Forum Discussion
How can I verify Remote Role Groups via TACACS+ auth
- Apr 04, 2014
So here are the specifics of the configuration we are using:
Cisco ACS 5.3 as our TACACS server. Under Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles, we defined multiple profiles depending on the level of authorization for the remote users. I'll detail our administrator role, but the other roles can be built accordingly.
Under the Custom Attributes tab of the shell profile for the administrator role, our attribute is 'F5-LTM-User-Info-1', with a value of 'adm'. You then apply this shell profile to the ACS group that you want to be able to have administrator access to the BIG-IP.
Our corresponding remote role config in the BIG-IP looks like this:
    /Common/F5_Administrator {
        attribute F5-LTM-User-Info-1=adm
        console tmsh
        line-order 1
        role administrator
        user-partition all
    }
All of the AD specific user and group information should stay between the TACACS server and AD.
Can you point the BIG-IP to your TACACS server instead and use that kind of authentication/authorization? We have remote role working with TACACS without issue, so I can assist further with that setup.
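An added example, not part of the original thread: a small Python model of the attribute-to-role mapping described above. It parses the remote-role entry from the post (plus a hypothetical read-only entry, an assumption) and resolves the role from the attribute value the TACACS+ server returns, walking entries in line-order priority; the exact-match and no-match fallback behaviour are assumptions about BIG-IP, not taken from the post.

```python
import re

# Constructed sample: the administrator entry from the post, plus a
# hypothetical read-only entry (an assumption) to show line-order precedence.
REMOTE_ROLE_CONFIG = """
/Common/F5_Administrator { attribute F5-LTM-User-Info-1=adm console tmsh line-order 1 role administrator user-partition all }
/Common/F5_Guest { attribute F5-LTM-User-Info-1=ro console disabled line-order 2 role guest user-partition all }
"""

# One tmsh-style object: "<name> { key value key value ... }" (simplified grammar).
ENTRY_RE = re.compile(r"(?P<name>\S+)\s*\{(?P<body>[^}]*)\}")


def parse_remote_roles(text):
    """Parse remote-role entries and return them sorted by line-order."""
    roles = []
    for m in ENTRY_RE.finditer(text):
        tokens = m.group("body").split()
        body = dict(zip(tokens[0::2], tokens[1::2]))  # alternating key/value
        roles.append({
            "name": m.group("name"),
            "attribute": body["attribute"],          # e.g. F5-LTM-User-Info-1=adm
            "console": body.get("console", "disabled"),
            "line_order": int(body.get("line-order", 0)),
            "role": body.get("role", "no-access"),
            "partition": body.get("user-partition", "all"),
        })
    return sorted(roles, key=lambda r: r["line_order"])


def resolve_role(reply_attributes, roles):
    """Return the first entry (lowest line-order) whose attribute string
    exactly equals an attr=value pair from the TACACS+ authorization reply.
    Assumption: exact string match; None means no entry matched and the
    user would fall back to the device's default remote-user role."""
    pairs = {f"{k}={v}" for k, v in reply_attributes.items()}
    for r in roles:
        if r["attribute"] in pairs:
            return r
    return None


if __name__ == "__main__":
    roles = parse_remote_roles(REMOTE_ROLE_CONFIG)
    # Constructed reply: what the ACS shell profile from the post would send.
    print(resolve_role({"F5-LTM-User-Info-1": "adm"}, roles))
```

Note that the object name (/Common/F5_Administrator) never takes part in the match; only the attribute string does, so a typo in the ACS custom attribute value yields no match rather than a wrong role.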
- dan_03_140075 (Mar 27, 2014, Nimbostratus): Hi Cory. I believe the F5 is configured for our tacacs servers.
    auth tacacs system-auth {
        accounting send-to-all-servers
        authentication use-all-servers
        protocol ip
        secret xxxxxxxxxxxx
        servers { 10.10.10.30 10.10.10.202 }
        service connection
    }
- dan_03_140075 (Mar 27, 2014, Nimbostratus): We then create F5 users which clone the AD usernames.
    auth user adusername {
        description "adusername"
        encrypted-password "!!"
        partition Common
        partition-access all
        role admin
        shell bash
    }
- Cory_50405 (Mar 27, 2014, Noctilucent): If I recall, I think we had to specify PPP as the service in order to get it to work.
- dan_03_140075 (Mar 27, 2014, Nimbostratus): This works. We can now login to the F5s using our AD username and password. When we change our AD password, we can use the new password when logging into the F5s. So no Remote Role Groups involved. For various reasons I would like to use groups instead of usernames. So "clone/mirror" AD groups on the F5. That way we just add users to the AD group and the relevant F5 access is available. No need to create F5 users.
- dan_03_140075 (Mar 27, 2014, Nimbostratus): So F5 <> tacacs <> AD is all good. Just the Remote Role Groups not working... I suspect it could be because of the AD group name, "ABC-Online Services-Full Access"? When I try and create a remote role group with that name it errors: 01070088:3: The requested object name (/Common/\ABC-Online Services-Full Access\) is invalid.
- Cory_50405 (Mar 27, 2014, Noctilucent): I know with TACACS the remote role group name must match verbatim the group name in TACACS. Try naming your remote role after the group used in TACACS. Keep in mind the remote role portion is for authorization.
- dan_03_140075 (Mar 27, 2014, Nimbostratus): OK, I am using the verbatim group name in TACACS, which seems to be the problem... as per the error. What do I need to do/escape to specify the group name in the group name field? When you say "remote role portion is for authorization", does this mean we can not get rid of the requirement to create F5 users?
- Cory_50405 (Mar 27, 2014, Noctilucent): Using remote role is the solution to not having to define local users. It moves the authentication and authorization piece to a remote source. It seems the back slash character is the issue. Are you putting that in the group name?
- Cory_50405 (Mar 27, 2014, Noctilucent): I think we had issues trying to get this to work and it had to do with spaces in the TACACS group name. Just something else to consider.
- dan_03_140075 (Mar 27, 2014, Nimbostratus): Hmm ok. I don't put backslashes in. The actual group name doesn't have any backslashes, just spaces and dashes. I tried to escape them with backslashes, e.g. "ABC-Online\ Services-Full\ Access". Is there any way to get these names "in"?