Forum Discussion
Cory_50405
Noctilucent
Dec 22, 2011
remoterole and TACACS
Our organization has F5 LTMs deployed and we are trying to eliminate the need to define accounts local to the device. We currently have Cisco ACS servers configured with user accounts and we are trying to get the LTMs configured to pull authentication and authorization information from these ACS boxes.
We currently have this remoterole defined in our LTMs:
role info adm {
attribute "F5-LTM-User-Info-1=adm"
role "administrator"
console "enable"
deny disable
line order 1
user partition "all"
}
And this group created on our ACS server:
"Full Access"
Under TACACS+ settings, we have the PPP IP option checked, and the custom attributes box checked with F5-LTM-User-Info-1=adm defined as a custom attribute.
Does the name of the ACS group need to match the role info name on the LTM? It doesn't appear the LTM will accept spaces as part of the role info name.
Thanks,
Cory
1 Reply
- hoolio
Cirrostratus
Hi Cory,
The group name must be identical. I believe there was a bug (fixed in 10.2) with spaces in the attribute field:
For details on remoterole options, you can check the Implementations Guide or 'b remoterole help':
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_mgmt_auth.html?sr=182930341025343
But in a quick test on 10.2.2, I couldn't run a remoterole command with a space in it. You might try opening a case with Support on this if you haven't already, to check if spaces are allowed and how to use them if they are.
Aaron
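As an added illustration, not code from the thread, from F5 or from Cisco ACS, here is a small Python checker for the mapping the thread is about: it parses bigpipe-style "role info" blocks of the form Cory posted, rejects a role name containing a space (matching Aaron's observation that the LTM would not accept one), flags common configuration mistakes, and resolves which role a user gets from the custom attribute the TACACS+ server returns, failing closed when nothing matches. The second "ops" role, the option set treated as complete, and the precedence rule (lowest line order wins) are assumptions made for the example.

```python
import re

# Constructed sample input: the block from the thread plus an assumed
# lower-privilege "ops" role so that precedence and non-matches can be shown.
SAMPLE_CONFIG = """
role info adm {
    attribute "F5-LTM-User-Info-1=adm"
    role "administrator"
    console "enable"
    deny disable
    line order 1
    user partition "all"
}
role info ops {
    attribute "F5-LTM-User-Info-1=ops"
    role "operator"
    console "disable"
    deny disable
    line order 2
    user partition "Common"
}
"""

HEADER_RE = re.compile(r'^role info (.+?)\s*\{$')
# Assumed option set, taken from the block in the thread.
OPTIONS = ("attribute", "role", "console", "deny", "line order", "user partition")


def parse_remoterole(text):
    """Parse 'role info NAME { ... }' blocks into {name: {option: value}}.

    Raises ValueError for a role name that contains whitespace, mirroring the
    LTM behaviour reported in the thread, and for unknown or stray options."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            if re.search(r"\s", name):
                raise ValueError(f"role info name may not contain spaces: {name!r}")
            current = roles.setdefault(name, {})
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            raise ValueError(f"option outside a role block: {line!r}")
        for opt in OPTIONS:
            if line.startswith(opt + " "):
                current[opt] = line[len(opt):].strip().strip('"')
                break
        else:
            raise ValueError(f"unknown remoterole option: {line!r}")
    return roles


def check_roles(roles):
    """Return a list of problems a reviewer would flag before deploying."""
    problems, orders = [], {}
    for name, opts in roles.items():
        attr = opts.get("attribute", "")
        if "=" not in attr:
            problems.append(f"{name}: attribute must be NAME=VALUE, got {attr!r}")
        if "role" not in opts:
            problems.append(f"{name}: no role assigned")
        try:
            order = int(opts.get("line order", ""))
        except ValueError:
            problems.append(f"{name}: line order must be an integer")
            continue
        if order in orders:
            problems.append(f"{name}: line order {order} already used by {orders[order]}")
        orders[order] = name
    return problems


def resolve_role(roles, returned_attributes):
    """Pick the role for the custom attributes a TACACS+ server returned.

    Assumption: matching blocks are tried in ascending 'line order'. A user
    whose attributes match no block gets None, i.e. no access (fail closed)."""
    matches = [(int(opts["line order"]), name, opts)
               for name, opts in roles.items()
               if opts.get("attribute") in returned_attributes]
    if not matches:
        return None
    _, name, opts = min(matches, key=lambda m: m[0])
    return {"name": name, "role": opts["role"], "console": opts["console"],
            "partition": opts["user partition"]}


if __name__ == "__main__":
    roles = parse_remoterole(SAMPLE_CONFIG)
    print("problems:", check_roles(roles) or "none")
    print("adm user ->", resolve_role(roles, ["F5-LTM-User-Info-1=adm"]))
    print("unknown user ->", resolve_role(roles, ["F5-LTM-User-Info-1=guest"]))
```

The point of the resolver is the last line: an ACS group whose custom attribute matches no "role info" block on the LTM should yield no access rather than a default, so a mismatch between the group name and the role name shows up as a login failure instead of silent over-privilege.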