Forum Discussion
tacacs +
Can anyone help me with the step-by-step procedure to configure TACACS+ on F5?
Also wanted to know if it's compatible with ACS ver 2.4 to support the functionality.
- Samir_Jha_52506 Noctilucent
Go through this link
- abi1980_184094 Nimbostratus
Thanks Samir. Is this only for administrative users? Is there something which we can use for users with operator privilege as well?
- Samir_Jha_52506 Noctilucent
Can't configure TACACS+ with Operator privilege. The option will not be enabled for you.
- abi1980_184094 Nimbostratus
Can you use TACACS+ to authenticate users with limited privileges?
- Jana_Bollineni_ Nimbostratus
You can select the role (Administrator, Operator, etc.) while configuring external authentication. "From the Role menu, select a user role that you want the BIG-IP system to assign as the default role for remote user accounts. This is the role assigned by BIG-IP for a remote user account that is not explicitly assigned a role."
- Robert_Luechte1 Nimbostratus
I don't use Cisco TACACS+ myself, I use Aruba Clearpass as my TACACS server, but here is what I think you need to do. On the BigIP, under System -> Users -> Authentication you will configure your TACACS servers and you should specify a service name of PPP and a protocol of IP. (You may already have this done.) Next on the BigIP, switch to the remote role groups tab and create roles similar to how I show it in the screen shot above. Create a remote role for each type of user you want to configure and assign a unique attribute for each role, i.e. F5-LTM-User-Info-1=adm, F5-LTM-User-Info-1=opr, etc.
Then on the TACACS server under the PPP IP service, there should be somewhere that you can assign a custom attribute to the user. When you find that, you will create the attribute of F5-LTM-User-Info-1 and the value of adm, opr, or whatever role the user requires.
If you can't figure out how to assign the attribute to the PPP service, you may need to do it under the shell service. If that is the case, on the BigIP authentication section you would specify shell as the service. I'm not sure about the protocol though. You may need to leave it blank, or stick with IP.
Hope this helps.
Good Luck,
Robert
- abi1980_184094 Nimbostratus
Hi Robert, where can I find the option to assign attributes according to user roles? I am unable to find them; can you help me with that?
- Robert_Luechte1 Nimbostratus
Do you mean on the BigIP or on the TACACS server?
- abi1980_184094 Nimbostratus
On the F5. I am using LTM image 10.2.4 and I do not see the option to set attributes for users.
- Robert_Luechte1 Nimbostratus
You won't set the attribute for individual users on the BigIP. If you're doing it this way, you won't even create the users on the BigIP.
You set that attribute in the remote role configuration System -> Users -> Remote Role Groups.
- abi1980_184094 Nimbostratus
Hi Rob, I am able to make it work for administrators, but for operators it isn't working.
- abi1980_184094 Nimbostratus
Anyone know if ACS version 2.4 is supported for TACACS+?
I tried the steps but it did not work. TACACS version 4.1 and TMOS version 12.1. Also, does the line-order number in the remote role group matter?
It worked after enabling PPP on TACACS for the relevant user group. On F5, in the remote role group, also select PPP in the service.
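To make the mapping that Robert and Jana describe concrete, here is an added Python model (not F5's code and not from this thread) of how a remote role group lookup turns the attribute-value pairs returned by the TACACS+ server for the PPP/IP service into a BIG-IP role: groups are tried in line order, and a reply with no matching attribute falls back to the configured default role, which is what happens when PPP is not enabled for the user's group on the server. The group names, attribute values and sample replies are constructed for illustration.

```python
"""Model of BIG-IP remote role group resolution from a TACACS+ reply.
Constructed illustration of the behaviour discussed in the thread;
it is not F5's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteRole:
    name: str          # group name, constructed
    line_order: int    # lower numbers are evaluated first
    attribute: str     # e.g. "F5-LTM-User-Info-1=adm"
    role: str          # BIG-IP role assigned on match


def parse_av_pairs(av_pairs):
    """Split TACACS+ authorization AV pairs into a dict.
    RFC 8907 uses 'attr=value' for mandatory and 'attr*value' for
    optional pairs; both carry the same attribute name."""
    parsed = {}
    for pair in av_pairs:
        idx = min((pair.find(c) for c in "=*" if c in pair), default=-1)
        if idx <= 0:
            raise ValueError(f"malformed AV pair: {pair!r}")
        parsed[pair[:idx].strip()] = pair[idx + 1:].strip()
    return parsed


def resolve_role(av_pairs, role_groups, default_role="No Access"):
    """First group (by line order) whose attribute matches the reply wins;
    no match returns the default role from the authentication settings."""
    attrs = parse_av_pairs(av_pairs)
    for group in sorted(role_groups, key=lambda g: g.line_order):
        want_attr, want_value = group.attribute.split("=", 1)
        if attrs.get(want_attr) == want_value:
            return group.role
    return default_role


# Constructed remote role groups mirroring the adm/opr scheme above.
ROLE_GROUPS = [
    RemoteRole("admins", 1, "F5-LTM-User-Info-1=adm", "Administrator"),
    RemoteRole("operators", 2, "F5-LTM-User-Info-1=opr", "Operator"),
]

# Constructed server replies for the PPP/IP service.
ADMIN_REPLY = ["F5-LTM-User-Info-1=adm"]
OPERATOR_REPLY = ["F5-LTM-User-Info-1*opr"]   # optional-pair form
NO_PPP_REPLY = []   # PPP not enabled for the group: no attributes returned
```

Running `resolve_role(NO_PPP_REPLY, ROLE_GROUPS)` shows why the operator accounts in the thread landed on the default role until PPP was enabled for their group.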