Forum Discussion

dan_03_140075
Mar 27, 2014

How can I verify Remote Role Groups via TACACS+ auth

Hello. My F5 v11.4 and 11.3 devices have tacacs authentication to AD for admin access to gui and terminal. We do however create F5 local users for this to work. So I use my MS AD user name and password to login to F5. F5 has tacacs and the same username configured. This works. I now want to remove the need for local F5 users and just use remote role groups. Tacacs already uses the group(s). I have configured what I believe is the correct remote-role but it doesn't work. Is there any test I can run from the F5 to see whether the remote-role is working? Thanks

    auth remote-role {
        role-info {
            My-Admin {
                attribute "memberOF=cn=Services-Full Access,ou=Sec Grps,ou=Resrc,dc=pc,dc=internal,dc=company,dc=com"
                console tmsh
                line-order 1000
                role administrator
                user-partition All
            }
        }
    }


  • So here are the specifics of the configuration we are using:

    Cisco ACS 5.3 as our TACACS server. Under Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles, we defined multiple profiles depending on the level of authorization for the remote users. I'll detail our administrator role, but the other roles can be built accordingly.

    Under the Custom Attributes tab of the shell profile for the administrator role, our attribute is 'F5-LTM-User-Info-1', with a value of 'adm'. You then apply this shell profile to the ACS group that you want to be able to have administrator access to the BIG-IP.

    Our corresponding remote role config in the BIG-IP looks like this:

    /Common/F5_Administrator {
     attribute F5-LTM-User-Info-1=adm
      console tmsh
      line-order 1
      role administrator
      user-partition all
    }
    

    All of the AD specific user and group information should stay between the TACACS server and AD.
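    The question above was whether there is a way to check that a remote-role entry will fire. The snippet below is an added model, not F5 code and not something from this thread, of the two rules the answer relies on: the configured `attribute` string must equal an attribute-value pair the TACACS+ server actually returns in its authorization reply, and when several `role-info` entries match, the lowest `line-order` wins. The exact, case-sensitive comparison is an assumption about BIG-IP internals; the `/Common/F5_ReadOnly` entry and all reply lines are constructed sample data.

```python
"""Model of BIG-IP remote-role matching against TACACS+ authorization attributes.

Added illustration only (not F5 code). Assumptions are marked in comments.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RemoteRole:
    """One 'auth remote-role role-info' entry, reduced to the fields that matter here."""
    name: str
    attribute: str       # exact 'name=value' string as configured on the BIG-IP
    line_order: int      # lower numbers take precedence when several entries match
    role: str
    user_partition: str


# Constructed role table: the F5_Administrator entry mirrors the one in the answer
# above; the read-only entry is hypothetical.
REMOTE_ROLES = [
    RemoteRole("/Common/F5_Administrator", "F5-LTM-User-Info-1=adm", 1, "administrator", "all"),
    RemoteRole("/Common/F5_ReadOnly", "F5-LTM-User-Info-1=ro", 1000, "guest", "all"),
]

# Constructed attribute lists, as a TACACS+ authorization REPLY would carry them.
REPLY_ADMIN = ["F5-LTM-User-Info-1=adm"]            # what the ACS shell profile sends
REPLY_ADMIN_OPTIONAL = ["F5-LTM-User-Info-1*adm"]   # same attribute flagged optional
REPLY_CASE_MISMATCH = ["F5-LTM-User-Info-1=ADM"]    # value differs only in case
REPLY_NO_F5_ATTR = ["priv-lvl=15"]                  # server never sent the custom attribute


def parse_tacacs_avpairs(avpairs):
    """Turn TACACS+ authorization reply attribute strings into {name: [values]}.

    RFC 8907 section 6.1: '=' separates a mandatory pair, '*' an optional one.
    The first separator is the split point, so a value may itself contain '='.
    Malformed strings (no separator, or an empty name) are dropped.
    """
    parsed = {}
    for av in avpairs:
        positions = [i for i in (av.find("="), av.find("*")) if i >= 0]
        idx = min(positions) if positions else -1
        if idx <= 0:
            continue
        name, value = av[:idx], av[idx + 1:]
        parsed.setdefault(name, []).append(value)
    return parsed


def match_remote_role(avpairs, roles) -> Optional[RemoteRole]:
    """Return the remote-role entry that applies, or None if nothing matches.

    Modelled rule (assumption, not taken from F5 source): the configured
    'name=value' must equal, byte for byte and case-sensitively, a pair the
    server returned; among several matches the lowest line-order wins.
    """
    returned = parse_tacacs_avpairs(avpairs)
    name_value = [(r, *r.attribute.partition("=")[::2]) for r in roles]
    matched = [r for r, name, value in name_value if value in returned.get(name, [])]
    return min(matched, key=lambda r: r.line_order) if matched else None


def describe(avpairs, roles=REMOTE_ROLES) -> str:
    """One-line summary a troubleshooter can read: which entry fired, and why not otherwise."""
    hit = match_remote_role(avpairs, roles)
    if hit is None:
        return "no remote-role matched; returned pairs: " + ", ".join(avpairs)
    return f"{hit.name}: role={hit.role} user-partition={hit.user_partition}"


if __name__ == "__main__":
    for label, reply in [
        ("admin", REPLY_ADMIN),
        ("admin (optional pair)", REPLY_ADMIN_OPTIONAL),
        ("case mismatch", REPLY_CASE_MISMATCH),
        ("no F5 attribute", REPLY_NO_F5_ATTR),
    ]:
        print(f"{label:22} -> {describe(reply)}")
```

    The last two sample replies are the cases behind the original post: if the TACACS server never returns the attribute named in the `role-info` entry (for example because it was given an AD `memberOf` string that only the directory and the TACACS server ever see), nothing on the BIG-IP side will match, whatever the group name looks like.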

  • Could it be that the Group Name and attribute string memberof need to match exactly? If so, the AD group name contains a space and dashes [-]. When I try to enter it in Group Name it errors with 01070088:3: The requested object name (/Common/\My-Admin Full Access\) is invalid.
  • Can you point the BIG-IP to your TACACS server instead and use that kind of authentication/authorization? We have remote role working with TACACS without issue, so I can assist further with that setup.


    • dan_03_140075
      Hi Cory. I believe the F5 is configured for our tacacs servers.

        auth tacacs system-auth {
            accounting send-to-all-servers
            authentication use-all-servers
            protocol ip
            secret xxxxxxxxxxxx
            servers {
                10.10.10.30
                10.10.10.202
            }
            service connection
        }
    • dan_03_140075
      We then create F5 users which clone the AD usernames.

        auth user adusername {
            description "adusername"
            encrypted-password "!!"
            partition Common
            partition-access all
            role admin
            shell bash
        }
    • Cory_50405
      If I recall, I think we had to specify PPP as the service in order to get it to work.