Forum Discussion

JN
Oct 09, 2014

LTM authenticating to TACACS - role group or no?

To start, yes I've seen some of the other threads about this, but they're pretty legacy at this point (I'm on 11.x). Plus they talk about setting up tacacs on the f5 itself, not connecting to another tac server.


We've set up a tacacs.net server which we'll use as the gateway mechanism to auth to AD. LTM needs to auth and get perms from the tac server.


What I'm not clear on is how I should configure either the F5 or the tac server to select the right perms. If I create a role group, it looks like that role group doesn't do anything. But when I remove the role group, then everyone has admin perms... so I'm not sure whether I'm misconfiguring the tac server.


Ideally we want to do all of the management on AD by adding/removing users from either the F5_admins group or F5_Guest group, for example.


2 Replies

  • JN

    Ok I lied...kinda. After more testing it seems the perms are controlled by the role group. You can't configure tacacs.net to send back the role or partition. And if you remove the role groups completely, it just grants everyone admin perms.


    Shaggy - to answer, I put this line in the role group: `F5-LTM-User-Info-1="whatever name you want"`.


    It looks like the LTM compares this name to the same name on the tac server and then uses the role group perms if there is a match.
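Editor's note, added to this thread and not part of JN's post or of F5 or tacacs.net code: the matching JN describes is easy to get wrong when several role groups exist, so the model below walks through it. It assumes exactly the behaviour stated above: the TACACS+ authorization reply carries an attribute-value pair `F5-LTM-User-Info-1=<value>`, the LTM walks its configured remote-role entries (on a real box, `tmsh list auth remote-role` shows them, each with an `attribute` string, a `line-order` and a `role`) in line-order, and the first entry whose attribute string equals the returned pair sets the role and partition. When nothing matches, the box falls back to its default remote-user role; the thread observed administrator in that case, so the model takes the fallback as a parameter rather than hard-coding it. The group names, line orders and reply strings are constructed for the example.

```python
"""Model of how an F5 LTM maps a TACACS+ authorization reply to a remote role group.

Added example, not F5 or tacacs.net code. Assumed behaviour (from the thread):
  * the TACACS+ server returns an AV pair F5-LTM-User-Info-1=<value>;
  * the LTM compares it with each remote-role entry's 'attribute' string,
    in line-order, and applies the first match;
  * with no match, the default remote-user role applies (taken as a parameter).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleInfo:
    """One remote-role role-info entry as it would appear in 'tmsh list auth remote-role'."""
    name: str
    attribute: str          # e.g. 'F5-LTM-User-Info-1=F5_admins' (the string JN put in the role group)
    line_order: int         # lower values are evaluated first
    role: str               # 'administrator', 'guest', ...
    user_partition: str = "All"


# Constructed role-group table mirroring the two AD groups named in the question.
ROLE_GROUPS = [
    RoleInfo("F5-admins", "F5-LTM-User-Info-1=F5_admins", 1, "administrator"),
    RoleInfo("F5-guests", "F5-LTM-User-Info-1=F5_Guest", 2, "guest", "Common"),
]


def parse_av_pairs(reply_attrs):
    """Split TACACS+ AV pairs into a dict.

    TACACS+ uses 'key=value' for mandatory and 'key*value' for optional pairs;
    items with neither separator are ignored.
    """
    pairs = {}
    for item in reply_attrs:
        sep = "=" if "=" in item else "*"
        if sep not in item:
            continue
        key, _, value = item.partition(sep)
        pairs[key.strip()] = value.strip()
    return pairs


def resolve_role(reply_attrs, role_groups=ROLE_GROUPS, default_role="no-access"):
    """Return (role, partition, matched_group_name) for a TACACS+ authorization reply.

    Entries are checked in ascending line-order; the first whose attribute's
    value equals what the server returned wins. No match -> default role.
    """
    pairs = parse_av_pairs(reply_attrs)
    for rg in sorted(role_groups, key=lambda r: r.line_order):
        key, _, wanted = rg.attribute.partition("=")
        if pairs.get(key) == wanted:
            return rg.role, rg.user_partition, rg.name
    return default_role, "Common", None


if __name__ == "__main__":
    # Constructed replies: an AD F5_admins member, an F5_Guest member, and a user
    # whose group name matches no role entry (falls through to the default role).
    for reply in (["F5-LTM-User-Info-1=F5_admins", "priv-lvl*15"],
                  ["F5-LTM-User-Info-1=F5_Guest"],
                  ["F5-LTM-User-Info-1=Contractors"]):
        print(reply, "->", resolve_role(reply, default_role="administrator"))
```

The last case is the one that bit JN: an attribute value that matches no entry does not fail closed on its own, it lands on whatever default role the box has, so the role-group names on the LTM and the strings the TACACS server sends back have to agree character for character, and the default remote-user role should be the least privileged one the site can live with.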