Forum Discussion

Oct 07, 2013

TACACS Auth with Remote Role Groups --> Terminal Access

Hi,


For one of our customers I recently set up TACACS Auth with Remote Role Groups. The setup works very well so far. But when I tried to define something other than TMSH (e.g. /bin/bash) in the Terminal Access group properties (System -> Users:Remote Role Groups > fw_adm), then I get the following error message:


01070920:3: Application error for confpp: remoterole console setting /bin/bash is invalid.


So my question is: what is the correct shell/path for the F5 Extended Shell root shell (NOT TMSH!)? The goal should be to give specific users in TACACS group fw_adm direct access to the Extended Shell (like root). At the moment only TMSH is working for group fw_adm.


Thanks for any help. Regards, Lukas


4 Replies

  • If I recall correctly, I believe you need to create a local user account (no password) that matches the name of the remote TACACS one and assign 'Advanced Shell' access to that.


    Of course, you'll want to test that the local account is unusable while TACACS is available and also when it's not.


  • I've gone rounds with this issue and haven't found any options to place remotely authenticated users into bash. They always get placed into TMSH regardless of configuration.


    We've instructed our users to just do 'run util bash' after logging in if they need the functionality of the bash shell.


  • What Lies Beneath is correct. You can only get directly to the BASH shell if a local user is added on the F5, which does rather negate the remote authentication side. I believe this is due to the way *nix works (somebody more qualified in *nix will be able to explain it better).


    I had the same issue and, like Cory, had to advise the users to perform the "run /util bash" command. Not that much of a hardship really!


  • Hi,


    This post is a couple of years old, but I am facing a similar issue using RADIUS.


    By giving tmsh access I can certainly access Bash. But my problem is that, due to the strict auditing policy enforced, I am losing accountability of the users who are using Bash. For example, as the radmin user, when I created a directory under /home, the owner of the directory is 'root'.


    rdmin@(F5-01)(cfg-sync Standalone)(/S1-green-P:Active)(/Common)(tmos) run /util bash
    [radmin@F5-01:/S1-green-P:Active:Standalone] ~ whoami
    root
    [radmin@F5-01:/S1-green-P:Active:Standalone] ~ cd /home/
    [radmin@F5-01:/S1-green-P:Active:Standalone] home mkdir radmindir
    [radmin@F5-01:/S1-green-P:Active:Standalone] home ls -al
    total 12
    drwxr-xr-x  6 root          root          1024 Nov  9 15:50 .
    drwxr-xr-x 27 root          root          1024 Oct 28 17:05 ..
    drwx------  2 root          webusers      1024 Jul 28 03:53 admin
    drwx------  2 f5_remoteuser f5_remoteuser 1024 Jul 28 03:54 f5_remoteuser
    drwx------  2 root          root          1024 Nov  9 15:50 radmindir
    drwx------  2 root          webusers      1024 Nov  4 15:34 root
    [radmin@F5-01:/S1-green-P:Active:Standalone] home


    So I was wondering if anyone has found a solution to this problem, as it's been a couple of years since the original post.


    Thanks, RT