Forum Discussion
Dynamic Roles with TACACS+ 4.1 and LTM 11.5.3
Hi,
With the above details it looks like you are trying to use the RADIUS dictionary of F5 to use the roles via TACACS+. Please define the remote roles as below.

eg:

    auth remote-role {
        description none
        role-info {
            DeviceAdmins {
                attribute F5-LTM-User-Info-1=adm
                console tmsh
                deny disabled
                description none
                line-order 1
                role administrator
                user-partition All
            }
            f5-auditor {
                attribute f5role=manager
                console disable
                deny disabled
                description none
                line-order 2
                role manager
                user-partition All
            }
            f5-operator {
                attribute F5-LTM-User-Info-1=f5-operator
                console disable
                deny disabled
                description none
                line-order 3
                role operator
                user-partition partition2
            }
        }
    }

The user-defined attribute and its value have to be sent from TACACS+ to associate it with a role.
- gcave_213109 Jan 20, 2016
Nimbostratus
Anoop, how does the user attribute on TACACS+ get mapped to a particular user? I believe what you are saying is that I should add all of the attributes to the TACACS+ group. How does it know that I am an administrator, operator, etc.? Since the remote users are built on TACACS+, am I missing something?
- anoop_128575 Jan 20, 2016
Nimbostratus
F5 does not consider userinfo; it considers the attribute value to map the roles.
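
The attribute-to-role mapping discussed in this thread, as an added example that is not part of the original posts and not F5 code: it parses the role-info entries from the first post and resolves which entry a set of TACACS+ attribute-value pairs selects. The function names, the sample AV pairs and the first-match-by-line-order evaluation are assumptions of this simplified model.

```python
import re

# The role-info entries from the post above, copied verbatim.
ROLE_INFO = """
DeviceAdmins { attribute F5-LTM-User-Info-1=adm console tmsh deny disabled description none line-order 1 role administrator user-partition All }
f5-auditor { attribute f5role=manager console disable deny disabled description none line-order 2 role manager user-partition All }
f5-operator { attribute F5-LTM-User-Info-1=f5-operator console disable deny disabled description none line-order 3 role operator user-partition partition2 }
"""

def parse_role_info(text):
    """Parse 'name { key value ... }' entries; return them sorted by line-order."""
    entries = []
    for name, body in re.findall(r"(\S+)\s*\{([^{}]*)\}", text):
        tokens = body.split()
        fields = dict(zip(tokens[0::2], tokens[1::2]))  # every setting is a key/value pair
        key, _, value = fields["attribute"].partition("=")
        entries.append({
            "name": name,
            "attribute": (key, value),
            "line_order": int(fields["line-order"]),
            "role": fields["role"],
            "partition": fields["user-partition"],
            "deny": fields["deny"] == "enabled",
        })
    return sorted(entries, key=lambda e: e["line_order"])

def resolve_role(entries, av_pairs):
    """Assumed model: the first entry (lowest line-order) whose attribute=value
    is among the AV pairs sent by the TACACS+ server decides the role.
    Returns None when nothing matches or the matching entry has deny enabled."""
    for entry in entries:
        if entry["attribute"] in av_pairs:
            return None if entry["deny"] else entry
    return None

if __name__ == "__main__":
    entries = parse_role_info(ROLE_INFO)
    # Constructed AV-pair sets, as a TACACS+ group might return them.
    samples = {
        "admin group": {("F5-LTM-User-Info-1", "adm")},
        "two attributes": {("f5role", "manager"), ("F5-LTM-User-Info-1", "f5-operator")},
        "unmapped group": {("F5-LTM-User-Info-1", "helpdesk")},
    }
    for label, pairs in samples.items():
        match = resolve_role(entries, pairs)
        print(label, "->", (match["role"], match["partition"]) if match else None)
```

In this model the user's name never enters the decision: only the attribute values returned for the user's TACACS+ group do, and a group that returns two mapped attributes gets the entry with the lower line-order.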