Forum Discussion
Nimbostratustacacs attibute value pair settings for remote role attributes
Hi, I've read Sol8811 and sol8808 and articles https://devcentral.f5.com/articles/v10-remote-authorization-via-tacacs-43.U0yHO_mulsE http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_mgmt_auth.html1030640
on ACS 4.2 - i got auth working via the following: create a 'new service' on the Interface Configuration>Tacacs+(Cisco IOS)>New Services. I created a new service called 'F5_extras' with protocol 'IP'. This enables the new setting to appear in my existing Group (which contains many different vendor equipment). In the Group setting I can assign PPP IP via 'custom attributes' window: service=PPP protocol=IP Obviously set your F5_extras in your LTM tacacs configuration.
(NOTE: ip assignment of dialup was not required for me - its mentioned a in a forum).
For REMOTE ROLES how to I configure the ACS for the attributes? eg, mentioned on the dev central forum a user applied these attributes to the ACS device: F5-LTM-Host=4500ltm1 F5-LTM-User-Role=administrator F5-LTM-User-Partition=Common F5-LTM-User-Console=tmsh
From Cisco site the Attribute values eg's are: eg's •acl=
•autocmd=
•callback-line
•callback-rotary
•cmd-arg=
•cmd=
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2-1/User_Guide/acs421ug/A_TACAtr.htmlwp977782
1 Reply
Cory_50405Noctilucent
I believe the attribute within ACS needs to be populated under the group configuration, shell profiles section. There's a pane for attributes and it should be populated with the same attribute as you put in the corresponding remote role within the BIG-IP.
For example, our attribute for administrators is F5-LTM-User-Role-1=adm. This goes in the custom attributes under the shell profile section of ACS as well as your remote role configuration as the attribute string.
