cancel
Showing results for 
Search instead for 
Did you mean: 

BigIQ integration with Cisco ACS (TACACS+)

jba3126
Altostratus
Altostratus
I'm working with Big-IQ Central Manager and would like to authenticate against our TACACS (Cisco ACS) and use the RBAC capabilities; however the documentation is slim at best. I'm getting an error, "User has no roles or groups associations. Trying to compare what we set our LTMs to authenticate using remote roles that are defined in ACS (below) to what I have on our BigIQ. On our LTMs: 1. No users defined local 2. Authentication - Remote - TACACS+ 3. Remote Role Groups a. Group Name = TAC-Auth b. Line Order 20 (Relative to our env.) c. Attribute String = F5-LTM-User-Info-1=TAC-Auth d. Remote Acccess = Enabled e. Assigned Role = Other = %F5-LTM-User-Role f. Partition Access = Other = %F5-LTM-Partition g. Terminal Access = Other = %F5-LTM-User-Console On ACS (Only giving one example) Shell Profiles 1. F5-Device-TACAuth-Admin 2. Custom Attributes a. F5-LTM-User-Info-1 = TAC-Auth b. F5-LTM-User-Console = enable c. F5-LTM-User-Role = Administrator d. F5-LTM-Partition = All BigIQ 1. Auth Providers = a. Name = NA_ACS b. Type = TACACS+ 2. User Groups a. F5_Admin c. Authorization Attributes F5-BigIQ-User-Info = F5_Admin %F5-BigIQ-User-Role = Administrator ACS - Note: My understanding is that since BigIQ doesn't use partitions or the Terminal/Console role it might not be needed. 2. Custom Attributes a. F5-LTM-User-Info-1 = F5_Admin b. F5-LTM-User-Role = Administrator Thank you in advance for any insight! /jeff
2 REPLIES 2

jba3126
Altostratus
Altostratus

I wanted to share the answer as I was able to get this working with the help of sharp F5 PS Engineers. Keep in mind that a lot of this is contextualized to our infrastructure or made generic for obvious reasons 🙂

 

BigIQ 1. Auth Providers = a. Name = NA_ACS b. Type = TACACS+ c. Servers = Server IPs (Primary/Secondary) Port 49 d. Secret = TACACS/ACS Secret Passphrase e. Primary Service = For us ppp f. Protocol = ip g. Encrypt = yes 2. User Groups a. NA-BigIQAdmin b. Authorization Attributes F5-BigIQ-User-Info-1 = BigIQAdmin c. Roles Selected = Administrator ACS 1. Shell Profiles a. F5-Device-TACAuth-BigIQAdmin b. Custom Attributes F5-BigIQ-User-Info-1 = BigIQAdmin 2. Access Policy F5 Device Admin Authorization a. Name = BigIQ Admin b. Identity Group = F5 Admins c. NDG: Device Type = F5 d. NDG: Location = All Locations e. Device Filter = Any f. Shell Profile = F5-Device-TACAuth-BigIQAdmin Once the user logs in they will automatically be added to the Users listing with tacacs+ next to their user id. I sincerely hope this helps someone! /jeff

Claire
Nimbostratus
Nimbostratus

Many thanks for this, it was particularly helpful for us. Thanks to you I can authenticate against our TACACS (Cisco ISE).

 

/Claire