For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

getnyce_157084's avatar
getnyce_157084
Icon for Nimbostratus rankNimbostratus
May 24, 2014
Solved

Multiple AAA authetication groups to TACACS

Currently I authenticate to a TACACS for my read/write account. Anyone who needs to manage the LTM will be added to that group. However I need to give auditor access to a group of users. When I great a local account it doesn't allow me to add a password. I can't add them to the group that I'm in because they will have too much access. How to I get the LTM to authenticate a group of users with an auditor role.

 

aaa
application delivery
LTM
management
security
tacacs
  • Cory_50405's avatar
    Cory_50405
    May 25, 2014

    You need to use remote role with your TACACS+ server. Essentially this involves setting up remote roles and eliminating local user accounts. There have been several threads lately about remote authentication via TACACS+ lately. Here's one:

     

    https://devcentral.f5.com/questions/how-to-configure-tacacs-on-cisco-acs-53-for-authenticate-administrative-users-on-ltm-1120

     

    Also, here is some info regarding remote role:

     

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/16.html

     

18 Replies

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    May 25, 2014

    You need to use remote role with your TACACS+ server. Essentially this involves setting up remote roles and eliminating local user accounts. There have been several threads lately about remote authentication via TACACS+ lately. Here's one:

     

    https://devcentral.f5.com/questions/how-to-configure-tacacs-on-cisco-acs-53-for-authenticate-administrative-users-on-ltm-1120

     

    Also, here is some info regarding remote role:

     

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/16.html

     

    • ZenCentral's avatar
      ZenCentral
      Icon for Nimbostratus rankNimbostratus
      Jul 25, 2016

      Did you find out how to define multiple partitioins to one user?

       

    • Walter_Kacynski's avatar
      Walter_Kacynski
      Icon for Cirrostratus rankCirrostratus
      Aug 11, 2014
      Is it possible to use this method to map multiple partitions to a single user? It seems that when using Locally defined users a user can only be given access to 1 partation or All partiions. I wish to have a user access two named partions and not common. Thank-You.
    • Cory_50405's avatar
      Cory_50405
      Icon for Noctilucent rankNoctilucent
      Jun 12, 2014
      The relevant logging should be in ACS. Check out the failed TACACS authentications report. Feel free to post configs here for review.