Forum Discussion

Cory_50405
Dec 22, 2011

remoterole and TACACS

Our organization has F5 LTMs deployed and we are trying to eliminate the need to define accounts local to the device. We currently have Cisco ACS servers configured with user accounts and we are trying to get the LTMs configured to pull authentication and authorization information from these ACS boxes.

We currently have this remoterole defined in our LTMs:

    role info adm {
        attribute "F5-LTM-User-Info-1=adm"
        role "administrator"
        console "enable"
        deny disable
        line order 1
        user partition "all"
    }

And this group created on our ACS server:

    "Full Access"

Under TACACS+ settings, we have the PPP IP option checked, and the custom attributes box checked with F5-LTM-User-Info-1=adm defined as a custom attribute.

Does the name of the ACS group need to match the role info name on the LTM? It doesn't appear the LTM will accept spaces as part of the role info name.

Thanks,
Cory

1 Reply

  • Hi Cory,

    The group name must be identical. I believe there was a bug (fixed in 10.2) with spaces in the attribute field:

    For details on remoterole options, you can check the Implementations Guide or 'b remoterole help':

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_mgmt_auth.html?sr=182930341025343

    But in a quick test on 10.2.2, I couldn't run a remoterole command with a space in it. You might try opening a case with Support on this if you haven't already, to check if spaces are allowed and how to use them if they are.

    Aaron
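The following is an added example, not code from the thread, from F5 or from Cisco: a small Python model of how a remoterole block like the one in the question turns the attribute a TACACS+ server returns into a role, console setting and partition. The "adm" entry is the one Cory posted; the "blocked" entry, the sample TACACS+ replies, and the matching rules the resolver applies (exact string comparison of the whole name=value pair against each entry's attribute, lowest line order evaluated first, deny enable refusing a matching user, no match falling back to no-access) are assumptions of this example about the platform's behaviour, written here so they can be checked against a real box.

```python
import shlex
from dataclasses import dataclass

# Constructed remoterole text in bigpipe (v10) syntax. "adm" is the entry from
# the question; "blocked" is added here, and is listed first on purpose so that
# ordering by 'line order' (assumed: lowest evaluated first) is visible.
REMOTEROLE_CONFIG = """
remoterole {
   role info blocked {
      attribute "F5-LTM-User-Info-1=blocked"
      role "administrator"
      console "enable"
      deny enable
      line order 2
      user partition "all"
   }
   role info adm {
      attribute "F5-LTM-User-Info-1=adm"
      role "administrator"
      console "enable"
      deny disable
      line order 1
      user partition "all"
   }
}
"""


@dataclass
class RoleInfo:
    name: str
    attribute: str   # the exact name=value pair expected from the TACACS+ server
    role: str
    console: bool
    deny: bool
    line_order: int
    partition: str


def parse_remoterole(text):
    """Parse the 'role info NAME { key value ... }' blocks, sorted by line order."""
    entries, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw)       # respects the double-quoted values
        if not tokens:
            continue
        if tokens[:2] == ["role", "info"] and tokens[-1] == "{":
            current = {"name": tokens[2]}
        elif tokens == ["}"] and current is not None:
            entries.append(RoleInfo(
                name=current["name"],
                attribute=current["attribute"],
                role=current["role"],
                console=current.get("console", "disable") == "enable",
                deny=current.get("deny", "disable") == "enable",
                line_order=int(current["line order"]),
                partition=current.get("user partition", "Common"),
            ))
            current = None
        elif current is not None:
            # multi-word keys ('line order', 'user partition'): last token is the value
            current[" ".join(tokens[:-1])] = tokens[-1]
    entries.sort(key=lambda e: e.line_order)   # assumption: lowest line order first
    return entries


def resolve(entries, av_pairs, default_role="no-access"):
    """Map the AV pairs of a TACACS+ authorization reply to (role, console, partition).

    Assumed semantics: exact match of the whole 'name=value' string against each
    entry's attribute, first match in line order wins, 'deny enable' refuses a
    matching user, and no match falls back to default_role without console access.
    """
    for entry in entries:
        if entry.attribute in av_pairs:
            if entry.deny:
                return ("no-access", False, None)
            return (entry.role, entry.console, entry.partition)
    return (default_role, False, None)


# Constructed TACACS+ authorization replies, i.e. the AV pairs an ACS custom
# attributes box would return for members of a group.
SAMPLE_REPLIES = {
    "cory":       ["F5-LTM-User-Info-1=adm", "priv-lvl=15"],
    "contractor": ["F5-LTM-User-Info-1=blocked"],
    "no_custom":  ["priv-lvl=15"],   # group without the custom attribute set
}

if __name__ == "__main__":
    roles = parse_remoterole(REMOTEROLE_CONFIG)
    for user, pairs in SAMPLE_REPLIES.items():
        print(f"{user:<11} -> {resolve(roles, pairs)}")
```

Because the comparison is a plain string match, a typo or a case difference between the attribute configured in ACS and the attribute line in the remoterole entry silently lands the user in the default role; comparing the two strings byte for byte is the first thing to check when a remote login gets less access than expected.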