LTM (v11.3) TACACS+ authentication - Cisco ACSv4.1

Question

Hi, I am trying to configure TACACS+ authentication on LTM v11.3 with a Cisco TACACS+ server ACSv4.1. Any references for any specific configuration required on LTM and Cisco ACS side? Some of the post say there is some separate service to be enabled in the Cisco ACS side, if so?&nbsp;
ON the LTM side i am configuring the following option under -&gt;System-&gt;users-&gt;Authentication Authentication User Directory -&gt; Remote-TACACS+ Configuration Servers -&gt; Secret -&gt; *** confirm secret -&gt; *** Encryption -&gt; Enabled Service Name -&gt; tacacs+ Protocoal Name -&gt; Authentication -&gt; Authenticate to each server until success Accounting Information -&gt; Send to all servers Debug logging -&gt; Enabled External Users Role -&gt; Administrator Terminal Access -&gt; Disable&nbsp;

cory_50405 · Answer

For the LTM, use protocol name 'ip' and service name 'ppp'.  We had to specify these parameters in order to get it to work.&nbsp;
For the ACS side, be sure to populate the custom attribute that matches up with the remote roles that you've created in LTM.  Remote role group name needs to match verbatim with the group configured in ACS.&nbsp;

karthik_kumaran · Answer

What should be given in th "Attribute String" field under "System ›› Users : Remote Role Groups" ? I am using Cisco ACS 4.1, where can i find this "Attribute String" configuration in ACS 4.1 ?

cory_50405 · Answer

The attribute string we use for device administrators looks like this:&nbsp;
F5-LTM-User-Info-1=adm&nbsp;
You can check out Jason's writeup on remote TACACS authorization here:&nbsp;
https://devcentral.f5.com/articles/v10-remote-authorization-via-tacacs-43.Uxca8oUgvZc&nbsp;
When we originally set this up, we were using ACS 4.2.  We've since migrated to 5.2, then to 5.3, so I don't have a 4.1 instance to check on, so I'll go by memory.  You specify the attribute per user group (or per user), and use the same attribute that you specified in the remote role group within the BIG IP.  I think you specify it in group attributes.  A guide from Cisco is here:&nbsp;
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/GrpMgt.htmlwp479948&nbsp;

karthik_kumaran · Answer

Thanks a lot. One more query. I already have a number of groups created in my Cisco ACS, and would want to use one among them in the F5 for "Remote Role Groups". The Jason's writeup that you provided link, mentions that the remote role groups need to be added in order. There is also a numbering of groups (starting from 0) in my Cisco ACS. In the "Line order" field in "Remote Role Groups" configuration, should I use the same Group number as in the ACS?

cory_50405 · Answer

The group number isn't critical, but the group name is. The remote role group must be named verbatim with the ACS group name. And the ACS group name cannot contain spaces, if I remember correctly.

Forum Discussion

LTM (v11.3) TACACS+ authentication - Cisco ACSv4.1

9 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

TACACS+ External Monitor (Python)

Doing mTLS Authentication per URL

Distributed caching of authentication requests with NGINX Ingress Controller

Application Programming Interface (API) Authentication types simplified