Forum Discussion
Multiple AAA authentication groups to TACACS
Currently I authenticate to a TACACS for my read/write account. Anyone who needs to manage the LTM will be added to that group. However, I need to give auditor access to a group of users. When I create a local account it doesn't allow me to add a password. I can't add them to the group that I'm in because they will have too much access. How do I get the LTM to authenticate a group of users with an auditor role?
You need to use remote roles with your TACACS+ server. Essentially this involves setting up remote roles and eliminating local user accounts. There have been several threads lately about remote authentication via TACACS+. Here's one:
https://devcentral.f5.com/questions/how-to-configure-tacacs-on-cisco-acs-53-for-authenticate-administrative-users-on-ltm-1120
Also, here is some info regarding remote role:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/16.html
- Cory_50405Noctilucent
- getnyce_157084Nimbostratus
Cory, the F5 configuration seems straightforward. Unfortunately it is the ACS side of things I'm struggling with. I'm running 5.3 ACS; can you point me to any docs that show me step by step how to configure the ACS side of the house for remote role? I have been searching the net but I seem to find only 4.2 docs.
- Cory_50405Noctilucent
The first link in my comment contains some screenshots of ACS 5.3. I don't know of any walk-through documents, but the process involves creating a shell profile where you set the custom attribute that you defined on the remote role configuration. Then you would apply that shell profile to an ACS user group (Access Policies > Access Services > Default Device Admin > Authorization, then click on the group to modify. Towards the bottom, there'll be a field to specify a shell profile).
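For reference, here is the BIG-IP side of the procedure described in the answer and the comment above (TACACS+ as the system authentication source, a default role of no access, and remote-role lines keyed on the custom attribute the ACS shell profile returns), as an added tmsh example that is not part of the original thread. The server address, shared secret, role-info names and the two attribute values are placeholders chosen for illustration; the attribute name F5-LTM-User-Info-1 is the one BIG-IP matches on.

```tmsh
# Added example, not from the thread. Placeholders: 192.0.2.10, the secret,
# and the values ltm-admins / ltm-auditors.

# 1. Define the TACACS+ server BIG-IP will use for administrative logins.
create auth tacacs system-auth { servers add { 192.0.2.10 } secret "replace-me" service ppp protocol ip }

# 2. Make TACACS+ the authentication source for the GUI and SSH.
modify auth source { type tacacs }

# 3. Anyone who authenticates but matches no remote-role line gets no access.
modify auth remote-user { default-role no-access remote-console-access disabled }

# 4. Remote-role lines, evaluated in ascending line-order; the first match wins.
#    The attribute string must equal, verbatim, the custom attribute that the
#    ACS shell profile returns in the TACACS+ authorization reply.
create auth remote-role role-info ltm-admins { attribute "F5-LTM-User-Info-1=ltm-admins" role administrator line-order 100 user-partition all console enabled }
create auth remote-role role-info ltm-auditors { attribute "F5-LTM-User-Info-1=ltm-auditors" role auditor line-order 200 user-partition all console disabled }

save sys config
```

On the ACS side this needs two shell profiles, one per role, each with a custom attribute named F5-LTM-User-Info-1, requirement Mandatory, and the value ltm-admins or ltm-auditors respectively; each profile is then bound to the authorization rule that matches the corresponding AD group. The string BIG-IP compares is that returned attribute, not the AD group name, so a group whose shell profile returns nothing (or a value that differs by even one character) falls through to the no-access default. To check a login, run tail -f /var/log/secure on the BIG-IP while a test user from each group signs in; it records which role was assigned or why the login was rejected.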
- getnyce_157084Nimbostratus
This has been tough for me to get configured. I have it configured appropriately in F5. However, in ACS I'm having a tough time. TACACS is using an external AD group to do the authentication. The authorization policy that is correctly allowing me into the F5 is working. However, when I add the F5 attribute to the shell profile associated with the authorization policy it isn't making me an admin. I have read a lot on here about the role map name matching the group name verbatim on the ACS. But the ACS doesn't have a group; it's just using AD.
- getnyce_157084Nimbostratus
Thank you. I will look over this and give it a shot.