a LTM service you'll need APM.
Or are you trying to loadbalance TACAS+ across LTM servers in front of your ISE?
- simpsjy
Currently our ISE LTMs use AD for authentication for our UC_Secure wireless network. The LTMs use AD for user authentication to the CLI and SSH. That needs to remain as is.
We have another group that the network wireless team wants to set up to use TACACS+. It's our understanding we can set up a Virtual Server\Profile\Pool to use TACACS+ for this group to authenticate (https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-remote-authentication-methods/configuring-remote-tacacs-authentication.html#GUID-76C5D090-BF76-4CAF-8960-5F6730A6FECA). The problem is TACACS+ is not an option in the dropdown.
- simpsjy
Sorry, I've never posted on DevCentral so I may be asking the wrong question.
We do not want to change account user authentication TO the LTM's from AD (current config).
Currently our wireless traffic, "UC_Secure" uses radius authentication.
We want to add another wireless traffic group to use TACACS+ authentication.
Hi simpsjy
LTM is not a tacacs+ server so you cannot perform tacacs+ authentication of your wireless traffic group on LTM.
Of course you can front your tacacs+ servers with LTM but just for load balancing reasons
Keep in mind you might have troubles with SNAT as tacacs+ will see F5s IP
What you see here https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-remote-authentication-methods/configuring-remote-tacacs-authentication.html#GUID-76C5D090-BF76-4CAF-8960-5F6730A6FECA is only for remote authenticating users to BIG-IP itself
