Forum Discussion

brepav123_22459
Jan 22, 2016

Configuring TACACS v4.2 with F5 Remote Role Groups

Hi everyone,

I'm trying to get our F5s working with TACACS and I was successful in getting individual user accounts to work. However, I'm trying to set up the groups but am having some trouble.

Working through a user guide I found online, I set the following attributes in the TACACS+ Settings custom attributes:

    set F5-LTM-User-Info-1 = adm
    set F5-LTM-User-Console = 1
    set F5-LTM-User-Role = 0

Then on the F5 side I have the attribute string set to F5-LTM-User-Info-1=adm with similar settings for the console, role, etc. However, the users in TACACS assigned to the group with the above attributes are not authenticating in the F5. Any thoughts as to why this is would be greatly appreciated.

Thanks! Brent

2 Replies

  • Thanks for the reply. The article you posted is the one I was going off of originally. I matched my TACACS configs similar to yours with F5 but no luck. I guess I'm not 100% sure where to put the settings in the TACACS. I'm only semi-familiar with the GUI, so from that forum it looks like it's the custom attributes in the PPP IP settings. However, they don't seem to be making any difference.

    Thanks

    • JRahm (Admin)
      There are options. You can set all the properties of a group on the F5 side instead of using the variables, or you can use the variables and set all the properties on the TACACS side. Your choice there. Assuming your TACACS server is Cisco, I know several questions have come up on that implementation but I'm not familiar with it, so unfortunately won't be much help there. There are some notes in the comments on the older article about the Cisco server that might be helpful: https://devcentral.f5.com/s/articles/v10-remote-authorization-via-tacacs-43
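
The two options described in the reply above, written as BIG-IP remote-role entries in the form `tmsh list auth remote-role` displays them. This is an added example, not configuration posted by anyone in the thread; the entry names (`adm_static`, `adm_vars`), the `line-order` values and `user-partition All` are assumptions chosen for illustration.

```tmsh
# Added example (not from the thread). Use ONE of the two entries for a group.
auth remote-role {
    role-info {
        # Option 1: every property is fixed on the F5 side.
        # The TACACS+ group only has to return the matching pair
        # F5-LTM-User-Info-1=adm; the role and console values the
        # server sends are not consulted.
        adm_static {
            attribute F5-LTM-User-Info-1=adm
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
        # Option 2: the F5 matches on the same pair, then takes console
        # and role from the values the TACACS+ group returns
        # (F5-LTM-User-Console and F5-LTM-User-Role in the original post).
        # If the server does not return those attributes for the user,
        # the variables cannot be resolved.
        adm_vars {
            attribute F5-LTM-User-Info-1=adm
            console %F5-LTM-User-Console
            line-order 2
            role %F5-LTM-User-Role
            user-partition All
        }
    }
}
```

With either entry, a group member who fails to match usually means the `attribute` pair is not arriving from the TACACS+ server exactly as written, so comparing the server's authorization reply against that string is the first check.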