TACACS+ Command Accounting from F5 to Cisco ISE

Arie -- (Level 1)

Hi,

Has anyone ever tried to send TACACS+ command accounting from an F5 BIG-IP to Cisco ISE? I've tried to configure the F5 to send its audit log to the accounting server, which is Cisco ISE, but it is not recorded in the TACACS+ Command Accounting report.

I did a packet capture, and the Cisco ISE actually received the accounting from the F5, but it doesn't show up in the TACACS+ Command Accounting report.

Accepted Solution

bravojared (Level 4)

F5 does not do TACACS+ command authorization or accounting for management. You are limited to dropping a user into a role on the F5 via remote role groups, with no fine-grained control of commands. The link for integration is not the best source, but a starting point to understand...

When you configure an F5 for remote AuthC/AuthZ via ISE (or any TACACS+ or RADIUS server), it can be done either with one remote role group with F5 variables defined for all entries, or with several remote role groups with static values.

I prefer one remote role group built with all variables, using the attributes sent from ISE in the AuthZ result to populate those variables; it makes for a cleaner config on the F5 and on ISE. To do this nice and clean, this is the method I use for our customers:

On F5: Create a “Cisco_ISE_AuthZ” (Cisco ISE Authorization) remote role group with the following attributes, which are all variables to be sent down from ISE:

Group Name: Cisco_ISE_AuthZ

Line Order: 1

Attribute String: F5-LTM-User-Info-1=CiscoISEAuthZ

Remote Access: Enabled

Assigned Role: Other: %F5-LTM-User-Role

Partition Access: Other: %F5-LTM-User-Partition

Terminal Access: Other: %F5-LTM-User-Console

On ISE: Create ISE TACACS+ profiles, which specify the values for the F5 to populate for the Cisco_ISE_AuthZ remote role group. The mechanism that makes this work is that the F5 matches the CiscoISEAuthZ attribute we send down against the remote role group defined on the F5 that has the same attribute, and then populates the rest of the variables in that remote role. Here are some examples:

Administrator:

F5-LTM-User-Info-1=CiscoISEAuthZ

F5-LTM-User-Role=0

F5-LTM-User-Partition=All

F5-LTM-User-Console=1

Read Only:

F5-LTM-User-Info-1=CiscoISEAuthZ

F5-LTM-User-Role=700

F5-LTM-User-Partition=All

F5-LTM-User-Console=0

Read Only with Shell:

F5-LTM-User-Info-1=CiscoISEAuthZ

F5-LTM-User-Role=700

F5-LTM-User-Partition=All

F5-LTM-User-Console=1

If you want any other roles, get the attribute values from F5's guide for role values, partition values, and console values and create the right AuthZ results. Please note there are some slight changes between 10.x and later versions, so verify them for your version of F5.
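To make the matching step concrete, here is a small model of the lookup the answer describes: the authorization reply from ISE is a list of AV pairs, the F5 walks its remote role groups in line order, takes the first group whose Attribute String matches a pair in the reply, and fills every "Other: %Variable" field of that group from the reply. This is an added example written for this page, not F5 code or anything from the original post. The `Static_Operators` group, the `NetOps` and `Missing marker` replies, and the role codes other than 0 and 700 are assumptions added to show line-order precedence and the failure cases; the behaviour on a missing variable (deny rather than default) is an assumption as well, so verify it on your own BIG-IP version.

```python
"""Model of the BIG-IP remote-role lookup driven by TACACS+ reply attributes.
Constructed for illustration; not F5 code."""

# Remote role groups as they would be configured on the F5, in line order.
# The first is the single variable-driven group from the thread; the second
# is an ASSUMED static-value group, added only to show line-order precedence
# and the "several groups with static values" alternative.
REMOTE_ROLE_GROUPS = [
    {"name": "Cisco_ISE_AuthZ", "line_order": 1,
     "attribute": "F5-LTM-User-Info-1=CiscoISEAuthZ", "remote_access": True,
     "role": "%F5-LTM-User-Role", "partition": "%F5-LTM-User-Partition",
     "console": "%F5-LTM-User-Console"},
    {"name": "Static_Operators", "line_order": 2,           # assumed group
     "attribute": "F5-LTM-User-Info-1=NetOps", "remote_access": True,
     "role": "400", "partition": "Common", "console": "0"},
]

# Role codes used in the thread (0 and 700) plus two more for illustration;
# verify the full list against F5's remote-role guide for your version.
ROLE_NAMES = {"0": "Administrator", "400": "Operator",
              "700": "Guest (read only)", "900": "No Access"}

# The three ISE TACACS+ profiles from the thread, as the AV pairs ISE returns,
# plus three CONSTRUCTED replies that exercise the other paths.
ISE_PROFILES = {
    "Administrator": ["F5-LTM-User-Info-1=CiscoISEAuthZ", "F5-LTM-User-Role=0",
                      "F5-LTM-User-Partition=All", "F5-LTM-User-Console=1"],
    "Read Only": ["F5-LTM-User-Info-1=CiscoISEAuthZ", "F5-LTM-User-Role=700",
                  "F5-LTM-User-Partition=All", "F5-LTM-User-Console=0"],
    "Read Only with Shell": ["F5-LTM-User-Info-1=CiscoISEAuthZ", "F5-LTM-User-Role=700",
                             "F5-LTM-User-Partition=All", "F5-LTM-User-Console=1"],
    "NetOps (static group)": ["F5-LTM-User-Info-1=NetOps"],
    "Missing marker": ["F5-LTM-User-Role=0", "F5-LTM-User-Partition=All"],
    "Marker only": ["F5-LTM-User-Info-1=CiscoISEAuthZ"],
}


class AccessDenied(Exception):
    """Raised when no group matches or a referenced variable is absent."""


def parse_avpairs(pairs):
    """Split "name=value" strings into a dict; a repeated name keeps the last value."""
    out = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if sep:
            out[name] = value
    return out


def resolve_remote_role(avpairs, groups=REMOTE_ROLE_GROUPS):
    """Return the effective group, role, partition and console for one reply."""
    for group in sorted(groups, key=lambda g: g["line_order"]):
        attr_name, _, attr_value = group["attribute"].partition("=")
        if avpairs.get(attr_name) != attr_value:
            continue                      # this group's marker is not in the reply
        if not group["remote_access"]:
            raise AccessDenied(f"{group['name']}: remote access disabled")
        result = {"group": group["name"]}
        for field in ("role", "partition", "console"):
            value = group[field]
            if value.startswith("%"):     # the "Other: %Variable" form
                var = value[1:]
                if var not in avpairs:
                    # Assumption: a missing variable fails the login rather
                    # than silently falling back to a default.
                    raise AccessDenied(f"{group['name']}: reply lacks {var}")
                value = avpairs[var]
            result[field] = value
        result["role_name"] = ROLE_NAMES.get(result["role"], "unknown code " + result["role"])
        result["shell"] = result["console"] == "1"
        return result
    raise AccessDenied("no remote role group matched the reply attributes")


def effective_access(profile_name):
    """Resolve one of the replies above; returns None when access is denied."""
    try:
        return resolve_remote_role(parse_avpairs(ISE_PROFILES[profile_name]))
    except AccessDenied:
        return None


if __name__ == "__main__":
    for name in ISE_PROFILES:
        print(f"{name:22} -> {effective_access(name)}")
```

The two denied cases are the ones worth checking in a real deployment: a reply that carries role variables but not the `F5-LTM-User-Info-1` marker matches no group at all, and a reply that carries the marker but not every variable the group references leaves the group half-populated.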


9 Replies

ldanny (Cisco Employee)

Hi,

Have a look at this thread, which should provide you some useful information:

Re: F5 RADIUS Device Admin using ISE RADIUS

thanks,

You may want to take a look at BRKSEC-3699 (Reference Presentation) posted to ciscolive.com. In that session I cover tips for configuring F5 LTM for TACACS+ load balancing. You should see the same report whether an LB is used or not. If events are missing, then there may be issues with persistence on the LB.

Cisco Live presentations are linked in this community page: ISE Training

Hi,

I still haven't found what I'm looking for.

Actually, I have configured the F5 system to authenticate against TACACS+ on Cisco ISE as the authentication server.

When a user logs in to the F5 system, it is authenticated and authorized by Cisco ISE using an internal user account on Cisco ISE.

One thing I found is that F5 says it can send accounting to Cisco ISE, as explained in this link:

https://support.f5.com/csp/article/K13762

After configuring the accounting configuration, Cisco ISE received the accounting messages from the F5, which I can see in the tcpdump. But they don't show up in the TACACS+ Command Accounting report.

Just wondering if someone has experienced this before.
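A tcpdump only shows that accounting packets arrive; it does not show what is inside them, because the TACACS+ body is obfuscated with the shared secret. The decoder below, an added example written for this page (not from the original post or from F5), reads a TACACS+ accounting REQUEST (RFC 8907, section 7.1) field by field after de-obfuscating the body with the secret (section 4.5), so you can see which arguments the client actually sent. In the protocol, a per-command record is one that carries a `cmd` argument; a session START/STOP record does not. The two packets in the block are constructed with the included encoder using an assumed shared secret and session ID; they are samples, not captures from an F5, and do not claim to show what a BIG-IP sends.

```python
"""Decode a TACACS+ accounting REQUEST from raw bytes. Constructed example;
the sample packets are built by build_acct_request() and are not F5 captures."""
import hashlib
import struct

TAC_PLUS_ACCT = 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
ACCT_FLAGS = {0x02: "START", 0x04: "STOP", 0x08: "WATCHDOG"}
HEADER = struct.Struct("!BBBB4sI")   # version, type, seq_no, flags, session_id, length


def keystream(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(...|pad_n-1)."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the MD5 pad; applying it twice restores the body."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ k for b, k in zip(body, pad))


def build_acct_request(key, session_id, user, port, rem_addr, args,
                       acct_flags=0x02, version=0xC0, seq_no=1, priv_lvl=15):
    """Encoder used only to construct samples (authen_method=TACACSPLUS 0x06,
    authen_type=ASCII 0x01, authen_service=LOGIN 0x01)."""
    fields = [s.encode() for s in (user, port, rem_addr)]
    arg_bytes = [a.encode() for a in args]
    body = bytes([acct_flags, 0x06, priv_lvl, 0x01, 0x01,
                  *[len(f) for f in fields], len(arg_bytes)])
    body += bytes(len(a) for a in arg_bytes) + b"".join(fields) + b"".join(arg_bytes)
    header = HEADER.pack(version, TAC_PLUS_ACCT, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_acct_request(packet, key):
    """Return header and body fields; raises ValueError on a malformed packet
    or, in practice, on a wrong shared secret (the lengths stop adding up)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_ACCT:
        raise ValueError(f"not an accounting packet: type {ptype:#x}")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    try:
        acct_flags, _method, priv_lvl, _atype, _service, ulen, plen, rlen, argc = body[:9]
        arg_lens = body[9:9 + argc]
        off = 9 + argc
        fixed = []                        # user, port, rem_addr
        for n in (ulen, plen, rlen):
            fixed.append(body[off:off + n].decode())
            off += n
        args = []
        for n in arg_lens:
            args.append(body[off:off + n].decode())
            off += n
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("body does not parse; check the shared secret") from exc
    if off != length:
        raise ValueError("field lengths do not add up to the body length; check the shared secret")
    avpairs = {}
    for a in args:
        name, sep, value = a.partition("=")
        if not sep:                       # "*" separates an optional argument
            name, _, value = a.partition("*")
        avpairs[name] = value
    return {"seq_no": seq_no, "session_id": session_id.hex(),
            "acct_flag": ACCT_FLAGS.get(acct_flags, f"{acct_flags:#x}"),
            "user": fixed[0], "port": fixed[1], "rem_addr": fixed[2],
            "priv_lvl": priv_lvl, "args": avpairs,
            "has_command": bool(avpairs.get("cmd"))}   # "cmd=" with no value counts as none


SHARED_SECRET = b"example-secret"            # assumed; constructed sample
SESSION_ID = bytes.fromhex("1a2b3c4d")         # assumed; constructed sample
# Session-level START record: service=shell but no cmd argument.
SAMPLE_SESSION_START = build_acct_request(
    SHARED_SECRET, SESSION_ID, "admin", "ssh", "10.0.0.5",
    ["task_id=42", "start_time=1700000000", "service=shell"], acct_flags=0x02)
# Per-command STOP record carrying the command that was run.
SAMPLE_COMMAND_STOP = build_acct_request(
    SHARED_SECRET, SESSION_ID, "admin", "ssh", "10.0.0.5",
    ["task_id=43", "stop_time=1700000099", "service=shell", "cmd=show running-config"],
    acct_flags=0x04, seq_no=3)

if __name__ == "__main__":
    for pkt in (SAMPLE_SESSION_START, SAMPLE_COMMAND_STOP):
        print(parse_acct_request(pkt, SHARED_SECRET))
```

To use it on a real capture, extract the TCP payload of one packet from the pcap (for example with scapy or by reading the bytes from Wireshark) and pass it with the secret configured on both the F5 and ISE; a wrong secret shows up as a length or decode error rather than as plausible-looking garbage.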

hslai (Cisco Employee)

What about the TACACS Accounting report? It's not clear whether F5 is doing T+ command authorization, so it might not have command accounting.


Just a quick comment for clarity...

If the question is specific to T+ authorization to the F5 LTM itself, then disregard all comments referring to BRKSEC-3699. I thought the query was specific to the use of F5 to load balance TACACS+ requests from other systems.

Craig

Hi,

No problem, Craig. It's a nice share, for my reference.

Hi,

That's a great and complete explanation. Thank you. Now I know the capabilities of F5 against TACACS+ via Cisco ISE.
