TACACS+ Remote Role Configuration for BIG-IP
Several years ago (can it really have been 2009?) I wrote up a solution for using tacacs+ as the authentication and authorization source for BIG-IP user management. Much has changed in five years: ne...
Updated Jan 06, 2024
Version 2.0
JRahm
Admin
Joined January 20, 2005
John_Beckmann (Employee)
Jan 17, 2019
I have found that the version of tac_plus available on http://li.nux.ro/download/nux/misc/el6/x86_64/ (from the install guide http://www.techspacekh.com/configuring-tacacs-plus-with-active-directory-user-authentication-on-rhelcentos-7/) uses a different config in tac_plus.conf for the BIG-IP.
It requires pap = PAM and does not use the "set" command for the IP variables:
    key = "f5networks"

    user = my_admin_user {
        member = adm
    }
    user = my_mgr_user {
        member = userMgr
    }
    user = my_editor_user {
        member = appEd
    }
    user = my_ops_user {
        member = ops
    }

    # Each group returns the F5 attributes in the ppp/ip authorization reply.
    # F5-LTM-User-Role: 0 = Administrator, 40 = User Manager, 300 = Application Editor, 400 = Operator
    # F5-LTM-User-Console: 1 = console (tmsh) access enabled, 0 = disabled
    group = adm {
        login = PAM
        pap = PAM
        service = ppp
        protocol = ip {
            F5-LTM-User-Info-1 = adm
            F5-LTM-User-Console = 1
            F5-LTM-User-Role = 0
            F5-LTM-User-Partition = all
        }
    }
    group = appEd {
        login = PAM
        pap = PAM
        service = ppp
        protocol = ip {
            F5-LTM-User-Info-1 = appEd
            F5-LTM-User-Console = 0
            F5-LTM-User-Role = 300
            F5-LTM-User-Partition = Common
        }
    }
    group = userMgr {
        login = PAM
        pap = PAM
        service = ppp
        protocol = ip {
            F5-LTM-User-Info-1 = userMgr
            F5-LTM-User-Console = 0
            F5-LTM-User-Role = 40
            F5-LTM-User-Partition = Common
        }
    }
    group = ops {
        login = PAM
        pap = PAM
        service = ppp
        protocol = ip {
            F5-LTM-User-Info-1 = ops
            F5-LTM-User-Console = 1
            F5-LTM-User-Role = 400
            F5-LTM-User-Partition = Common
        }
    }
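Added example, not the poster's file or F5's own tooling: a small Python parser for this brace-style tac_plus.conf layout that pulls out the F5-LTM-* attributes each group returns and reports the effective BIG-IP role, partition, console flag and member users per group, so a reviewer can see at a glance who the TACACS+ server would hand Administrator to. The role-number names are assumed from F5's remote-role documentation, and the embedded sample config is constructed to mirror two of the groups above.

```python
import re

ROLE_NAMES = {0: "Administrator", 40: "User Manager", 100: "Manager", 300: "Application Editor",
              400: "Operator", 900: "No Access"}  # F5-LTM-User-Role values (assumed from F5 docs)
TOKEN = re.compile(r'"[^"]*"|[{}=]|[^\s{}=]+')

def parse(text):
    """Nested-brace parser: 'k = v' gives node[k] = v; 'k = v { ... }' gives node[k][v] = {...}."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", text))
    pos = 0
    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key, value = tokens[pos], tokens[pos + 2].strip('"')
            assert tokens[pos + 1] == "=", f"expected '=' after {key}"
            pos += 3
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                node.setdefault(key, {})[value] = block()
                pos += 1  # consume the closing brace
            else:
                node[key] = value
        return node
    return block()

def audit(conf):
    """Per group: effective role, partition, console flag, member users and review findings."""
    members = {}
    for user, u in conf.get("user", {}).items():
        members.setdefault(u.get("member"), []).append(user)
    report = {}
    for name, grp in conf.get("group", {}).items():
        a = grp.get("protocol", {}).get("ip", {})
        role = int(a.get("F5-LTM-User-Role", 900))  # assumed: no role attribute means No Access
        findings = []
        if role not in ROLE_NAMES:
            findings.append(f"unknown role number {role}")
        if a.get("F5-LTM-User-Console") == "1" and role != 0:
            findings.append("console enabled for a non-administrator role")
        report[name] = {"role": ROLE_NAMES.get(role, "?"), "partition": a.get("F5-LTM-User-Partition"),
                        "console": a.get("F5-LTM-User-Console") == "1",
                        "users": members.get(name, []), "findings": findings}
    return report

SAMPLE = """key = "f5networks"
user = my_admin_user { member = adm }  user = my_ops_user { member = ops }
group = adm { login = PAM pap = PAM service = ppp protocol = ip { F5-LTM-User-Info-1 = adm
    F5-LTM-User-Console = 1 F5-LTM-User-Role = 0 F5-LTM-User-Partition = all } }
group = ops { login = PAM pap = PAM service = ppp protocol = ip { F5-LTM-User-Info-1 = ops
    F5-LTM-User-Console = 1 F5-LTM-User-Role = 400 F5-LTM-User-Partition = Common } }"""
```

Running `audit(parse(open("tac_plus.conf").read()))` against the real file lists every group's role and members; the console finding is a review prompt, since the poster's ops group deliberately grants console access.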