v.10 - Remote Authorization via TACACS+ > DevCentral

Current Articles | Categories | Search | Syndication

Monday, May 18, 2009 8:30 AM

v.10 - Remote Authorization via TACACS+

by Jason Rahm - 18704 views

Remote authorization for ldap was first introduced in version 9.4. Now, however, in v10, the feature has been expanded to include radius and tacacs+. In this article, I'll walk through the tacacs+ server configuration and the remoterole configuration on the BIG-IP required to get remote authorization working.

Remote Roles

Before we get to the configuration steps, we need to look at the remoterole requirements. There are two approaches you can take. You can configure all the roles locally on the BIG-IP and pass only a group attribute, or you can configure all the roles remotely and pass the group and the role attributes in the authorization. The attributes you can pass are role, partition, and console access. By default, the role is no access, the partition is all, and the console access is disabled. This parameter list is applied against the Other External Users user created by the system when you enable a remote authentication server. If you don't specify a remoterole configuration, all users authenticated externally that do not have an account locally on the BIG-IP will receive those paramaters. Now in v.10, specifying the remoterole allows you to group external users into locally significant roles and partitions so you don't have to define them on the system. This is a tremendous help to the system administrators, particularly in large installations where many BIG-IPs and many users leads to many man hours of data entry. The attributes will be passed in these variables:

F5-LTM-User-Info-1 -- Group Name, user defined
F5-LTM-User-Role
- 0 - Administrator
- 20 - Resource Administrator
- 40 - User Manager
- 100 - Manager
- 300 - Application Editor
- 400 - Operator
- 700 - Guest
- 800 - Application Security Policy Editor
- 900 - None
F5-LTM-User-Partition
- All
- Common
- User Defined
F5-LTM-User-Console
- 0 - Disabled
- 1 - Enabled

Given that information, we'll use this group/attribute map for our configuration:

BIG-IP RemoteRole Attributes
Group Name	Role	Partition	Console Access	Attribute Location
adm	Administrator	All	yes	BIG-IP
appEd	Application Editor	Common	no	TACACS+ Server
userMgr	User Manager	p1	no	BIG-IP
ops	Operator	p2	yes	TACACS+ Server

So following the recommendations here in the implementations guide, we can configure the settings in the above table via bigpipe:

b remoterole role info adm '{
     attribute "F5-LTM-User-Info-1=adm"
      role administrator
      user partition all
      console enable
      deny disable
      line order 1
}'
b remoterole role info appEd '{
      attribute "F5-LTM-User-Info-1=appEd"
      role "%F5-LTM-User-Role"
      user partition "%F5-LTM-User-Partition"
      console "%F5-LTM-User-Console"
      deny disable
      line order 2
}'
b remoterole role info userMgr '{
      attribute "F5-LTM-User-Info-1=userMgr"
      role manager
      user partition p1
      console disable
      deny disable
      line order 3
}'
b remoterole role info ops '{
      attribute "F5-LTM-User-Info-1=ops"
      role "%F5-LTM-User-Role"
      user partition "%F5-LTM-User-Partition"
      console "%F5-LTM-User-Console"
      deny disable
      line order 4
}'

You'll notice above that I highlighted the role manager under the userMgr group. This is because we really want the user manager role, but the command cannot at present handle the multiple word roles, so you'll need to edit the bigip.conf manually to change the role to user manager and then save. Now we can move on to the TACACS+ server.

TACACS+ Installation

I first used the tac_plus daemon from Shrubbery Networks about ten years ago. Not sure if it's changed much, but it's light and simple, so it will be perfect for this demonstration. Once downloaded and moved into place on your favorite linux distro (I'm using Ubuntu) you can extract the files, configure, and install. I'm assuming you have all the necessary tools in place to compile.

tar xvfz /var/tmp/tacacs+-F4.0.4.18.tar.gz
cd /var/tmp/tacacs+-F4.0.4.18
./configure --without-libwrap
make
make install

I had a problem with tcp wrappers on this Ubuntu vm, so I just configured without. This puts the tac_plus binary in /usr/local/bin/. Excellent! Now we can configure.

TACACS+ Configuration

I added user1, user2, user3, & user4 to the Ubuntu server and set their passwords. We'll configure tacacs to grab the credentials from the system. We'll also set the key for the BIG-IP to reach out with (all lines in /var/tmp/tac_plus.conf):

key = "pcloadletter"
default authentication = file /etc/passwd

Now, we'll configure the groups. Notice that the adm and userMgr configurations are much shorter. This is because the role attributes are configured on the BIG-IP.

group = adm {
   service = ppp protocol = ip {
      F5-LTM-User-Info-1 = adm
   }
}
group = appEd {
   service = ppp protocol = ip {
      F5-LTM-User-Info-1 = appEd
      F5-LTM-User-Console = 0
      F5-LTM-User-Role = 300
      F5-LTM-User-Partition = Common
   }
}
group = userMgr {
   service = ppp protocol = ip {
      F5-LTM-User-Info-1 = userMgr
   }
}
group = ops {
   service = ppp protocol = ip {
      F5-LTM-User-Info-1 = ops
      F5-LTM-User-Console = 1
      F5-LTM-User-Role = 400
      F5-LTM-User-Partition = p2
   }
}

Finally, we'll map the users to the groups they belong to:

user = user1 {
   member = adm
}
user = user2 {
   member = appEd
}
user = user3 {
   member = userMgr
}
user = user4 {
   member = ops
}

And that's it on the server side for configuration. Start the daemon (tac_plus -C /var/tmp/tac_plus.conf), and we can go back to the BIG-IP to configure the remote server.

Configure the BIG-IP User Authentication

You can do this via bigpipe, tmsh, or the XUI. Since the remoterole configuration can only be done in bigpipe at this time, we'll stick with it.

b auth tacacs system-auth { debug enable secret pcloadletter service ppp protocol ip servers 10.10.20.250 }
b system auth source type tacacs

This should do it! Now, the test!

XUI:

20090602-v10_remoterole_xui

SSH:

20090602-v10_remoterole_ssh

* Notes: All remoterole ssh sessions will land in the bigpipe shell. If you have administrator access, you can hop out to the bash shell by typing !/bin/bash. Also, if you upgraded to v10 instead of a clean install, it's possible that the sshd auth parameters are not correct. You'll need to verify that the lines in /config/bigip/auth/pam.d/sshd are in this order:

#%PAM-1.0
auth required pam_audit.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_audit.so
account required pam_stack.so service=system-auth
account required pam_bigip_authz.so
password required pam_audit.so
password required pam_stack.so service=system-auth
session required pam_audit.so
session required pam_stack.so service=system-auth

Get the Flash Player to see this player.

20090602-v10_RemoteAuthorization.mp3

Posted In: DevCentral, BIG-IP, Development, Access Control, Tech Tips, Video, Audio, Jason Rahm, GTM, LTM, v.10, Management, Advanced

Rate This Article: 12345

COMMENTS

posted @ Thursday, July 09, 2009 5:27 AM by Manuel

Thank you.
I'm trying to do this witch CiscoSecureACS
Have you done it?
Do I have to create as vendor specific attributes?

F5-LTM-User-Info-1
F5-LTM-User-Role
F5-LTM-User-Partition
F5-LTM-User-Console

posted @ Thursday, July 16, 2009 11:40 AM by redcats

Good stuff. I just tested this on our newly upgraded 3600 (v9.4.6 to v10.0.1), and it worked as expected.

We use CiscoSecureACS for tacacs+ authentication. There were existing groups with different definitions in the TACACS+ settings for PPP IP configuration. I had to add a custom attribute in that section to make it work.

Moreover, I think by reading the original post, I unintentionally overlooked the phrase "in this order" in the notes, and thought I had all the lines needed, being unaware that it is the ORDER of lines that makes a difference.

account required pam_stack.so service=system-auth
account required pam_bigip_authz.so

But here is something interesting:
This remote authentication does not work if you ssh into the peer from one box in the HA pair without explicitly specifying the username, even though ssh assumes the same username when not specified.

[abc@ltm01:Active] config # ssh peer
Password:
Password:
Password:

[abc@ltm01:Active] config # ssh -l abc peer
Password:
Last login: Thu Jul 16 18:38:50 2009 from 3.3.3.6
bp>exit

Does anyone have the same experience? Is this a bug that needs to be fixed, or it is just a security feature that prevented this from happening.

cheers.

posted @ Thursday, July 16, 2009 11:47 AM by Jason Rahm

Glad to hear it!

With regards to the change in behavior with ssh, I'd follow up with a case to support to get clarification on the desired behavior, and whether or not this is something that needs to be addressed. Post back if you get a response that will benefit the community!

Oh, and the top poster also had some questions on getting it to work with ACS, perhaps you could post back your steps for ACS?

posted @ Thursday, July 16, 2009 12:36 PM by redcats

Good idea with opening a case with F5. I'll post back when I get an answer.

Regarding the actual steps taken on the CiscoSecureACS, I basically just followed the implementation guide and your examples, except that I do not need to install a TACACS+ server.

Here is a snapshot of what I put in place.

1. On F5 boxes, enable TACACS+ remote authentication. We did not create any local users and simply used remote group definitions on ACS server.

Servers x.x.x.x
Secret: xxxx
Encryption Enabled
Service Name ppp
Protocol Name ip
Authentication Authenticate to first server
Accounting Information Send to first available server
Debug Logging Enabled
External Users
Role No Access
Partition Access All
Terminal Access Disabled

2. Login to each box via SSH using root or admin and add the remoteroles:

b remoterole role info Netadm '{
attribute "F5-LTM-User-Info-1=Netadm"
role administrator
user partition all
console enable
deny disable
line order 1
}'
b remoterole role info ECOps '{
attribute "F5-LTM-User-Info-1=Ops"
role operator
user partition all
console disable
deny disable
line order 2
}'

Make sure your /config/bigip/auth/pam.d/sshd file entries are in correct order according to the note in the original post.

3. On ACS server, I modified the existing group Netadm and Ops configurations. You can add the F5 devices under Network Configuration in the correct Network Device Group, make sure the key matches the secret speficied in the TACACS+ authentication section above, choose TACACS+ (CISCO IOS) from Authenticate Using dropdown list and check Single Connect TACACS+ AAA Client.

-Under Group Setup/Edit Settings/TACACS+ Settings
check "PPP IP" and Custom Attributes, add:

F5-LTM-User-Info-1=Netadm

change Netadm to whatever group name you are editing. And you can apply NAR to the group for F5 devices as needed for IP access control.

Restart service and Bingo!

posted @ Thursday, July 16, 2009 12:39 PM by redcats

Correction:

b remoterole role info Netadm '{
attribute "F5-LTM-User-Info-1=Netadm"
role administrator
user partition all
console enable
deny disable
line order 1
}'

b remoterole role info Ops '{
attribute "F5-LTM-User-Info-1=Ops"
role operator
user partition all
console disable
deny disable
line order 2
}'

posted @ Thursday, December 10, 2009 4:19 PM by raj

Is it possible to give a user to access multiple partitions instead of all/common partitions ?

posted @ Tuesday, December 15, 2009 8:46 AM by Jason Rahm

@rajesh161, not currently. you can assign one or all. You can open a case a request the feature.

posted @ Monday, February 01, 2010 6:26 AM by chen Jun

Very good documents!

I would like to add in one more point, for LTM tacacs+ configuration, matching on service name is very important. Personally I would recommend to use a customized service name.

The customized service name can be configured in Cisco ACS, under
Interface Options --> Tacacs + (Cisco Options) --> New Services. Once that is configured, you are able to enable it in group, and able add custom attribute for that service.

The following LTM config is using customized service name called "system"

auth tacacs system-auth {
secret "password"
service "system" <<<<<<
protocol "ip"
servers "172.28.26.75"
}

posted @ Monday, February 01, 2010 9:17 PM by chen Jun

Here is on of my sample config, which only require only one remoterole config in LTM.

remoterole {
role info F5_Test {
attribute "F5-LTM-Host=4500ltm1"
console "%F5-LTM-User-Console"
deny disable
line order 1
role "%F5-LTM-User-Role"
user partition "%F5-LTM-User-Partition"
}
}

The custom attribute I used in Group setting of Cisco ACS is listed below:

F5-LTM-Host=4500ltm1
F5-LTM-User-Role=administrator
F5-LTM-User-Partition=Common
F5-LTM-User-Console=tmsh

The first one F5-LTM-Host is used to match remoterole in LTM, and rest arel attribute that will be returned by Cisco ACS.

So what you could do is to configure only one remoterole in LTM, but create multiple groups in Cisco ACS with different value for custom attribute, then create different users in ACS, and assign those users to different group.

When user login, as long as F5-LTM-Host is matched, the attribute will be returned to LTM once login success, user access rights will be then be enforced.

The last one F5-LTM-User-Console is to determine which shell for user. The value could be disable, enable, tmsh, or bpsh. If enable or bpsh is used, then console access will be bigpipe shell; if tmsh is used, the console access will be tmsh shell, tmsh shell is better.

posted @ Friday, March 19, 2010 6:43 AM by Troy Piper

We are having a problem getting remoterole to work with Cisco ACS v4.2 using RADIUS. When authenticating the attribute match never appears to happen and the user is logged in with the default credentials set in the GUI. I wondering if the syntax for attribute match is correct for RADIUS?

We have the atributes configured
[User Defined Vendor]
Name=F5
IETF Code=3375
VSA 1=F5-LTM-User-Info-1
VSA 2=F5-LTM-User-Role
VSA 3=F5-LTM-User-Partition
VSA 4=F5-LTM-User-Console

[F5-LTM-User-Info-1]
Type=STRING
Profile=OUT

[F5-LTM-User-Role]
Type=INTEGER
Profile=OUT
Enums=F5-User-Roles

[F5-User-Roles]
0=Administrator
20=Resource Administrator
40=User Manager
100=Manager
300=Application Editor
400=Operator
700=Guest
800=Application Security Policy Editor
900=None

[F5-LTM-User-Partition]
Type=String
Profile=OUT

[F5-LTM-User-Console]
Type=INTEGER
Profile=OUT
Enums=F5-Console-Opts

[F5-Console-Opts]
0=Disable
1=Enable

On the LTM we have
[root@F5-inside-1600:Active] config # b remoterole list
remoterole {
role info {
testing {
attribute "F5-LTM-User-Info-1=UserRole"
console "tmsh"
line order 20
role "administrator"
user partition "all"
}
}
}

Here are the Attribute Value Pairs the ACS server is returning as seen in a packet capture duing authentication.

0000 08 06 ff ff ff ff 1a 10 00 00 0d 2f 01 0a 55 73 .........../..Us
0010 65 72 52 6f 6c 65 1a 0c 00 00 0d 2f 02 06 00 00 erRole...../....
0020 02 bc 1a 19 00 00 0d 2f 03 13 49 6e 74 65 72 6e ......./..Intern
0030 65 74 2d 53 65 72 76 69 63 65 73 1a 0c 00 00 0d et-Services.....
0040 2f 04 06 00 00 00 00 /......

posted @ Wednesday, March 24, 2010 6:14 AM by chen Jun

The dictionary above is not correct. Below is what I have tested out, it works fine with Cisco ACS 4.2

[User Defined Vendor]

Name=F5
IETF Code=3375
Need Internal Length=TRUE
ID Length=1
VSA 1=F5-LTM-User-Role
VSA 2=F5-LTM-User-Role-Universal
VSA 3=F5-LTM-User-Partition
VSA 4=F5-LTM-User-Console
VSA 5=F5-LTM-User-Shell
VSA 10=F5-LTM-User-Context-1
VSA 11=F5-LTM-User-Context-2
VSA 12=F5-LTM-User-Info-1
VSA 13=F5-LTM-User-Info-2

RadiusExtensionPoints=EAP

[F5-LTM-User-Role]
Type=INTEGER
Profile=OUT
Enums=F5-User-Roles

[F5-User-Roles]
0=Administrator
20=Resource Administrator
40=User Manager
100=Manager
300=Application Editor
400=Operator
700=Guest
800=Application Security Policy Editor
900=None

[F5-LTM-User-Role-Universal]
Type=INTEGER
Profile=OUT
Enums=F5-LTM-User-Role-Universal-Opts

[F5-LTM-User-Role-Universal-Opts]
0=Disable
1=Enable

[F5-LTM-User-Partition]
Type=String
Profile=OUT

[F5-LTM-User-Console]
Type=INTEGER
Profile=OUT
Enums=F5-Console-Opts

[F5-Console-Opts]
0=Disable
1=Enable

[F5-LTM-User-Shell]
Type=String
Profile=OUT

[F5-LTM-User-Context-1]
Type=INTEGER
Profile=OUT

[F5-LTM-User-Context-2]
Type=INTEGER
Profile=OUT

[F5-LTM-User-Info-1]
Type=STRING
Profile=OUT

[F5-LTM-User-Info-2]
Type=STRING
Profile=OUT

The most important here is VSA number for those attribute.

Best regards,
CJ

posted @ Wednesday, March 24, 2010 7:00 AM by chen Jun

one more thing to add. %F5-LTM-User-Shell should be used for console. The F5-LTM-User-Shell is a string value, it can be put as disable, bpsh or tmsh in Cisco Acs. Below is configuration on F5

remoterole {
role info DC1 {
attribute "F5-LTM-User-Info-1=DC1"
console "%F5-LTM-User-Shell"
line order 1
role "%F5-LTM-User-Role"
user partition "%F5-LTM-User-Partition"
}
}

posted @ Wednesday, March 24, 2010 11:41 AM by Troy Piper

Thanks! that seems to be working much better for me.

posted @ Monday, December 20, 2010 11:08 AM by Justin Knox

fwiw, I had a little trouble with tac_plus compiling on Ubuntu as well. I installed the libwrap0-dev package via apt to resolve the error that I got when running ye olde ./configure:

sudo apt-get install libwrap0-dev

that ought to install the headers that Shrubbery's configure script is looking for. This was in addition to build-essential, bison, and flex.

posted @ Wednesday, February 02, 2011 8:46 AM by Tyler Ripley

Has anyone been able to get this to work with ACS 5? The group settings are different in ACS 5 and I can't seem to get LTM and ACS5 configured properly.

posted @ Thursday, April 07, 2011 7:56 AM by Jason

I have successfully configured Cisco ACS 5.1 with F5 BigIP LTM but want to know if Authorization is supported as well. Basically we would like to give some people access to only have the ability to run a few commands from tmsh. I was able to get a user to authenticate with TACACS+ and lock them into tmsh but having difficulty with permitting them to only run certain commands. Any ideas?

posted @ Thursday, April 07, 2011 8:00 AM by Jason Rahm

The authorization works, but is only as granular as the roles defined on the LTM that your ACS group/user profiles map to. Currently, there is no mechanism to restrict permissions within an LTM role.

posted @ Thursday, April 07, 2011 8:25 AM by Jason

Ok. So is there a way to modify the role(s) on the LTM to only allow a specific set of commands? What we want to do is give our NOC the ability to add IP's to a data-group we created that is referenced in an iRule. Example commands:

tmsh modify ltm data-group True-Client-IP-shunlist records add {x.x.x.x}
tmsh modify ltm data-group True-Client-IP-shunlist records delete {x.x.x.x}
tmsh list ltm data-group True-Client-IP-shunlist
quit

Basically don't want to give access to a shell with the ability to do more than what they are only required to do.

Also, is there any plans to support TACACS+ authorization in the future?

Thanks

posted @ Thursday, April 07, 2011 8:56 AM by Jason Rahm

No, you cannot currently modify a role. Open a case with support and request this functionality. If there is a current RFE, publish here so other customers can attach cases against it.

posted @ Tuesday, April 26, 2011 2:20 PM by Wintrode

Jason, I am trying to get this working with LDAP/AD instead of TACACS, are there any resources that list the supported attributes which can be used?

posted @ Tuesday, April 26, 2011 2:26 PM by Jason Rahm

I don't have any experience on ldap/ad with regards to remote auth. Maybe it's time for another article...

posted @ Tuesday, April 26, 2011 6:09 PM by Jason Rahm

Perhaps these solutions will help:

http://support.f5.com/kb/en-us/solutions/public/11000/000/sol11072.html?sr=14099474

http://support.f5.com/kb/en-us/solutions/public/10000/900/sol10929.html?sr=14099510

posted @ Tuesday, April 26, 2011 6:45 PM by Jason Rahm

This worked for me in a test tonight:

b remoterole '{
role info F5Admins {
attribute "memberOF=cn=grp-Admins,ou=Groups,dc=site,dc=com"
console "enable"
line order 1
role "administrator"
user partition "all"
}
}'
b load

I'll take screenshots and write this up tomorrow.

posted @ Wednesday, April 27, 2011 5:23 AM by Wintrode

They key for me was the attribute syntax. I was using what ldapsearch returned which was "memberOf: cn=yadda,ou=yadda,dc=yadda,dc=gov"

Once I corrected it to "memberof=cn=yadda,ou=yadda,dc=yadda,dc=gov"
Everything worked fine. To complicate matters I also had an escape character in my group name. Once I got that sorted, everything worked as it should.

The tough part is that the only real way top troubleshoot this was to tcpdump the LDAP traffic to see what was going on. Once I saw the lookup binding working correctly and the authentication bind, I figured it had to be something with the role definition. I wish there was an easier way to trouble shoot this level of authentication. The auth logs are pretty limited in what feedback they give you.

Thanks for the help.

posted @ Wednesday, April 27, 2011 9:13 AM by Jason Rahm

Similar write-up for Active Directory: http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086457/Remote-Authorization-via-Active-Directory.aspx

posted @ Thursday, August 18, 2011 1:59 PM by bherrick

We have multiple groups that we want to have no access, several groups that will have guest access, and one group that will get administrator access.

Currently, groups with no attribute or remote role definitions get put into the administrator role by default. This seems like the opposite of good default behavior.

Is it possible to create a default group that all users get put into if they have no F5 specific attributes in the TACACS response?

posted @ Thursday, August 18, 2011 2:11 PM by Jason Rahm

I set the default remote authorization to no access, but that was prior to remoterole configuration. What version do you have?

posted @ Thursday, August 18, 2011 2:27 PM by bherrick

That works.

I was able to find the setting in the GUI, is that set-able in the CLI? Did I miss something from the steps above?

posted @ Thursday, August 18, 2011 2:37 PM by bherrick

Got it:

bigpipe remote users default partition Common default role none remote console access disable

Thanks...

posted @ Friday, August 19, 2011 7:16 AM by Wintrode

Another option, if you want everyone else to have Read Only access would be to put a group as the last one in the line order that would have an attribute matched by everyone. The people that would need elevated priveleges would match one of the previous attributes and be granted access at that level, everyone else would fall to the final everyone group.

posted @ Wednesday, September 07, 2011 12:58 PM by Dan Ecott

I am interested to know if the configuration process changes when using the Viprion boxes. For example, with one management IP per blade, do we simply add all management IPs into the Cisco ACS side as clients with the same secret?

Thanks.

posted @ Wednesday, September 07, 2011 1:09 PM by Jason Rahm

I would think as long as ACS matches source and key it should be fine to approach it like that.

posted @ Tuesday, October 11, 2011 6:05 AM by bigbrother

Hi everybody

I use LTM 6900 with version 10.2.2. Is it possible to authenticate administrative user accounts via radius (windows 2008 radius) server?

best regards
bb

posted @ Tuesday, October 11, 2011 6:32 AM by bigbrother

Hi Everybody

I would like to authenticate users via Windows Radius server. Does somebody know how to do it?

best regards
bb

Only registered users may post comments.