Forum Discussion
TACACS+
I don't use Cisco TACACS+ myself, I use Aruba Clearpass as my TACACS server, but here is what I think you need to do. On the BigIP, under System -> Users -> Authentication you will configure your TACACS servers and you should specify a service name of PPP and a protocol of IP. (You may already have this done.) Next, on the BigIP, switch to the remote role groups tab and create roles similar to how I show it in the screenshot above. Create a remote role for each type of user you want to configure and assign a unique attribute for each role, i.e. F5-LTM-User-Info-1=adm, F5-LTM-User-Info-1=opr, etc.
Then on the TACACS server under the PPP IP service, there should be somewhere that you can assign a custom attribute to the user. When you find that, you will create the attribute of F5-LTM-User-Info-1 and the value of adm, opr, or whatever role the user requires.
If you can't figure out how to assign the attribute to the PPP service, you may need to do it under the shell service. If that is the case, on the BigIP authentication section you would specify shell as the service. I'm not sure about the protocol though. You may need to leave it blank, or stick with IP.
Hope this helps.
Good Luck,
Robert
- abi1980_184094 (Nimbostratus), Jun 03, 2015: Hi Robert, where can I find the option to assign attributes according to user roles? I am unable to find them. Can you help me with that?
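The two halves of the setup described in Robert's answer, as an added example that is not part of the original thread. It assumes the open-source tac_plus daemon on the server side (the thread's posters use Cisco TACACS+ and Aruba ClearPass, where the same attribute is set through their own interfaces) and tmsh on the BIG-IP; the group names, user names, server address and secret are constructed placeholders.

```conf
# --- TACACS+ server side: tac_plus.conf fragment (assumed server: tac_plus) ---
# Each group returns one F5-LTM-User-Info-1 value under the "ppp"/"ip" service,
# matching the service and protocol configured on the BIG-IP.
group = f5-admins {
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = adm
    }
}
group = f5-operators {
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = opr
    }
}
# Constructed sample users; the login method is whatever your server already uses.
user = alice {
    member = f5-admins
    login = PAM
}
user = bob {
    member = f5-operators
    login = PAM
}

# --- BIG-IP side: tmsh equivalents of the GUI steps in the answer ---
# TACACS+ server with service PPP and protocol IP
# (192.0.2.10 and <shared-secret> are placeholders).
tmsh create auth tacacs system-auth { servers add { 192.0.2.10 } secret <shared-secret> service ppp protocol ip }
tmsh modify auth source { type tacacs }

# One remote role group per attribute value. Keep the attribute strings
# identical to what the server returns, and grant the administrator role
# only to the group that needs it.
tmsh modify auth remote-role role-info add { adm { attribute "F5-LTM-User-Info-1=adm" line-order 1 role administrator user-partition all console tmsh } }
tmsh modify auth remote-role role-info add { opr { attribute "F5-LTM-User-Info-1=opr" line-order 2 role operator user-partition all } }
```

After applying both sides, log in once as a member of each group and confirm the role shown on the BIG-IP is the one intended for that group before rolling the mapping out to real accounts.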