Forum Discussion
NimbostratusDynamic Roles with TACACS+ 4.1 and LTM 11.5.3
I want to dynamically assign roles VIA vendor specific attributes in TACACS 4.1. Here is how I setup 11.5.3:
(/Common)(tmos) list auth remote-role role-info auth remote-role { role-info { DC1 { attribute F5-LTM-User-Info-1=DC1 line-order 2 role %F5-LTM-User-Role user-partition all } } }
On the TACACS ==> Groups ==> TACACS Settings ==> Custom attributes>
F5-LTM-User-Info-1=DC1 F5-LTM-User-Role=400
When I tail -f /var/log/secure I see getting assigned the administrator role.
Jan 19 21:48:54 dti-f5ve-bigip01 notice httpd[15771]: 01070417:5: AUDIT - user da_gxcave - RAW: httpd(mod_auth_pam): user=da_gxcave(da_gxcave) partition=[All] level=Administrator tty=/usr/bin/tmsh host=165.249.239.22 attempts=1 start="Tue Jan 19 21:35:45 2016" end="Tue Jan 19 21:48:54 2016"
Anyone have any insight into this?
6 Replies
anoop1Hi,
With the above details it looks like you trying to use radius dictionary of F5 to use the roles via TACACS+. Please define the remote roles as below .
eg: auth remote-role { description none role-info { DeviceAdmins { attribute F5-LTM-User-Info-1=adm console tmsh deny disabled description none line-order 1 role administrator user-partition All } f5-auditor { attribute f5role=manager console disable deny disabled description none line-order 2 role manager user-partition All } f5-operator { attribute F5-LTM-User-Info-1=f5-operator console disable deny disabled description none line-order 3 role operator user-partition partition2 } } }
The user defined attribute and its value have to be sent from the tacacs to associate it to a role.
gcave_213109Anoop, How does the user attribute on TACACS+ get mapped to a particular user? I believe what you are saying it that I should add all of the attributes to the TACACS+ group. How is it know that I am an administrator, operator, etc. Since the remote users are built on TACACS+, missing something?- anoop1F5 do not consider userinfo , it considers the attribute value to map the roles.
anoop_128575Hi,
With the above details it looks like you trying to use radius dictionary of F5 to use the roles via TACACS+. Please define the remote roles as below .
eg: auth remote-role { description none role-info { DeviceAdmins { attribute F5-LTM-User-Info-1=adm console tmsh deny disabled description none line-order 1 role administrator user-partition All } f5-auditor { attribute f5role=manager console disable deny disabled description none line-order 2 role manager user-partition All } f5-operator { attribute F5-LTM-User-Info-1=f5-operator console disable deny disabled description none line-order 3 role operator user-partition partition2 } } }
The user defined attribute and its value have to be sent from the tacacs to associate it to a role.
- gcave_213109Anoop, How does the user attribute on TACACS+ get mapped to a particular user? I believe what you are saying it that I should add all of the attributes to the TACACS+ group. How is it know that I am an administrator, operator, etc. Since the remote users are built on TACACS+, missing something?
- anoop_128575F5 do not consider userinfo , it considers the attribute value to map the roles.
