Forum Discussion
LTM (v11.3) TACACS+ authentication - Cisco ACSv4.1
Hi, I am trying to configure TACACS+ authentication on LTM v11.3 with a Cisco TACACS+ server, ACS v4.1. Any references for the specific configuration required on the LTM and Cisco ACS side? Some of the posts say a separate service has to be enabled on the Cisco ACS side; is that so?
On the LTM side I am configuring the following options under System -> Users -> Authentication:
- Authentication: User Directory -> Remote - TACACS+
- Configuration: Servers ->
- Secret -> ***
- Confirm Secret -> ***
- Encryption -> Enabled
- Service Name -> tacacs+
- Protocol Name ->
- Authentication -> Authenticate to each server until success
- Accounting Information -> Send to all servers
- Debug Logging -> Enabled
- External Users Role -> Administrator
- Terminal Access -> Disable
9 Replies
- Cory_50405
Noctilucent
For the LTM, use protocol name 'ip' and service name 'ppp'. We had to specify these parameters in order to get it to work.
For the ACS side, be sure to populate the custom attribute that matches up with the remote roles that you've created in LTM. Remote role group name needs to match verbatim with the group configured in ACS.
- Karthik_Kumaran
Nimbostratus
What should be given in the "Attribute String" field under "System ›› Users : Remote Role Groups"? I am using Cisco ACS 4.1; where can I find this "Attribute String" configuration in ACS 4.1?
- Cory_50405
Noctilucent
The attribute string we use for device administrators looks like this:
F5-LTM-User-Info-1=adm
You can check out Jason's writeup on remote TACACS authorization here:
https://devcentral.f5.com/articles/v10-remote-authorization-via-tacacs-43.Uxca8oUgvZc
When we originally set this up, we were using ACS 4.2. We've since migrated to 5.2, then to 5.3, so I don't have a 4.1 instance to check on and I'll go by memory. You specify the attribute per user group (or per user), and use the same attribute that you specified in the remote role group within the BIG-IP. I think you specify it in group attributes. A guide from Cisco is here:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/GrpMgt.htmlwp479948
- mkmead2011_6261
Nimbostratus
Sorry to drag this old article back up, but Cory, would you mind posting a screenshot of your Cisco TACACS 5.3 shell attribute page? I am trying to get this to work under 5.5 but I am not having any luck. I have the attribute in place to match the same as the remote role group string (F5-LTM-User-Info-1=TelecomFullAccess) but it still fails. I am wondering if I need to create a custom attribute field like we had under 4.2. Any help would be appreciated.
- Cory_50405
Noctilucent
I posted a screenshot of ACS 5.3 custom attribute definition in another thread that you can find here: https://devcentral.f5.com/s/feed/0D51T00006i7YINSA2
- Karthik_Kumaran
Nimbostratus
Thanks a lot. One more query. I already have a number of groups created in my Cisco ACS, and would want to use one of them in the F5 for "Remote Role Groups". Jason's writeup that you linked mentions that the remote role groups need to be added in order. There is also a numbering of groups (starting from 0) in my Cisco ACS. In the "Line Order" field in the "Remote Role Groups" configuration, should I use the same group number as in the ACS?
- Cory_50405
Noctilucent
The group number isn't critical, but the group name is. The remote role group must be named verbatim with the ACS group name. And the ACS group name cannot contain spaces, if I remember correctly.
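To make the two rules Cory states above concrete (the attribute string must match verbatim, and remote role groups are evaluated in line order), here is an added example, written for this thread and not F5's own code, that models the mapping from the attribute=value pairs a TACACS+ server returns to a BIG-IP role. It assumes first match in line order wins and that a configurable default role applies when nothing matches; the group names in the sample configuration are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RemoteRoleGroup:
    line_order: int     # "Line Order" field; lower numbers are evaluated first (assumed)
    attribute: str      # "Attribute String", e.g. "F5-LTM-User-Info-1=adm", exactly as typed
    role: str           # assigned role, e.g. "administrator"
    partition: str = "All"
    console: bool = False   # "Terminal Access"

def resolve_role(av_pairs, role_groups, default_role="no-access"):
    """Return (role, partition, console) for the attribute=value pairs that
    the TACACS+ server returned for the user.  Matching is verbatim (no
    trimming, no case folding) and the first group in line order wins.
    default_role is the fallback for remote users who match no group."""
    received = set(av_pairs)
    for group in sorted(role_groups, key=lambda g: g.line_order):
        if group.attribute in received:
            return group.role, group.partition, group.console
    return default_role, "All", False

def explain_mismatch(av_pairs, role_groups):
    """Diagnostic for the failure mode in the thread: list returned pairs that
    differ from a configured attribute string only by case or whitespace."""
    notes = []
    for group in role_groups:
        for pair in av_pairs:
            if pair != group.attribute and \
                    pair.strip().lower() == group.attribute.strip().lower():
                notes.append(f"{pair!r} is not a verbatim match for {group.attribute!r}")
    return notes

# Constructed sample configuration; group names are hypothetical.
GROUPS = [
    RemoteRoleGroup(1, "F5-LTM-User-Info-1=adm", "administrator", console=True),
    RemoteRoleGroup(2, "F5-LTM-User-Info-1=TelecomFullAccess", "operator"),
    RemoteRoleGroup(3, "F5-LTM-User-Info-1=ro", "guest"),
]

if __name__ == "__main__":
    print(resolve_role(["F5-LTM-User-Info-1=adm"], GROUPS))
    print(resolve_role(["F5-LTM-User-Info-1=telecomfullaccess"], GROUPS, "guest"))
    print(explain_mismatch(["F5-LTM-User-Info-1=TelecomFullAccess "], GROUPS))
```

Running `explain_mismatch` on the pairs captured with debug logging enabled is a quick way to spot a trailing space or case difference in the ACS attribute that would otherwise look identical on screen.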
- Karthik_Kumaran
Nimbostratus
Thanks Cory. I was able to get LTM working on TACACS authentication with ACS. I have another question.
Is it possible to disable the default admin account from GUI access once LTM is enabled for TACACS? I want the admin account to work only if the TACACS server is not reachable. Is there a possible configuration for this?
- Cory_50405
Noctilucent
None that I'm aware of.
