Forum Discussion
F5 Read Only In ISE with TACACS
Hello, can someone assist in setting up ISE to authorize users logging in to the F5 LB with a read-only account?
- DRJ
Altocumulus
I've used AD group membership for this, but I'm guessing you already have admin auth working?
On the F5, create your F5 Remote Role Group (specify an attribute string, e.g. F5-LTM-User-Info-1=monitoring) and the required Assigned Role level.
In ISE, add a rule in the Auth policy in the relevant Device Admin Policy Set. Match the device/AD user group, create your command set/shell profile as needed (create and match custom attribute to attribute string created for F5 Remote Role Group).
If I recall correctly I think that's pretty much all that's needed, but I could be forgetting something.
- Sleiman
Altostratus
Thanks for the reply, DRJ. Here's what I've done. I'm able to log in, but I still have read/write rights.
- DRJ
Altocumulus
So in your example, in the Custom Attribute in ISE (the last screenshot), specify the NAME as F5-LTM-USER-Info-1 and the Value as monitoring.
I can't recall if this is required or not, but if you're still having issues after fixing the attribute, try setting the shell privilege level from 15 to something like 2.
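To pin down the two pieces DRJ describes (the F5 Remote Role Group with its attribute string, and the matching ISE custom attribute), here is the BIG-IP side as a tmsh command sequence. This is an added example, not configuration posted in the thread; the TACACS+ server address and shared secret are placeholders, and the exact option spelling (e.g. console enabled/disabled) should be confirmed against the tmsh reference for your BIG-IP version.

```tmsh
# Added example (not from the thread): read-only TACACS+ login on BIG-IP.
# 10.0.0.10 and the secret are placeholders (assumption); replace with your ISE PSN.

# 1. Point system authentication at ISE over TACACS+.
create auth tacacs system-auth { servers add { 10.0.0.10 } secret "replace-me" service ppp protocol ip }
modify auth source type tacacs

# 2. Fail closed: a user whose TACACS+ reply matches no remote role group
#    gets no access instead of falling through to some other role.
modify auth remote-user { default-role no-access remote-console-access disabled }

# 3. Remote role group for the read-only users. The attribute string is the
#    whole name=value pair; the ISE shell profile must return exactly this as a
#    custom attribute (NAME F5-LTM-User-Info-1, Value monitoring).
#    "guest" is the BIG-IP read-only role; "auditor" is the other view-only choice.
create auth remote-role role-info monitoring { attribute "F5-LTM-User-Info-1=monitoring" console disabled line-order 1000 role guest user-partition All }

save sys config

# 4. Verify what the box will match, then log in as a monitoring user and
#    attempt any write (e.g. creating a virtual server); it should be refused.
list auth remote-role
```

Two things to check when a user still lands with read/write rights: the name and value must be the same string on both sides (ISE sends the pair, the F5 compares the whole "name=value" string against its role groups in line-order and takes the first match), and the attribute should be marked MANDATORY in the ISE shell profile, since a TACACS+ optional attribute is encoded as name*value rather than name=value and would not match the string above. The BIG-IP does not derive its role from the TACACS+ privilege level, so lowering priv-lvl is not a substitute for getting the attribute right.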
- Sleiman
Altostratus
You are the man. Setting the NAME as F5-LTM-USER-Info-1 and the Value as monitoring did it. Hopefully this works in production. :) Thanks for your help.