TACACS+ Remote Role Configuration for BIG-IP
Several years ago (can it really have been 2009?) I wrote up a solution for using tacacs+ as the authentication and authorization source for BIG-IP user management. Much has changed in five years: ne...
Updated Jan 05, 2024
Version 2.0
JRahm
Admin
Admin
John_Beckmann
Employee
EmployeeI have found the version of tac_plus that is available on http://li.nux.ro/download/nux/misc/el6/x86_64/ (from install Guide http://www.techspacekh.com/configuring-tacacs-plus-with-active-directory-user-authentication-on-rhelcentos-7/ ) uses different config for tac_plus.conf for the BIG-IP.
It requires pap = PAM and does not use the "set" command for the IP variables:-
key = "f5networks"
user = my_admin_user {
member = adm
}
user = my_mgr_user {
member = userMgr
}
user = my_editor_user {
member = appEd
}
user = my_ops_user {
member = ops
}
group = adm {
login = PAM
pap = PAM
service = ppp
protocol = ip {
F5-LTM-User-Info-1 = adm
F5-LTM-User-Console = 1
F5-LTM-User-Role = 0
F5-LTM-User-Partition = all
}
}
group = appEd {
login = PAM
pap = PAM
service = ppp
protocol = ip {
F5-LTM-User-Info-1 = appEd
F5-LTM-User-Console = 0
F5-LTM-User-Role = 300
F5-LTM-User-Partition = Common
}
}
group = userMgr {
login = PAM
pap = PAM
service = ppp
protocol = ip {
F5-LTM-User-Info-1 = userMgr
F5-LTM-User-Console = 0
F5-LTM-User-Role = 40
F5-LTM-User-Partition = Common
}
}
group = ops {
login = PAM
pap = PAM
service = ppp
protocol = ip {
F5-LTM-User-Info-1 = ops
F5-LTM-User-Console = 1
F5-LTM-User-Role = 400
F5-LTM-User-Partition = Common
}
}