8337 Views, 0 Helpful, 7 Replies

Big IP Auth via ACS 5.1

kenny.kerns (Level 1)



Does anyone have a working example of using ACS 5.1 to authenticate BigIP LTM GUI users? I have found a couple of discussions in the F5 dev site but nothing using ACS, only generic TACACS+ implementations.


7 Replies

Federico Ziliotto (Cisco Employee)

Hi Kenny,

I personally do not have any experience with BigIP, but the configuration on ACS should be straight forward in case of T+ authentication/authorization.

Are there any particular authorization AVPs that ACS should pass back?

Regards,

Fede

Doesn't look like many people have problems with BigIP and ACS 5.x...must just be me :)

I ended up getting some help from TAC and this is what I had to do.

Create the External Group on the F5, this includes the custom attribute that the F5 will expect back from the F5:

b remoterole role info Netadm '{
    attribute "F5-LTM-User-Info-1=Netadm"
    role administrator
    user partition all
    console enable
    deny disable
    line order 2
}'

Create the custom attribute in the Device Admin Shell Profile:

F5-LTM-User-Info-1 Mandatory Netadm

At this point it should work with no problems but somehow Single Connect got turned on in the Device Config section of ACS, which I didn't find until I did some packet captures.  After I turned off Single Connect everything worked like a champ.

BTW, I am using ACS to forward LDAP requests to our DC's for authentication.

Hope this helps someone else!
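As an added illustration (not code from this thread, from F5 or from Cisco), the Python below models how the BIG-IP is expected to map the TACACS+ authorization reply from ACS onto remoterole definitions like the one above: it parses the bigpipe-style block, looks for an AV pair equal to the role's attribute string, and picks the lowest line order when several roles match. It assumes literal string matching on the attribute (so an optional ATTR*VALUE pair or an unknown value yields no role and a denied login); the second Readonly role is constructed to exercise the ordering.

```python
import re

# Constructed sample in the bigpipe "remoterole" form shown in this thread (not an
# actual BIG-IP export); the Readonly role is added so ordering can be exercised.
REMOTEROLE_CONFIG = '''
remoterole role info Netadm {
    attribute "F5-LTM-User-Info-1=Netadm"
    role administrator
    user partition all
    console enable
    deny disable
    line order 2
}
remoterole role info Readonly {
    attribute "F5-LTM-User-Info-1=Readonly"
    role guest
    user partition Common
    console disable
    deny disable
    line order 5
}
'''

def parse_remoteroles(text):
    """Return {name: {attribute, role, partition, console, deny, order}}."""
    roles = {}
    for name, body in re.findall(r'remoterole role info (\S+) \{(.*?)\}', text, re.S):
        entry = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(' ')
            entry[key] = value.strip('"')
        roles[name] = {
            'attribute': entry['attribute'],        # e.g. F5-LTM-User-Info-1=Netadm
            'role': entry['role'],
            'partition': entry['user'].split()[-1], # "user partition all" -> all
            'console': entry['console'],
            'deny': entry['deny'],
            'order': int(entry['line'].split()[-1]),# "line order 2" -> 2
        }
    return roles

def resolve_role(roles, avpairs):
    """Pick the remote role whose attribute equals one of the AV pairs ACS sent in
    the TACACS+ authorization REPLY; lowest line order wins. Assumption: the F5
    compares literally, so ATTR*VALUE (optional) or an unknown value matches
    nothing and the remote user is rejected (returns None)."""
    matches = [r for r in roles.values()
               if r['attribute'] in avpairs and r['deny'] == 'disable']
    if not matches:
        return None
    return min(matches, key=lambda r: r['order'])
```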

Hi Kenny,

What version of your BigIP? We have 6 BigIP and they are on version 10.2, the F5 document shows how to set up Tacacs on the F5 device, they said we need to create a service name PPP on the Cisco ACS 5.2 but I am not sure how to do it. Could you please help?

Thanks

Si

Hi,

In regards to the PPP Service creation on ACS 5.x, you no longer need to create a Service for TACACS+ authentication/authorization.

The Service PPP had to be created on the Legacy ACS 4.x versions but ACS 5.x no longer requires those types of services to be created.

In this case, for BigIP devices to work you only need to create the custom attribute F5-LTM-User-Info-1 (Mandatory) with the value: Netadm

The ACS 5.x will realize that the requested service is PPP without having to create a Custom Service like we used to do on ACS 4.x.

Also, if you are on ACS 5.1 base you might want to upgrade to latest patch as there is a known issue referring to TACACS+ with Service PPP not working as expected. Issue is resolved on Patch 2 and above.

Just for clarity I would like to add that we had to enable the IP service for PPP in the Interface configuration TACACS+. Then under the user/group under the TACACS+ Settings enable PPP IP and enable the custom attributes box and paste the "F5-LTM-User-Info-1=Netadm" value.

I'm assuming that was from an ACS version older than 5.x?

By the way on the F5 configuration it requires that you include a Service Name (or populate it with something) or else it won't save the TACACS+ configuration. What did you all put in? PPP?

Yes, we are running 4.2. We are using "ppp" for service name and "ip" for authentication.