topic Big IP Auth via ACS 5.1 in Network Access Control

Big IP Auth via ACS 5.1

kenny.kerns — Mon, 11 Mar 2019 00:29:02 GMT

Does
anyone have a working example of using ACS 5.1 to authenticate
BigIP LTM GUI users? I have found a couple of discussion in the F5 dev
site but nothing using ACS, only generic TACACS+ implementations.

Re: Big IP Auth via ACS 5.1

Federico Ziliotto — Fri, 15 Oct 2010 14:02:34 GMT

Hi Kenny,

I personally do not have any experience with BigIP, but the configuration on ACS should be straight forward in case of T+ authentication/authorization.

Are there any particular authorization AVPs that ACS should pass back?

Regards,

Fede

Re: Big IP Auth via ACS 5.1

kenny.kerns — Tue, 19 Oct 2010 23:22:18 GMT

Doesn't look like many people have problems with BigIP and ACS 5.x...must just be me 🙂

I ended up getting some help from TAC and this is what I had to do.

Create the External Group on the F5, this includes the custom attribute that the F5 witll expect back from the F5:

b remoterole role info Netadm '{
attribute "F5-LTM-User-Info-1=Netadm"
role administrator
user partition all
console enable
deny disable
line order 2
}'

Create the custom attribute in the Device Admin Shell Profile:

F5-LTM-User-Info-1 Mandatory Netadm

At this point it should work with no problems but somehow Single Connect got turned on in the Device Config section of ACS, which I didnt find until i did some packet captures. After I turned off Single Connect everything worked like a champ.

BTW, I am using ACS to forward LDAP requests to our DC's for authentication.

Hope this helps someone else!

Big IP Auth via ACS 5.1

bestsoftware — Thu, 15 Dec 2011 23:38:36 GMT

Hi Kenny,

What version of your BigIP? We have 6 BipIP and they are on version 10.2, the F5 document shows how to set up Tacacs on the F5 device, they said we need to create a service name PPP on the Cisco ACS 5.2 but I am not sure how to do it. Could you please help?

Thanks

Big IP Auth via ACS 5.1

camejia — Thu, 22 Dec 2011 22:44:39 GMT

Hi,

In regards to the PPP Service creation on ACS 5.x, you no longer need to create a Service for TACACS+ authentication/authorization.

The Service PPP had to be created on the Legacy ACS 4.x versions but ACS 5.x no longer requires those types of services to be created.

In this case, for BigIP devices to work you only need to create the custom attribute F5-LTM-User-Info-1 (Mandatory) with value as: Netadm

The ACS 5.x will realize that the requested service is PPP without having to create a Custom Service like we used to do on ACS 4.x.

Also, if you are on ACS 5.1 base you might want to upgrade to latest patch as there is a known issue referring to TACACS+ with Service PPP not working as expected. Issue is resolved on Patch 2 and above.

Big IP Auth via ACS 5.1

tberrynole — Fri, 02 Mar 2012 19:57:02 GMT

Just for clarity I would like to add that we had to enable the IP service for PPP in the Interface configuration TACACS+. Then under the user/group under the TACACS+ Settings enable PPP IP and enable the custom attributes box and paste the "F5-LTM-User-Info-1=Netadm" value.

Big IP Auth via ACS 5.1

jack.leung — Mon, 05 Mar 2012 23:04:23 GMT

I'm assuming that was from an ACS version older than 5.x?

By the way on the F5 configuration it requires that you include a Service Name (or populate it with something) or else it won't save the TACACS+ configration. What did you all put in? PPP?

Big IP Auth via ACS 5.1

tberrynole — Tue, 06 Mar 2012 13:02:59 GMT

Yes, we are running 4.2. We are using "ppp" for service name and "ip" for authentication.