Forum Discussion
LTM (v11.3) TACACS+ authentication - Cisco ACSv4.1
The attribute string we use for device administrators looks like this:
F5-LTM-User-Info-1=adm
You can check out Jason's writeup on remote TACACS authorization here:
https://devcentral.f5.com/articles/v10-remote-authorization-via-tacacs-43.Uxca8oUgvZc
When we originally set this up, we were using ACS 4.2. We've since migrated to 5.2, then to 5.3, so I don't have a 4.1 instance to check on, so I'll go by memory. You specify the attribute per user group (or per user), and use the same attribute that you specified in the remote role group within the BIG-IP. I think you specify it in group attributes. A guide from Cisco is here:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/GrpMgt.htmlwp479948
- mkmead2011_6261 Aug 20, 2014
Nimbostratus
Sorry to drag this old article back up, but Cory, would you mind posting a screenshot of your Cisco TACACS 5.3 shell attribute page? I am trying to get this to work under 5.5 but I am not having any luck. I have the attribute in place to match the same as the remote role group string (F5-LTM-User-Info-1=TelecomFullAccess) but it still fails. I am wondering if I need to create a custom attribute field like we had under 4.2. Any help would be appreciated.
- Cory_50405 Aug 20, 2014
Noctilucent
I posted a screenshot of ACS 5.3 custom attribute definition in another thread that you can find here: https://devcentral.f5.com/s/feed/0D51T00006i7YINSA2
