Forum Discussion
Tacacs configuration with F5-LTM-User attribute.
Hi, can someone guide me to a configuration guide for configuring TACACS+ for F5 LTM and GTM? I am looking for a configuration that will provide 3 levels of access (admin/auditor/operator). I came to know that we can create an attribute similar to F5-LTM-User and provide levels of access and RADIUS servers.
Please let me know if we have any config guide available.
20 Replies
- Cory_50405
Noctilucent
What TACACS server are you using? If Cisco ACS, I can give you a pretty good walkthrough.
- judascow_106704
Nimbostratus
I have the same question for LTM and am using Cisco ACS. If you can provide a walkthrough I'd appreciate it.
Thanks
- Cory_50405
Noctilucent
What version of ACS are you running?
- judascow_106704
Nimbostratus
4.2
- Cory_50405
Noctilucent
Darn, was hoping you'd say 5.2 or 5.3. I don't have access to an ACS 4.2 system any longer, but we had it working on 4.2 before we upgraded.
So this question has come up a few times, most recently here:
https://devcentral.f5.com/questions/ltm-v113-tacacs-authentication-cisco-acsv41
Have you setup the BIG-IP remote roles and ACS group configs at all or are you just getting started?
- judascow_106704
Nimbostratus
I've created one BIG-IP remote role and have cloned an existing ACS group, the one I want to add the F5 admin login ability to, and renamed it "adm".
F5 remoterole
role info adm {
   attribute "F5-LTM-User-Info-1=adm"
   console "enable"
   deny disable
   line order 1
   role "administrator"
   user partition "all"
}
ACS group TACACS+ Settings Custom Attribute:
F5-LTM-User-Info-1=adm
Login currently fails on the F5 (v10.2.4), but the ACS Passed Authentications log shows that the login was successful.
Missing something obvious?
I plan on also setting up auditor & operator roles once I have this one working.
Thanks
- Cory_50405
Noctilucent
Is the name of your ACS group "adm"? It has to match verbatim what your remote role group name is.
- judascow_106704
Nimbostratus
Indeed it is. "cloned an existing ACS group... and renamed it 'adm'"
- Cory_50405
Noctilucent
Apologies for my reading comprehension fail. Did you remove any local usernames that may be conflicting with the remote user attempting to log in?
- judascow_106704
Nimbostratus
Just confirmed that there is no local user with the same username.
- Cory_50405
Noctilucent
Your remote role config looks to be the problem after looking at this more. Do you have remote access set to disable in yours? I think that may be the problem. Here's what our administrator remote role looks like:
/Common/Admin {
   attribute F5-LTM-User-Info-1=adm
   console tmsh
   line-order 1
   role administrator
   user-partition all
}
- Shivam_84461
Nimbostratus
Hello Cory,
How about the documentation on acs 5.4 ?
Thanks Shivam
- Cory_50405
Noctilucent
I'm not familiar with anything past 5.3 which we are using now. I would guess that 5.4 would be very similar but I don't know what Cisco changed or added.
Are you having specific problems?
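The following is an added worked example of the three-level admin/auditor/operator setup the original question asks for; it is not from any post in this thread and is not F5's or Cisco's own documentation. It uses v11-and-later tmsh syntax (the v10.2.4 remoterole syntax posted above differs). The TACACS+ server address 192.0.2.10, the shared secret CHANGE-ME and the ACS group names adm, aud and ops are assumptions; each ACS group is expected to return the custom attribute string shown in its role-info entry (for example F5-LTM-User-Info-1=aud) in its TACACS+ settings, the same way the adm group does earlier in the thread. Following Cory's advice, each role-info name is kept identical to the ACS group name and to the value carried in the attribute.

```tmsh
# Added example (not from the thread). Assumed values: TACACS+ server 192.0.2.10,
# shared secret CHANGE-ME, ACS groups adm / aud / ops. Enter at the (tmos)# prompt.

# 1. Point system authentication at the TACACS+ server.
create auth tacacs system-auth { debug disabled encryption enabled protocol ip secret CHANGE-ME servers add { 192.0.2.10 } service ppp }
modify auth source type tacacs

# 2. Fail closed: a remote user whose attribute matches no role-info entry gets
#    no access and no console. Only the entries in step 3 grant anything.
modify auth remote-user default-role no-access default-partition all remote-console-access disabled

# 3. One role-info entry per access level. The entry name and the value after
#    "=" match the ACS group name exactly (case and spelling), which is the
#    mismatch Cory checks for above. line-order fixes the order in which the
#    entries are evaluated when more than one could match a user.
modify auth remote-role role-info add { adm { attribute F5-LTM-User-Info-1=adm line-order 1 role administrator user-partition all console tmsh deny disabled } }
modify auth remote-role role-info add { aud { attribute F5-LTM-User-Info-1=aud line-order 2 role auditor user-partition all console disabled deny disabled } }
modify auth remote-role role-info add { ops { attribute F5-LTM-User-Info-1=ops line-order 3 role operator user-partition all console disabled deny disabled } }

# 4. Verify the mapping as the BIG-IP will apply it, then persist.
list auth remote-role
list auth remote-user
save sys config
```

With this in place, the symptom described earlier in the thread (ACS logs a passed authentication but the BIG-IP still refuses the login) points at the authorization step on the BIG-IP side: compare the attribute string in `list auth remote-role` character for character with the custom attribute configured on the ACS group, and check that the matched entry does not resolve to no-access. The BIG-IP records remote login attempts in /var/log/secure, which is the place to look for what the device actually received.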