Forum Discussion
vvskaladhar_488 (Nimbostratus) - Apr 21, 2014
TACACS configuration with F5-LTM-User attribute.

Hi, can someone guide me with a configuration guide for TACACS+ on F5 LTM and GTM? I am looking for a configuration which will provide 3 levels of access: admin/auditor/operator. I c...
Cory_50405 (Noctilucent) - May 01, 2014
Is the name of your ACS group "adm"? It has to match verbatim what your remote role group name is.

judascow_106704 (Nimbostratus) - May 01, 2014
Indeed it is. "cloned an existing ACS group... and renamed it 'adm'"

Cory_50405 (Noctilucent) - May 01, 2014
Apologies for my reading comprehension fail. Did you remove any local usernames that may be conflicting with the remote user attempting to log in?

judascow_106704 (Nimbostratus) - May 01, 2014
Just confirmed that there is no local user with the same username.

Cory_50405 (Noctilucent) - May 01, 2014
Your remote role configuration looks good. Do you see any helpful information in /var/log/audit or /var/log/secure that identifies a problem?

judascow_106704 (Nimbostratus) - May 02, 2014
Success! I was editing the wrong custom attribute and enabling PPP in the wrong section of the TACACS group configuration. I had to add the PPP IP section to the Group config.

In ACS 4.2, open Interface Configuration -> TACACS+ (Cisco IOS). Under Group, check the box for PPP IP, then Submit. In Group Config for 'adm' under TACACS+ Settings, check PPP IP and add the following in the first TACACS+ Settings Custom Attributes box:

    F5-LTM-User-Info-1=adm

On the F5, my remoterole is:

    remoterole {
        role info adm {
            attribute F5-LTM-User-Info-1=adm
            console enable
            line order 1
            deny disable
            role administrator
            user partition all
        }
    }

Thanks for all of your help, Cory!

Cory_50405 (Noctilucent) - May 05, 2014
Glad to hear you got it working.

Dan_22262 (Nimbostratus) - Dec 12, 2014
@Cory @judascow Great post, guys. Using this, I got LTM BIGIP-11.6.0.0.0.401.ALL-scsi.ova + Cisco Secure ACS 4.2 up and running on basically the first shot. I made the same mistake as above: I didn't originally put the custom attribute under PPP but under "shell". If anyone needs screenshots of the setup on both LTM and on ACS, I took them. Feel free to hit me up.

h_paredes_19017 (Nimbostratus) - Mar 02, 2015
Dan, can you please share those screenshots?

gcave_213109 (Nimbostratus) - Sep 18, 2015
Would it be possible for someone to share the screenshots with 4.1? I have set up:

    auth remote-role {
        role-info {
            /Common/adm {
                attribute F5-LTM-User-Info-1=adm
                console tmsh
                line-order 1
                role administrator
                user-partition All
            }
        }
    }
    auth remote-user {
        default-role admin
        remote-console-access tmsh
    }
    auth source {
        type tacacs
    }
    auth tacacs /Common/system-auth {
        protocol ip
        secret $M$HO$rkzM7osX510D2HjVYcvnZw==
        servers { 165.249.239.32 }
        service ppp
    }

I am getting an 'authorization failure, service ppp denied' on ACS 4.1.
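To extend the single 'adm' role in the posts above to the three access levels the original question asked for (admin/auditor/operator), here is an added example configuration in the same tmsh form; it is not from any of the posts. The attribute values adm/aud/oper, the shared secret and the server address are assumed placeholders, and each value must match verbatim the F5-LTM-User-Info-1 custom attribute that the corresponding ACS group returns under PPP IP. Unlike the 'default-role admin' in the last post, it sets default-role to no-access so that a TACACS+ user whose reply carries no matching attribute is denied instead of being granted administrator access.

```tmsh
# Added example, not from the thread. Attribute values (adm/aud/oper),
# the secret and the server address are placeholders to be replaced.
auth remote-role {
    role-info {
        /Common/adm {
            attribute F5-LTM-User-Info-1=adm
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
        /Common/aud {
            attribute F5-LTM-User-Info-1=aud
            console tmsh
            line-order 2
            role auditor
            user-partition All
        }
        /Common/oper {
            attribute F5-LTM-User-Info-1=oper
            console disabled
            line-order 3
            role operator
            user-partition All
        }
    }
}
# A remote user with no matching role-info entry gets no access,
# rather than inheriting the admin role.
auth remote-user {
    default-role no-access
    remote-console-access disabled
}
auth source {
    type tacacs
}
auth tacacs /Common/system-auth {
    protocol ip
    secret TACACS-SHARED-SECRET-PLACEHOLDER
    servers { TACACS-SERVER-IP-PLACEHOLDER }
    service ppp
}
```

On the ACS side each group needs its own PPP IP custom attribute line (for example F5-LTM-User-Info-1=aud for the auditor group), exactly as the 'adm' group was configured in the thread; line-order decides which entry wins if a user ever matches more than one.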