Forum Discussion
Nimbostratustacacs +
Anyone can help me with the step by step procedure to configure Tacacs on F5
Also wanted to know if its compatible with ACS ver 2.4 to support the functionality
24 Replies
Samir_Jha_52506Noctilucent
Go through this link
abi1980_184094Thanks Samir Is this only for administrative users Is thereome thing whcih we can use for users with operator privilige as well- Samir_Jha_52506Can't configure Tacacs with Operator privileged. Option will not be enable for you.
- abi1980_184094
Can you use Tacacs + to authenticate userss with limited priviliges
Jana_Bollineni_You can select the role (Administrator, operator, etc) while configuring external authentication. "From the Role menu, select a user role that you want the BIG-IP system to assign as the default role for remote user accounts. This is the role assigned by BIG-IP for a remote user account that is not explicitly assigned a role."
Robert_Luechte1I don't use Cisco TACACS+ myself, I use Aruba Clearpass as my TACACS server, but here is what I think you need to do. On the BigIP, under System -> Users -> Authentication you will configure your TACACS servers and you should specify a service name of PPP and a protocol of IP. (You may already have this done.) Next on the BigIP, switch to the remote role groups tab and create roles similar to how I show it in the screen shot above. Create a remote role for each type of user you want to configure and assign a unique attribute for each role, i.e. F5-LTM-User-Info-1=adm, F5-LTM-User-Info-1=opr, etc.
Then on the TACACS server under the PPP IP service, there should be somewhere that you can assign a custom attribute to the user. When you find that, you will create the attribute of F5-LTM-User-Info-1 and the value of adm, opr, or whatever role the user requires.
If you can't figure out how to assign the attribute to the PPP service, you may need to do it under the shell service. If that is the case, on the BigIP authentication section you would specify shell as the service. I'm not sure about the protocol though. You may need to leave it blank, or stick with IP.
Hope this helps.
Good Luck,
Robert
- abi1980_184094Hi Robe Where can i find the option to assign attributes according to user roles am unable to find them can you help me with that
Robert_Luechte2Cirrus
I don't use Cisco TACACS+ myself, I use Aruba Clearpass as my TACACS server, but here is what I think you need to do. On the BigIP, under System -> Users -> Authentication you will configure your TACACS servers and you should specify a service name of PPP and a protocol of IP. (You may already have this done.) Next on the BigIP, switch to the remote role groups tab and create roles similar to how I show it in the screen shot above. Create a remote role for each type of user you want to configure and assign a unique attribute for each role, i.e. F5-LTM-User-Info-1=adm, F5-LTM-User-Info-1=opr, etc.
Then on the TACACS server under the PPP IP service, there should be somewhere that you can assign a custom attribute to the user. When you find that, you will create the attribute of F5-LTM-User-Info-1 and the value of adm, opr, or whatever role the user requires.
If you can't figure out how to assign the attribute to the PPP service, you may need to do it under the shell service. If that is the case, on the BigIP authentication section you would specify shell as the service. I'm not sure about the protocol though. You may need to leave it blank, or stick with IP.
Hope this helps.
Good Luck,
Robert
- abi1980_184094Hi Robe Where can i find the option to assign attributes according to user roles am unable to find them can you help me with that
- Robert_Luechte1
Do you mean on the BigIP or on the TACACS server?
- abi1980_184094on the F5 am using ltm image 10.2.4 and i do not see the option to set attributes for users
- Robert_Luechte2
Do you mean on the BigIP or on the TACACS server?
- abi1980_184094on the F5 am using ltm image 10.2.4 and i do not see the option to set attributes for users
- Robert_Luechte1
You won't set the attribute for individual users on the BigIP. If you're doing it this way, you won't even create the users on the BigIP.
You set that attribute in the remote role configuration System -> Users -> Remote Role Groups.
- abi1980_184094Hi rob I am able to make it work for administrators but for operators it isnt working
- Robert_Luechte2
You won't set the attribute for individual users on the BigIP. If you're doing it this way, you won't even create the users on the BigIP.
You set that attribute in the remote role configuration System -> Users -> Remote Role Groups.
- abi1980_184094Hi rob I am able to make it work for administrators but for operators it isnt working
- abi1980_184094
anyone knows if ACS version 2.4 is supported for tacacs
- Amy003_314955
I tried the steps but it did not work. Tacacs version 4.1 and Tmos version 12.1. Also, does the line order number in the remote role group matter ?
- Amy003_314955
It worked after enabling ppp on tacacs for the relevant user group. On F5, in the remote role group, also select ppp in the service.
