
Forum Discussion

Aug 17, 2015

Configure Radius/TACACS+ with Cisco ACS v 5.7

Hi,

Can anybody please direct me on how to configure RADIUS or TACACS+ admin authentication on F5 LC v11.6 with Cisco ACS v5.7? I'm trying to do RADIUS, but it didn't work, and I cannot see any data under the RADIUS authentication in the ACS. I also tried TACACS+, but in vain. My configs in the F5 were:

System > Users > Remote Role Groups
  * Create: Name: DeviceAdmins, Line Order: 1, Attribute String: F5-LTM-User-Info-1=adm, Assigned Role: Administrators, Partition: all

System > Users > Authentication
  * Click Change and select TACACS+
  * Add your ACS server(s)
  * Add your secret key
  * Service Name: ppp
  * Protocol Name: ip

I also did the special attributes in the ACS.

The weird things are that:
  - There is no data at all in the ACS monitoring showing that the F5 is trying to authenticate.
  - Once I apply TACACS+ in the F5, I will not be able to log in through the admin account (unlike RADIUS).

Please, your help.

Thanks

Ammar

4 Replies

  • I can't tell you how to do the configuration in Cisco ACS because we use Aruba ClearPass instead. Based on what you posted it sounds like the BigIP is configured properly, but here are some things to check on the BigIP.

    1: Do you have a route to get from the BigIP to the ACS server?

    2: Do a packet capture on the BigIP. If you capture the data to a file, you can view it in Wireshark. If you configure Wireshark with your secret key you can see the decrypted packets. Then you can verify that the F5-LTM-User-Info-1=adm attribute is being sent properly.

    3: If you enable TACACS+ in the BigIP you should still be able to log in via the local admin account.

    Hope this helps.

    Robert

  • Thanks Robert,

    The ping is OK from the management interface, but I'm suspecting the TACACS+ port. I'll perform these, but can you tell me how to open a telnet session to the TACACS+ port (49) from the management source interface? I want to check whether there is connectivity via this specific port, because in the ACS monitoring nothing shows that there was a traffic request from F5.

    BR Ammar

  • I don't think there are any port restrictions on the management interface, especially port 49. If you want to test via telnet, from a CLI shell prompt you can do "telnet (tacacs-IP-addr) 49".

    Based on how your routing is configured you may not be using the management interface to talk to the TACACS server. If you do a tcpdump on all the interfaces, filtering on the IP address of your TACACS+ server, you will see what source IP address is being used. If it's not the management interface, you have a couple of options. You can either add management static routes for the TACACS server, or modify the TACACS server to accept connections from whatever IP address the BigIP is using.

    Robert
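One way to carry out the capture-and-check step Robert describes on the BIG-IP bash shell, as an added example that is not code from this thread or from F5: it captures TACACS+ traffic on all interfaces, lists the source IPs used towards the server, and reports whether the management address was among them. The server address is a placeholder, and the tcpdump lines used to exercise the parser are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Run on the BIG-IP bash shell.
# TACACS_IP is a placeholder: replace it with your ACS address.
TACACS_IP="${TACACS_IP:-192.0.2.10}"
TACACS_PORT=49

# Capture on every interface (0.0 on BIG-IP), limited to TACACS+ traffic with
# the server, and write a pcap that can be opened in Wireshark (enter the shared
# secret in Wireshark's TACACS+ protocol preferences to see the decrypted body).
capture_tacacs() {
  tcpdump -nni 0.0 -w /var/tmp/tacacs.pcap "host ${TACACS_IP} and tcp port ${TACACS_PORT}"
}

# Read the capture back as text (tcpdump -nnr file) and list the distinct source
# IPs the BIG-IP used towards the server. If the management address is not among
# them, the request left via a self IP, so either add a management route for the
# server or allow that self IP on the ACS (the two options given in the thread).
tacacs_source_ips() {
  # $1 = TACACS+ server IP; tcpdump text lines ("... IP src.port > dst.port: ...") on stdin
  awk -v srv="$1" '
    $2 == "IP" {
      src = $3; dst = $5
      sub(/\.[0-9]+$/, "", src)     # drop the source port
      sub(/\.[0-9]+:$/, "", dst)    # drop the destination port and trailing colon
      if (dst == srv) seen[src] = 1
    }
    END { for (s in seen) print s }' | sort
}

# Compare the sources against the management address and report the path used.
# $1 = server IP, $2 = management IP, capture text on stdin. Returns 0 when the
# management interface carried a request, 1 when only self IPs did.
tacacs_path_check() {
  server="$1"; mgmt="$2"; used_mgmt=1
  for ip in $(tacacs_source_ips "$server"); do
    if [ "$ip" = "$mgmt" ]; then
      echo "management interface used: $ip"; used_mgmt=0
    else
      echo "self IP used (ACS must permit it, or add a management route): $ip"
    fi
  done
  return $used_mgmt
}

# On the BIG-IP: run capture_tacacs in the background, attempt a remote login,
# stop the capture, then:
# tcpdump -nnr /var/tmp/tacacs.pcap | tacacs_path_check "$TACACS_IP" <mgmt-ip>
```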


  • Hello, dear Robert, I am trying to integrate ClearPass with F5 for TACACS+. Could you please share or help with any documents for the config from the Aruba side and the F5 side? Thanks.