Forum Discussion

gcave_213109
Jan 20, 2016

Dynamic Roles with TACACS+ 4.1 and LTM 11.5.3

I want to dynamically assign roles via vendor-specific attributes in TACACS+ 4.1. Here is how I set up 11.5.3:

(/Common)(tmos) list auth remote-role role-info
auth remote-role {
    role-info {
        DC1 {
            attribute F5-LTM-User-Info-1=DC1
            line-order 2
            role %F5-LTM-User-Role
            user-partition all
        }
    }
}

On the TACACS server, under TACACS ==> Groups ==> TACACS Settings ==> Custom attributes:

F5-LTM-User-Info-1=DC1
F5-LTM-User-Role=400

When I tail -f /var/log/secure I see the user getting assigned the administrator role.

Jan 19 21:48:54 dti-f5ve-bigip01 notice httpd[15771]: 01070417:5: AUDIT - user da_gxcave - RAW: httpd(mod_auth_pam): user=da_gxcave(da_gxcave) partition=[All] level=Administrator tty=/usr/bin/tmsh host=165.249.239.22 attempts=1 start="Tue Jan 19 21:35:45 2016" end="Tue Jan 19 21:48:54 2016"

Anyone have any insight into this?

6 Replies

  • anoop1

    Hi,

    With the above details it looks like you are trying to use the RADIUS dictionary of F5 to use the roles via TACACS+. Please define the remote roles as below.

    eg:
    auth remote-role {
        description none
        role-info {
            DeviceAdmins {
                attribute F5-LTM-User-Info-1=adm
                console tmsh
                deny disabled
                description none
                line-order 1
                role administrator
                user-partition All
            }
            f5-auditor {
                attribute f5role=manager
                console disable
                deny disabled
                description none
                line-order 2
                role manager
                user-partition All
            }
            f5-operator {
                attribute F5-LTM-User-Info-1=f5-operator
                console disable
                deny disabled
                description none
                line-order 3
                role operator
                user-partition partition2
            }
        }
    }

    The user-defined attribute and its value have to be sent from TACACS+ to associate it with a role.

    • gcave_213109
      Anoop, how does the user attribute on TACACS+ get mapped to a particular user? I believe what you are saying is that I should add all of the attributes to the TACACS+ group. How does it know that I am an administrator, operator, etc.? Since the remote users are built on TACACS+, am I missing something?
    • anoop1
      F5 does not consider the user info; it considers the attribute value to map the roles.
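The matching rule the reply describes (the BIG-IP walks its role-info entries in line-order and takes the first one whose attribute=value pair the TACACS+ server actually returned) is easy to get wrong, so here is a small model of it, written as an added illustration for this thread rather than code from F5 or either poster. It encodes both configurations from the thread (the poster's single `DC1` entry with `role %F5-LTM-User-Role`, and the three entries from the reply) and shows what the server must send for each to resolve. The `ROLE_CODES` table (numeric `F5-LTM-User-Role` values to role names), the `no-access` default when nothing matches, and the behaviour when the `%`-referenced attribute is absent are assumptions made for the model, not statements about the product.

```python
# Added illustration (not F5 code): a model of how a BIG-IP matches the
# attribute/value pairs returned by a remote TACACS+ (or RADIUS) server
# against its "auth remote-role" role-info entries, first match by line-order.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed: numeric F5-LTM-User-Role codes used with "role %F5-LTM-User-Role".
# Only a subset is listed; treat this table as an assumption of the model.
ROLE_CODES: Dict[str, str] = {
    "0": "administrator",
    "400": "operator",
    "500": "guest",
    "900": "no-access",
}


@dataclass(frozen=True)
class RoleInfo:
    """One role-info entry, mirroring the tmsh fields shown in the thread."""
    name: str
    attribute: str        # "Key=Value" that the remote server must return
    line_order: int
    role: str             # literal role, or "%Attr" to read the role from that attribute
    user_partition: str = "all"


def parse_av_pairs(pairs: Iterable[str]) -> Dict[str, str]:
    """Turn server-returned 'Key=Value' strings into a dict; malformed pairs are dropped."""
    attrs: Dict[str, str] = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep and key.strip():
            attrs[key.strip()] = value.strip()
    return attrs


def resolve_role(role_infos: List[RoleInfo], attrs: Dict[str, str],
                 default_role: str = "no-access") -> Tuple[Optional[str], str, str]:
    """Return (matched entry name, role, partition); no match yields the default role.

    Assumption of the model: when an entry uses "%Attr" and the server did not
    return that attribute (or returned a code not in ROLE_CODES), the entry
    cannot yield a role and the walk continues with the next line-order.
    """
    for info in sorted(role_infos, key=lambda r: r.line_order):
        key, _, expected = info.attribute.partition("=")
        if attrs.get(key) != expected:
            continue                      # this entry's attribute was not sent
        if info.role.startswith("%"):
            role = ROLE_CODES.get(attrs.get(info.role[1:], ""))
            if role is None:
                continue
            return info.name, role, info.user_partition
        return info.name, info.role, info.user_partition
    return None, default_role, "all"


# Constructed sample configs: the original poster's single entry and the
# three entries from the reply, expressed with the dataclass above.
POSTER_ROLES = [RoleInfo("DC1", "F5-LTM-User-Info-1=DC1", 2, "%F5-LTM-User-Role", "all")]
REPLY_ROLES = [
    RoleInfo("DeviceAdmins", "F5-LTM-User-Info-1=adm", 1, "administrator", "All"),
    RoleInfo("f5-auditor", "f5role=manager", 2, "manager", "All"),
    RoleInfo("f5-operator", "F5-LTM-User-Info-1=f5-operator", 3, "operator", "partition2"),
]

if __name__ == "__main__":
    # Constructed: the pairs the TACACS+ group in the original post is set to send.
    sent = parse_av_pairs(["F5-LTM-User-Info-1=DC1", "F5-LTM-User-Role=400"])
    print(resolve_role(POSTER_ROLES, sent))           # ('DC1', 'operator', 'all')
    # Constructed: the server returns no usable pair, so only the default applies.
    print(resolve_role(POSTER_ROLES, parse_av_pairs([])))
    print(resolve_role(REPLY_ROLES, parse_av_pairs(["f5role=manager"])))
```

The useful check the model makes visible: an entry such as `DC1` is selected purely by the presence of `F5-LTM-User-Info-1=DC1` in what the server returned, and the role then comes either from the literal `role` field or, with `%F5-LTM-User-Role`, from a second attribute the server must also return. If the server sends neither pair in its authorization reply, no entry matches and the box falls back to its default remote role, so when the audit log shows an unexpected level, comparing the pairs the server actually sent against the `attribute` fields of each entry is the first thing to verify.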