F5OS support for TACACS+ over CLI
We ran into issues deploying rSeries and VELOS platforms on the network at our company using a custom form of TACACS+. Our implementation allows for application-specific domains with unique ports and keys. We had issues with it until we added the attribute value pairs to the TACACS+ domain profiles:

Admin (unlimited_config): F5-F5OS-UID=1001 F5-F5OS-GID=9000
Operator (unlimited_enable): F5-F5OS-UID=1001 F5-F5OS-GID=9001

This change resolved the access issues via GUI and we are able to access using our TACACS+ credentials, but it does NOT work via CLI for access using the same credentials. We already have a case out to F5 about this, but I was wondering if anyone else is experiencing the same implementation challenge on accessing CLI using TACACS+.

Configuring TACACS v4.2 with F5 Remote Role Groups
Hi everyone, I'm trying to get our F5s working with TACACS and I was successful in getting individual user accounts to work. However, I'm trying to set up the groups but am having some trouble. Working through a user guide I found online, I set the following attributes in the TACACS+ Settings custom attributes:

set F5-LTM-User-Info-1 = adm
set F5-LTM-User-Console = 1
set F5-LTM-User-Role = 0

![Image Text](/Portals/0/Users/084/96/224596/TACACS.PNG)

Then on the F5 side I have the attribute string set to F5-LTM-User-Info-1=adm with similar settings for the console, role, etc. However, the users in TACACS assigned to the group with the above attributes are not authenticating in the F5. Any thoughts as to why this is would be greatly appreciated. Thanks! Brent

Remote authentication with user specific role
Hello everyone, I was wondering how I could assign specific roles to each user I'm expecting on our systems. I know that if I create a local user with the same username as in the remote authentication server I can achieve the exact thing. But we are using TACACS+ with ISE and multiple domains. If I try to create a user without the domain name it won't match, and I cannot create a local user with '\' like "domain\username". It would be the most convenient solution to let the support partner log in as auditor on normal days but make exceptions when the **bleep** hits the fan. Of course I have multiple workarounds like making exceptions on ISE or AD, but these systems are under another unit's control. Also, even temporarily changing the whole remote role group's role would be a security risk. Any idea? How could I match the remote username with the local ones? What is your best practice for handling external contractors' access to your systems? All the best, Bazsi

Help! ACS, v11.6, variable substitution for multiple user roles in multiple partitions?
v11.6 allows multiple roles per account as long as they are assigned to different partitions. What is the recommended configuration for LTM v11.6 and ACS 5.2 to support variable substitution for complex RBAC assignments? For instance, UserA in AD who is a member of AD groups 'F5 Operator' and 'F5 Certs' can log in and have Manager access to PartitionA and Certificate Manager access to Common.

Lock out from Big IP after setting up Tacacs+
Is there any way to remove the tacacs+ configuration from single user mode or roll back to local authentication mode? We have lost root as well as admin access to the devices immediately after configuring tacacs+. The config synced to the standby pair and locked us out completely. We have attempted to reset the root password using single user mode but in vain. We don't even see any hits on Cisco ACS from F5. We are using version 11.6.0. Any ideas and advice are appreciated.
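An added illustration, not code from any of the posts above and not F5's implementation, for the attribute-string question in the "Configuring TACACS v4.2 with F5 Remote Role Groups" thread and the sync-and-lockout scenario in the "Lock out from Big IP" thread: a small Python model of how the AVPs a TACACS+ server returns are matched against BIG-IP remote role group attribute strings, so a mapping can be sanity-checked offline before the change is synced to a device pair. The matching semantics (a group matches when its attribute string equals one returned name=value argument; lowest line order wins), the sample AVPs, the group table and the F5-LTM-User-Role number table are all assumptions made for the example; verify the role numbers against the F5 documentation for your release.

```python
"""Offline model of matching TACACS+ authorization AVPs to BIG-IP remote
role groups.  Added example, not F5 code.  Assumed semantics: a group
matches when its attribute string equals one returned name=value argument,
and the lowest line order wins.  The role numbers are quoted from memory
of the F5 KB and must be verified for your version."""
import re

# RFC 8907 argument syntax: '=' marks a mandatory argument, '*' an optional one.
AVP_RE = re.compile(r"^\s*([^=*]+?)\s*([=*])\s*(.*?)\s*$")

# Assumed F5-LTM-User-Role values (verify against F5 documentation).
F5_ROLE_NUMBERS = {
    "0": "Administrator", "20": "Resource Administrator", "100": "User Manager",
    "300": "Manager", "400": "Application Editor", "500": "Operator",
    "700": "Guest", "800": "Auditor", "900": "No Access",
}

# Constructed sample of what an ACS/ISE shell profile might return, with the
# spaces around '=' written the way the thread shows them typed into ACS.
SAMPLE_REPLY_AVPS = [
    "F5-LTM-User-Info-1 = adm",
    "F5-LTM-User-Console = 1",
    "F5-LTM-User-Role*0",       # optional argument, '*' separator
]

# Constructed BIG-IP remote role group table; attribute strings as they would
# be typed on the BIG-IP side, without spaces.
REMOTE_ROLE_GROUPS = [
    {"name": "f5_admins", "line_order": 10,
     "attribute": "F5-LTM-User-Info-1=adm", "role": "administrator"},
    {"name": "f5_ops", "line_order": 20,
     "attribute": "F5-LTM-User-Info-1=ops", "role": "operator"},
]


def parse_avp(raw):
    """Split one TACACS+ argument into (name, value, mandatory)."""
    m = AVP_RE.match(raw)
    if not m:
        raise ValueError(f"not a TACACS+ argument: {raw!r}")
    name, sep, value = m.groups()
    return name, value, sep == "="


def match_role_group(avps, groups, strict=True):
    """Return the name of the first matching group (by line order) or None.

    strict=True compares the raw strings byte for byte, which is how a
    whitespace or case mismatch between the server profile and the BIG-IP
    attribute string surfaces as 'user is not authenticating'.
    strict=False compares after parsing, i.e. the lenient behaviour that
    a correctly written server profile should never need."""
    for group in sorted(groups, key=lambda g: g["line_order"]):
        if strict:
            if group["attribute"] in avps:
                return group["name"]
        else:
            want = parse_avp(group["attribute"])[:2]
            if any(parse_avp(a)[:2] == want for a in avps):
                return group["name"]
    return None


def role_from_avps(avps):
    """Resolve F5-LTM-User-Role to a role name, or None if absent or unknown."""
    for raw in avps:
        name, value, _ = parse_avp(raw)
        if name == "F5-LTM-User-Role":
            return F5_ROLE_NUMBERS.get(value)
    return None


def preflight(avps, groups):
    """Summary to run before syncing a TACACS+ change to a pair: if nothing
    matches strictly, expect remote logins to land in no usable role."""
    return {
        "strict_match": match_role_group(avps, groups, strict=True),
        "lenient_match": match_role_group(avps, groups, strict=False),
        "role_attr": role_from_avps(avps),
        "mandatory_args": [parse_avp(a)[0] for a in avps if parse_avp(a)[2]],
    }


if __name__ == "__main__":
    print(preflight(SAMPLE_REPLY_AVPS, REMOTE_ROLE_GROUPS))
```

With the constructed sample the strict comparison finds no group while the lenient one finds f5_admins, which is the kind of discrepancy worth catching on the server profile before the configuration is synced to the standby unit and both devices reject the only remaining credentials.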