Forum Discussion
How to configure TACACS+ on Cisco ACS 5.3 for authenticating administrative users on LTM 11.2.0?
Hello,
I was desperate to get TACACS+ working on Cisco ACS for LTM 11.2.0. However, I was not able to find a direct answer.
Here is my configuration on the LTM (System -> Users -> Authentication):
* Encryption: Enabled
* Service Name: ppp
* Protocol Name: ip
* Authentication: Authenticate to first server
* Accounting Information: Send to first available server
* Debug Logging: Enabled
* External Users
* Role: Guest
* Partition Access: Common
* Terminal Access: Disabled
(Reference http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html?sr=37542950)
On ACS, I created a Shell Profile for Administrator and added the following attributes:
* Attribute: F5-LTM-User-Role, Requirement: Mandatory, Value: 0
* Attribute: F5-LTM-User-Partition, Requirement: Mandatory, Value: All
(Reference https://devcentral.f5.com/articles/v10-remote-authorization-via-tacacs-43.U348WqxOWRs)
I was able to login to LTM with Tacacs account, however I only got a Guest role, not an Administrator.
It seemed that I got half-way through, but not any further.
Could anybody help?
Thanks!
10 Replies
- Cory_50405
Noctilucent
Can you post your remote role configuration for your administrative role?
Does your remote role group name match verbatim what the group name is within ACS (and contains no spaces)?
- XINGYU_99486
Nimbostratus
Thanks for the quick response.
Can you give me a little more direction? I have not seen a remote role configuration, nor is it in the document http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html?sr=37542950
Thanks.
- Cory_50405
Noctilucent
Sure. Here's our remote role config for our administrator role:
    auth remote-role {
        role-info {
            /Common/GW_Administrator {
                attribute F5-LTM-User-Info-1=adm
                console tmsh
                line-order 1
                role administrator
                user-partition all
            }
        }
    }

Your TACACS+ server config should look something like this:

    auth tacacs /Common/system-auth {
        protocol ip
        secret ******
        servers { 10.1.1.1 10.1.1.2 }
        service ppp
    }

The ACS group that you wish to have administrator access will need to be assigned that shell profile you created in ACS. But the ACS group name will have to match verbatim what the remote role name is (in our case, it's GW_Administrator).
- XINGYU_99486
Nimbostratus
Followed your instruction, it now worked perfectly. Thank you so much, Cory!
One more question, do the Assigned Privilege Level and Max Privilege Level settings on ACS matter? Those are usually for Cisco switches/routers, not sure if F5 takes those attributes too?
- Cory_50405
Noctilucent
F5 doesn't care about those settings, but we also have Cisco devices to manage.
- XINGYU_99486
Nimbostratus
I see. I would create separate Shell Profiles for F5, Cisco, HP, Brocade ... Thanks for your help!
- Cory_50405
Noctilucent
Ideally I would too. Sometimes we're forced to engineer around what already exists.
- Lazaro_Pereira_
Nimbostratus
Since I ended up banging my head against a wall for a couple of days on this, let me post how I got this configured with an ACS 5.3 server that is already configured for AD authentication and the F5 with remote roles via TACACS:
ACS 5.3
* Add your F5 devices with key and give them a device type that is separate from the Cisco gear, i.e. Device type: F5-Loadbalancers
* Create an Identity Group
* Users and Identity Stores > Identity Groups
* Create Admin Group (provide a name and optionally a description)
* Create Operator Group (as above, give it a name and description)
* Bind the Identity Group to the AD group your Admins reside in
* Access Policies > Default Device Admin
* Make sure that the check mark under Policy Structure has "Group Mapping" checked; if not, check it and submit
* Access Policies > Default Device Admin > Group Mapping
* Create Rule for group mapping
* Name: DeviceAdmins
* Checkmark Compound Condition
* Dictionary: AD1, Attribute: External Group, Value: [the AD group for your admins]
* Click Add
* Identity Group: click Select and choose the admin identity group you created earlier
* Click OK
* Customize and create the policy rules to send attributes to the F5
* Access Policies > Default Device Admins > Authorization
* Click Customize
* Under Customize Conditions, in the Available box find "Identity Groups" and move it to the Selected box
* Under Customize Results make sure that both Shell Profile and Command Sets are in the Selected box and click OK
* Create a Rule for Admins
* Name: your choice
* Conditions - NDG:Device Type: All Device Types:F5-Load-Balancers, Identity Group: DeviceAdmins
* Results - Shell Profile: click Select
* Click Create in the popup and create a name, then click on the Custom Attributes tab
* Attribute: F5-LTM-User-Info-1, Requirement: Mandatory, Attribute Value: Static, in the box below type "adm" <--- without quotes!
* Click the Common Tasks tab on top and set your default Privilege to 1 and Max to 15 (doesn't do anything for F5 but that's how I have it) and click Submit
* Click OK until you are back at the rule page and your new Shell Profile should be there
* Under Command Sets select PermitAll
* Click OK
* Click Save
Configuring the F5
GUI
* System > Users > Remote Role Groups
* Create: Name: DeviceAdmins, Line Order: 1, Attribute String: F5-LTM-User-Info-1=adm, Assigned Role: Administrators, Partition: all
* Click Finish
Configure TACACS on F5
* System > Users > Authentication
* Click Change and select TACACS+
* Add your ACS server(s)
* Add your secret key
* Service Name: ppp
* Protocol Name: ip
* Under External Users I just set that to "No Access"
* Click Finished.
You should be able to login now with your AD account. I hope this helps!
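As an added example, not code from this thread or from F5: a short Python model of how the BIG-IP side described by Cory (tmsh) and Lazaro (GUI) turns the attribute string ACS returns into an effective role. It parses Cory's auth remote-role block (closing braces restored, plus a constructed GW_Operator entry with line-order 2), matches the server's reply against each remote role's attribute string verbatim, tries entries in line-order with the first match winning (assumed semantics of the line-order field), and falls back to the External Users default when nothing matches, which is the state the original question was in before any remote role group existed. The constructed replies, the GW_Operator entry and the exact-match rule are assumptions; F5's real matching is not modelled beyond what the thread states.

```python
"""Model of BIG-IP remote-role matching against a TACACS+ authorization reply.

Added example, not F5 code.  Assumptions: the attribute string must match
verbatim (case-sensitive), entries are tried in line-order and the first
match wins, and an unmatched user gets the External Users default role.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Cory's config with closing braces restored, plus a constructed second entry
# (GW_Operator, line-order 2).  Entries are deliberately listed out of order.
REMOTE_ROLE_CONFIG = """
auth remote-role {
    role-info {
        /Common/GW_Operator {
            attribute F5-LTM-User-Info-1=ops
            console disabled
            line-order 2
            role operator
            user-partition all
        }
        /Common/GW_Administrator {
            attribute F5-LTM-User-Info-1=adm
            console tmsh
            line-order 1
            role administrator
            user-partition all
        }
    }
}
"""

# One role-info entry: /Partition/Name followed by a flat { key value ... } body.
ENTRY_RE = re.compile(r"(/\S+)\s*\{([^{}]*)\}")


@dataclass(frozen=True)
class RemoteRole:
    name: str
    attribute: str      # exact string the TACACS+ reply must contain
    line_order: int
    role: str
    partition: str
    console: str


@dataclass(frozen=True)
class Access:
    role: str
    partition: str
    console: str
    matched: Optional[str]   # remote-role name, or None when the default applied


def parse_remote_roles(config: str) -> list[RemoteRole]:
    """Parse the role-info entries of a tmsh 'auth remote-role' block, sorted by line-order."""
    roles = []
    for name, body in ENTRY_RE.findall(config):
        toks = body.split()
        kv = dict(zip(toks[::2], toks[1::2]))   # 'attribute X console tmsh ...' -> pairs
        roles.append(RemoteRole(
            name=name,
            attribute=kv["attribute"],
            line_order=int(kv["line-order"]),
            role=kv["role"],
            partition=kv["user-partition"],
            console=kv.get("console", "disabled"),
        ))
    return sorted(roles, key=lambda r: r.line_order)


def resolve_access(roles: list[RemoteRole], tacacs_reply: Iterable[str],
                   default_role: str = "no-access", default_partition: str = "all",
                   default_console: str = "disabled") -> Access:
    """Return the first remote role (by line-order) whose attribute string appears
    verbatim in the server's authorization reply, else the External Users default."""
    reply = set(tacacs_reply)          # exact, case-sensitive comparison
    for r in roles:
        if r.attribute in reply:
            return Access(r.role, r.partition, r.console, r.name)
    return Access(default_role, default_partition, default_console, None)


if __name__ == "__main__":
    roles = parse_remote_roles(REMOTE_ROLE_CONFIG)
    # Constructed replies standing in for what the ACS shell profile returns.
    print(resolve_access(roles, ["F5-LTM-User-Info-1=adm"]))                          # administrator
    print(resolve_access(roles, ["F5-LTM-User-Info-1=adm", "F5-LTM-User-Info-1=ops"]))  # line-order 1 wins
    print(resolve_access(roles, ["F5-LTM-User-Info-1=Adm"], "guest", "Common"))         # case mismatch -> default
    # The question's original attributes match no remote role, hence the Guest role the OP saw.
    print(resolve_access(roles, ["F5-LTM-User-Role=0", "F5-LTM-User-Partition=All"], "guest", "Common"))
```

The case-mismatch and stray-whitespace cases are the ones to watch when copying the attribute string between ACS and the BIG-IP: a mismatch does not fail loudly, it silently lands the user in whatever the External Users default is, which is why setting that default to No Access rather than Guest is the safer choice.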
- Amit585731
Nimbostratus
Hi Lazaro, thanks, this worked. I just wanted to know: if we run a vulnerability scanner using a TACACS login, will that work? I am trying to run a scanner on the BIG-IP system and the scanner is not able to log in.