Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

BigIQ integration with Cisco ACS (TACACS+)

jba3126
Cirrus
Cirrus

‎22-Apr-2019 15:41

I'm working with Big-IQ Central Manager and would like to authenticate against our TACACS (Cisco ACS) and use the RBAC capabilities; however the documentation is slim at best. I'm getting an error, "User has no roles or groups associations. Trying to compare what we set our LTMs to authenticate using remote roles that are defined in ACS (below) to what I have on our BigIQ. On our LTMs: 1. No users defined local 2. Authentication - Remote - TACACS+ 3. Remote Role Groups a. Group Name = TAC-Auth b. Line Order 20 (Relative to our env.) c. Attribute String = F5-LTM-User-Info-1=TAC-Auth d. Remote Acccess = Enabled e. Assigned Role = Other = %F5-LTM-User-Role f. Partition Access = Other = %F5-LTM-Partition g. Terminal Access = Other = %F5-LTM-User-Console On ACS (Only giving one example) Shell Profiles 1. F5-Device-TACAuth-Admin 2. Custom Attributes a. F5-LTM-User-Info-1 = TAC-Auth b. F5-LTM-User-Console = enable c. F5-LTM-User-Role = Administrator d. F5-LTM-Partition = All BigIQ 1. Auth Providers = a. Name = NA_ACS b. Type = TACACS+ 2. User Groups a. F5_Admin c. Authorization Attributes F5-BigIQ-User-Info = F5_Admin %F5-BigIQ-User-Role = Administrator ACS - Note: My understanding is that since BigIQ doesn't use partitions or the Terminal/Console role it might not be needed. 2. Custom Attributes a. F5-LTM-User-Info-1 = F5_Admin b. F5-LTM-User-Role = Administrator Thank you in advance for any insight! /jeff
Labels:
0 Kudos
2 REPLIES 2

jba3126
Cirrus
Cirrus

‎23-Apr-2019 18:13

I wanted to share the answer as I was able to get this working with the help of sharp F5 PS Engineers. Keep in mind that a lot of this is contextualized to our infrastructure or made generic for obvious reasons 🙂

 

BigIQ 1. Auth Providers = a. Name = NA_ACS b. Type = TACACS+ c. Servers = Server IPs (Primary/Secondary) Port 49 d. Secret = TACACS/ACS Secret Passphrase e. Primary Service = For us ppp f. Protocol = ip g. Encrypt = yes 2. User Groups a. NA-BigIQAdmin b. Authorization Attributes F5-BigIQ-User-Info-1 = BigIQAdmin c. Roles Selected = Administrator ACS 1. Shell Profiles a. F5-Device-TACAuth-BigIQAdmin b. Custom Attributes F5-BigIQ-User-Info-1 = BigIQAdmin 2. Access Policy F5 Device Admin Authorization a. Name = BigIQ Admin b. Identity Group = F5 Admins c. NDG: Device Type = F5 d. NDG: Location = All Locations e. Device Filter = Any f. Shell Profile = F5-Device-TACAuth-BigIQAdmin Once the user logs in they will automatically be added to the Users listing with tacacs+ next to their user id. I sincerely hope this helps someone! /jeff
0 Kudos

Claire
Nimbostratus
Nimbostratus

‎09-Jul-2021 01:28

Many thanks for this, it was particularly helpful for us. Thanks to you I can authenticate against our TACACS (Cisco ISE).

 

/Claire

0 Kudos
Copyright © 2023 Khoros, LLC