Remote authorization for LDAP was first introduced in version 9.4.  In v10 the feature has been expanded to include RADIUS and TACACS+.  In this article, I'll walk through the TACACS+ server configuration and the remoterole configuration on the BIG-IP required to get remote authorization working.

Remote Roles

Before we get to the configuration steps, we need to look at the remoterole requirements.  There are two approaches you can take.  You can configure all the roles locally on the BIG-IP and have the server pass only a group attribute, or you can configure all the roles remotely and have the server pass the group and the role attributes in the authorization reply.  The attributes you can pass are role, partition, and console access.  By default, the role is No Access, the partition is All, and console access is disabled.  Those defaults are applied to the Other External Users account the system creates when you enable a remote authentication server, so if you don't specify a remoterole configuration, every externally authenticated user without a local account on the BIG-IP receives those parameters.

In v10, specifying the remoterole lets you group external users into locally significant roles and partitions without defining each user on the system.  This is a tremendous help to system administrators, particularly in large installations where many BIG-IPs and many users would otherwise mean many hours of data entry.  The attributes are passed in these variables:

  • F5-LTM-User-Info-1 -- Group Name, user defined
  • F5-LTM-User-Role
    • 0 - Administrator
    • 20 - Resource Administrator
    • 40 - User Manager
    • 100 - Manager
    • 300 - Application Editor
    • 400 - Operator
    • 700 - Guest
    • 800 - Application Security Policy Editor
    • 900 - None
  • F5-LTM-User-Partition
    • All
    • Common
    • User Defined
  • F5-LTM-User-Console
    • 0 - Disabled
    • 1 - Enabled

Given that information, we'll use this group/attribute map for our configuration:

BIG-IP RemoteRole Attributes

  Group Name   Role                 Partition   Console Access   Attribute Location
  adm          Administrator        All         yes              BIG-IP
  appEd        Application Editor   Common      no               TACACS+ Server
  userMgr      User Manager         p1          no               BIG-IP
  ops          Operator             p2          yes              TACACS+ Server

So following the recommendations in the implementation guide, we can configure the settings in the above table via bigpipe:

b remoterole role info adm '{
      attribute "F5-LTM-User-Info-1=adm"
      role administrator
      user partition all
      console enable
      deny disable
      line order 1
}'
b remoterole role info appEd '{
      attribute "F5-LTM-User-Info-1=appEd"
      role "%F5-LTM-User-Role"
      user partition "%F5-LTM-User-Partition"
      console "%F5-LTM-User-Console"
      deny disable
      line order 2
}'
b remoterole role info userMgr '{
      attribute "F5-LTM-User-Info-1=userMgr"
      role manager
      user partition p1
      console disable
      deny disable
      line order 3
}'
b remoterole role info ops '{
      attribute "F5-LTM-User-Info-1=ops"
      role "%F5-LTM-User-Role"
      user partition "%F5-LTM-User-Partition"
      console "%F5-LTM-User-Console"
      deny disable
      line order 4
}'

You'll notice that the userMgr stanza above sets role manager.  We really want the User Manager role, but the command cannot at present handle multi-word role names, so you'll need to edit bigip.conf manually to change the role to user manager and then save the configuration.  Until you do, members of that group land in the Manager role rather than User Manager, so verify the change took effect before relying on it.  Now we can move on to the TACACS+ server.

TACACS+ Installation

I first used the tac_plus daemon from Shrubbery Networks about ten years ago.  I'm not sure how much it has changed since, but it's light and simple, so it will be perfect for this demonstration.  Once you've downloaded the tarball and moved it into place on your favorite Linux distro (I'm using Ubuntu), you can extract the files, configure, and install.  I'm assuming you have the necessary build tools in place to compile.

  • tar xvfz /var/tmp/tacacs+-F4.0.4.18.tar.gz
  • cd /var/tmp/tacacs+-F4.0.4.18
  • ./configure --without-libwrap
  • make
  • make install

I had a problem with TCP wrappers on this Ubuntu VM, so I just configured without them.  Note that building without libwrap means the daemon won't consult /etc/hosts.allow and /etc/hosts.deny, so restrict access to TCP port 49 some other way (a host firewall rule, for example).  This puts the tac_plus binary in /usr/local/bin/.  Excellent!  Now we can configure.

TACACS+ Configuration

I added user1, user2, user3, and user4 to the Ubuntu server and set their passwords.  We'll configure tac_plus to check credentials against the system password file.  We'll also set the shared key the BIG-IP will use when it reaches out (all of the following lines go in /var/tmp/tac_plus.conf).  Use a long random key in a real deployment: the TACACS+ body obfuscation is a keyed MD5 XOR, not encryption, and the shared key is all that protects the exchange.

key = "pcloadletter"
default authentication = file /etc/passwd

Now we'll configure the groups.  Notice that the adm and userMgr stanzas are much shorter: their role, partition and console settings live on the BIG-IP, so the server only needs to return the group name.

group = adm {
   service = ppp protocol = ip {
      F5-LTM-User-Info-1 = adm
   }
}
group = appEd {
   service = ppp protocol = ip {
      F5-LTM-User-Info-1 = appEd
      F5-LTM-User-Console = 0
      F5-LTM-User-Role = 300
      F5-LTM-User-Partition = Common
   }
}
group = userMgr {
   service = ppp protocol = ip {
      F5-LTM-User-Info-1 = userMgr
   }
}
group = ops {
   service = ppp protocol = ip {
      F5-LTM-User-Info-1 = ops
      F5-LTM-User-Console = 1
      F5-LTM-User-Role = 400
      F5-LTM-User-Partition = p2
   }
}

Finally, we'll map the users to the groups they belong to:

user = user1 {
   member = adm
}
user = user2 {
   member = appEd
}
user = user3 {
   member = userMgr
}
user = user4 {
   member = ops
}

And that's it on the server side for configuration.  Start the daemon (tac_plus -C /var/tmp/tac_plus.conf), and we can go back to the BIG-IP to configure the remote server.
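Before pointing the BIG-IP at the server, it's worth checking what the daemon actually hands back for each user, and that the F5-LTM-* attribute names and role codes from the list above come through exactly as the remoterole expects.  The script below is an added example (mine, not code from this article, from F5 or from the tac_plus project) that speaks the TACACS+ authorization exchange from RFC 8907: it builds the request a client sends for service=ppp protocol=ip, applies the MD5 pseudo-pad obfuscation with the shared key, and decodes the attribute-value pairs in the reply into the group, role, partition and console settings the BIG-IP will see.  The server address 10.10.20.250, the session id, the "ssh" port name, the client address and the constructed reply for the appEd group are assumptions; the key and attribute names are the ones from the configuration above.  It also assumes tac_plus will answer an authorization request without a preceding authentication on the same session.

```python
import hashlib
import socket
import struct

# Protocol constants are from RFC 8907; the host, session id, port name and sample reply are assumptions.
TAC_PLUS_VERSION = 0xC0                 # major version 12, minor 0
TAC_PLUS_AUTHOR = 0x02                  # packet type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_PPP = 0x03          # the "service ppp" the BIG-IP is configured to send
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, body length
ROLE_CODES = {0: "Administrator", 20: "Resource Administrator", 40: "User Manager", 100: "Manager",
              300: "Application Editor", 400: "Operator", 700: "Guest",
              800: "Application Security Policy Editor", 900: "None"}   # from the article's list


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no and the previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """XOR the body with the pad. Symmetric, so the same call de-obfuscates. This is not encryption."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def wrap_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHOR):
    """Prepend the 12-byte header and obfuscate the body with the shared key."""
    hdr = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)

def unwrap_packet(packet, key):
    """Return (header tuple, clear body); the pad uses the version and seq_no carried in the header."""
    hdr = HEADER.unpack(packet[:HEADER.size])
    version, _ptype, seq_no, _flags, session_id, length = hdr
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("header says %d body bytes, got %d" % (length, len(body)))
    return hdr, obfuscate(body, session_id, key, seq_no, version)

def build_author_request(user, args, port="ssh", rem_addr="10.10.20.1"):
    """Authorization REQUEST body (section 6.1); args are 'attr=value' strings such as service=ppp."""
    fields = [s.encode() for s in (user, port, rem_addr)]
    arg_b = [a.encode() for a in args]
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_METH_TACACSPLUS, 0, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_PPP, len(fields[0]), len(fields[1]), len(fields[2]), len(arg_b))
    return fixed + bytes(len(a) for a in arg_b) + b"".join(fields) + b"".join(arg_b)

def build_author_reply(status, args, server_msg=b""):
    """Authorization REPLY body (section 6.2), i.e. what tac_plus returns for a matching group."""
    arg_b = [a.encode() for a in args]
    fixed = struct.pack("!BBHH", status, len(arg_b), len(server_msg), 0)
    return fixed + bytes(len(a) for a in arg_b) + server_msg + b"".join(arg_b)

def parse_author_reply(body):
    """Return (status name, server_msg, {attr: value}); '=' marks a mandatory AV pair, '*' an optional one."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    server_msg = body[off:off + msg_len].decode()
    off += msg_len + data_len
    avpairs = {}
    for n in arg_lens:
        av = body[off:off + n].decode()
        off += n
        attr, _, value = av.partition("=" if "=" in av else "*")
        avpairs[attr] = value
    return AUTHOR_STATUS.get(status, hex(status)), server_msg, avpairs

def describe_bigip_attrs(avpairs):
    """Map the F5-LTM-* AV pairs onto what the remoterole will see (None where the server sent nothing)."""
    role = avpairs.get("F5-LTM-User-Role")
    return {"group": avpairs.get("F5-LTM-User-Info-1"),
            "role": ROLE_CODES.get(int(role)) if role is not None else None,
            "partition": avpairs.get("F5-LTM-User-Partition"),
            "console": {"0": "disabled", "1": "enabled"}.get(avpairs.get("F5-LTM-User-Console"))}

def recv_exact(sock, n):
    """Read exactly n bytes or raise; TCP may deliver the reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-reply")
        buf += chunk
    return buf

def authorize(host, key, user, args=("service=ppp", "protocol=ip"), port=49, session_id=0x1234ABCD):
    """Ask a live tac_plus what it would hand the BIG-IP for this user (network call, not run offline)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(wrap_packet(build_author_request(user, args), session_id, key, 1))
        hdr = recv_exact(s, HEADER.size)
        body = recv_exact(s, HEADER.unpack(hdr)[5])
    return parse_author_reply(unwrap_packet(hdr + body, key)[1])

if __name__ == "__main__":   # offline demo: decode a constructed reply for the appEd group
    reply = build_author_reply(0x01, ["F5-LTM-User-Info-1=appEd", "F5-LTM-User-Console=0",
                                      "F5-LTM-User-Role=300", "F5-LTM-User-Partition=Common"])
    print(describe_bigip_attrs(parse_author_reply(reply)[2]))   # live: authorize("10.10.20.250", b"pcloadletter", "user2")
```

Run it against the daemon with authorize("10.10.20.250", b"pcloadletter", "user2") and you should get PASS_ADD with the four F5-LTM-* pairs from the appEd group; user1 should come back with only F5-LTM-User-Info-1=adm, since that group's role lives on the BIG-IP.  A wrong key doesn't produce an error, just garbage after de-obfuscation, which is why the status decode is worth looking at before trusting the attributes.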

Configure the BIG-IP User Authentication

You can do this via bigpipe, tmsh, or the XUI.  Since the remoterole configuration can only be done in bigpipe at this time, we'll stick with it.  The secret must match the key in tac_plus.conf, and debug enable is there only to help with the initial test; turn it off once logins work.

  • b auth tacacs system-auth { debug enable secret pcloadletter service ppp protocol ip servers 10.10.20.250 }
  • b system auth source type tacacs

This should do it!  Now, the test!

XUI:

[screenshot]

SSH:

[screenshot]

* Notes: All remoterole SSH sessions land in the bigpipe shell.  If you have Administrator access, you can hop out to the bash shell by typing !/bin/bash.  Also, if you upgraded to v10 instead of doing a clean install, it's possible that the sshd PAM configuration is not correct.  Verify that the lines in /config/bigip/auth/pam.d/sshd are in this order, and in particular that the account stack includes pam_bigip_authz.so:

#%PAM-1.0
auth required pam_audit.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_audit.so
account required pam_stack.so service=system-auth
account required pam_bigip_authz.so

password required pam_audit.so
password required pam_stack.so service=system-auth
session required pam_audit.so
session required pam_stack.so service=system-auth
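As a quick check that an upgraded box's sshd PAM stack matches the ordering above, here is an added example (mine, not from the article or from F5) that parses a pam.d file and reports any stack whose modules are missing or out of order, any pam_stack.so line that lacks service=system-auth, and any control other than required.  The file contents embedded in it are constructed from the listing above; on a BIG-IP you would feed it the text of /config/bigip/auth/pam.d/sshd instead.

```python
# Expected /config/bigip/auth/pam.d/sshd entries from the article, as (type, control, module)
EXPECTED_SSHD_PAM = [
    ("auth", "required", "pam_audit.so"),
    ("auth", "required", "pam_stack.so"),
    ("auth", "required", "pam_nologin.so"),
    ("account", "required", "pam_audit.so"),
    ("account", "required", "pam_stack.so"),
    ("account", "required", "pam_bigip_authz.so"),
    ("password", "required", "pam_audit.so"),
    ("password", "required", "pam_stack.so"),
    ("session", "required", "pam_audit.so"),
    ("session", "required", "pam_stack.so"),
]

# Constructed sample: the article's listing verbatim (the real file is read from disk on the BIG-IP)
GOOD_SSHD_PAM = """\
#%PAM-1.0
auth required pam_audit.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_audit.so
account required pam_stack.so service=system-auth
account required pam_bigip_authz.so

password required pam_audit.so
password required pam_stack.so service=system-auth
session required pam_audit.so
session required pam_stack.so service=system-auth
"""


def parse_pam(text):
    """Return (type, control, module, [args]) per active line; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % line)
        entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def check_sshd_pam(text, expected=EXPECTED_SSHD_PAM):
    """Compare each stack's module order against expected; return a list of problems (empty means OK)."""
    problems = []
    actual = parse_pam(text)
    for ptype in ("auth", "account", "password", "session"):
        want = [m for t, c, m in expected if t == ptype]
        got = [m for t, c, m, a in actual if t == ptype]
        if got != want:
            problems.append("%s stack is %s, expected %s" % (ptype, got, want))
    for t, c, m, args in actual:
        # every pam_stack.so line in the article's listing carries service=system-auth
        if m == "pam_stack.so" and "service=system-auth" not in args:
            problems.append("%s pam_stack.so lacks service=system-auth" % t)
        if c != "required":
            problems.append("%s %s uses control %r, expected 'required'" % (t, m, c))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_SSHD_PAM
    for problem in check_sshd_pam(text) or ["sshd PAM stack matches the expected order"]:
        print(problem)
```

Run it with the path to the sshd file as the only argument; with no argument it checks the embedded sample and reports a match.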

  
