Forum Discussion

jba3126
Apr 22, 2019

BigIQ integration with Cisco ACS (TACACS+)

I'm working with Big-IQ Central Manager and would like to authenticate against our TACACS (Cisco ACS) and use the RBAC capabilities; however the documentation is slim at best. I'm getting an error, "User has no roles or groups associations."
Trying to compare what we set our LTMs to authenticate using remote roles that are defined in ACS (below) to what I have on our BigIQ.

On our LTMs:
1. No users defined local
2. Authentication - Remote - TACACS+ 
3. Remote Role Groups
a. Group Name = TAC-Auth
b. Line Order 20 (Relative to our env.)
c. Attribute String = F5-LTM-User-Info-1=TAC-Auth
d. Remote Access = Enabled
e. Assigned Role = Other = %F5-LTM-User-Role
f. Partition Access = Other = %F5-LTM-Partition
g. Terminal Access = Other = %F5-LTM-User-Console

On ACS (Only giving one example)
Shell Profiles
1. F5-Device-TACAuth-Admin
2. Custom Attributes
a. F5-LTM-User-Info-1 = TAC-Auth
b. F5-LTM-User-Console = enable
c. F5-LTM-User-Role = Administrator
d. F5-LTM-Partition = All

BigIQ
1. Auth Providers = 
a. Name = NA_ACS
b. Type = TACACS+
2. User Groups
a. F5_Admin
b. Authorization Attributes
F5-BigIQ-User-Info = F5_Admin
%F5-BigIQ-User-Role = Administrator

ACS - Note: My understanding is that since BigIQ doesn't use partitions or the Terminal/Console role it might not be needed. 
2. Custom Attributes
a. F5-LTM-User-Info-1 = F5_Admin
b. F5-LTM-User-Role = Administrator

Thank you in advance for any insight!
/jeff

2 Replies

  • I wanted to share the answer as I was able to get this working with the help of sharp F5 PS Engineers. Keep in mind that a lot of this is contextualized to our infrastructure or made generic for obvious reasons 🙂

    BigIQ
    1. Auth Providers = 
    a. Name = NA_ACS
    b. Type = TACACS+
    c. Servers = Server IPs (Primary/Secondary) Port 49
    d. Secret = TACACS/ACS Secret Passphrase
    e. Primary Service = For us ppp
    f. Protocol = ip
    g. Encrypt = yes
    
    2. User Groups
    a. NA-BigIQAdmin
    b. Authorization Attributes
    F5-BigIQ-User-Info-1 = BigIQAdmin
    c. Roles Selected = Administrator
    
    ACS
    1. Shell Profiles
    a. F5-Device-TACAuth-BigIQAdmin
    b. Custom Attributes
    F5-BigIQ-User-Info-1 = BigIQAdmin
    
    2. Access Policy
    F5 Device Admin
    Authorization
    a. Name = BigIQ Admin
    b. Identity Group = F5 Admins
    c. NDG: Device Type = F5
    d. NDG: Location = All Locations
    e. Device Filter = Any
    f. Shell Profile = F5-Device-TACAuth-BigIQAdmin
    
    Once the user logs in they will automatically be added to the Users listing with tacacs+ next to their user id.
    
    I sincerely hope this helps someone!
    
    /jeff
    
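The fix in the reply above comes down to one thing: the attribute name and value that ACS returns in the shell profile must match, exactly, the authorization attribute configured on the BIG-IQ user group. The following Python model is an added illustration, not BIG-IQ's own code or anything posted in this thread. It parses the AV pairs a TACACS+ server returns in an authorization reply, looks for a user group whose attribute matches, and reproduces the "no roles or groups associations" failure when nothing matches. The group names, attribute strings and shell-profile contents are taken from the posts; the data structures and matching rule (exact, case-sensitive string comparison) are assumptions of the model.

```python
"""Constructed model of TACACS+ attribute -> BIG-IQ user group mapping.

Not BIG-IQ's code: an added example showing why the original configuration
(ACS returning F5-LTM-User-Info-1 while BIG-IQ looked for F5-BigIQ-User-Info)
yields "User has no roles or groups associations", and why the working
configuration from the reply does not.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UserGroup:
    """A remote user group as configured on BIG-IQ (assumed shape)."""
    name: str
    attribute: str           # authorization attribute name, e.g. F5-BigIQ-User-Info-1
    value: str               # required value, e.g. BigIQAdmin
    roles: Tuple[str, ...]   # BIG-IQ roles granted on a match


class NoRoleError(Exception):
    """Raised when the returned attributes select no user group."""


def parse_av_pairs(av_pairs: List[str]) -> Dict[str, str]:
    """Parse TACACS+ authorization AV pairs.

    TACACS+ separates name and value with '=' (mandatory attribute) or
    '*' (optional attribute); the first separator wins, so values may
    contain either character.
    """
    attrs: Dict[str, str] = {}
    for pair in av_pairs:
        seps = [i for i in (pair.find("="), pair.find("*")) if i >= 0]
        if not seps:
            raise ValueError(f"malformed AV pair: {pair!r}")
        idx = min(seps)
        attrs[pair[:idx]] = pair[idx + 1:]
    return attrs


def resolve_roles(av_pairs: List[str], groups: List[UserGroup]) -> List[str]:
    """Return the roles granted by every group whose attribute/value matches.

    Matching is exact and case-sensitive in this model (an assumption);
    an attribute with the wrong *name* never matches, no matter its value.
    """
    attrs = parse_av_pairs(av_pairs)
    roles: List[str] = []
    for group in groups:
        if attrs.get(group.attribute) == group.value:
            roles.extend(r for r in group.roles if r not in roles)
    if not roles:
        raise NoRoleError("User has no roles or groups associations")
    return roles


# --- Constructed data taken from the thread ---------------------------------

# Original question: BIG-IQ group keyed on F5-BigIQ-User-Info, but ACS still
# sent the LTM-style attribute name.
ORIGINAL_GROUPS = [
    UserGroup("F5_Admin", "F5-BigIQ-User-Info", "F5_Admin", ("Administrator",)),
]
ORIGINAL_SHELL_PROFILE = [
    "F5-LTM-User-Info-1=F5_Admin",
    "F5-LTM-User-Role=Administrator",
]

# Working configuration from the reply: same attribute name on both sides.
WORKING_GROUPS = [
    UserGroup("NA-BigIQAdmin", "F5-BigIQ-User-Info-1", "BigIQAdmin", ("Administrator",)),
]
WORKING_SHELL_PROFILE = ["F5-BigIQ-User-Info-1=BigIQAdmin"]


def login_outcome(av_pairs: List[str], groups: List[UserGroup]) -> str:
    """Summarise what a login with these attributes would get (for the demo)."""
    try:
        return "roles: " + ", ".join(resolve_roles(av_pairs, groups))
    except NoRoleError as exc:
        return f"login rejected: {exc}"


if __name__ == "__main__":
    print("original config ->", login_outcome(ORIGINAL_SHELL_PROFILE, ORIGINAL_GROUPS))
    print("working config  ->", login_outcome(WORKING_SHELL_PROFILE, WORKING_GROUPS))
```

Running the script prints a rejection for the original pairing and `roles: Administrator` for the working one. The practical check this suggests: capture the authorization reply from ACS (or ISE) and compare the AV pair name character for character against the BIG-IQ group's authorization attribute before looking anywhere else.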
    Claire

    Many thanks for this, it was particularly helpful for us. Thanks to you I can authenticate against our TACACS (Cisco ISE).
    /Claire