06-21-2018 01:08 AM
Hi,
Has anyone ever tried to send TACACS+ command accounting from F5 BIG-IP to Cisco ISE? I've tried to configure the F5 to send its audit log to the accounting server, which is Cisco ISE, but it is not recorded in the TACACS+ Command Accounting report.
I tried a packet capture, and the Cisco ISE actually received the accounting from the F5, but it doesn't show in the TACACS+ Command Accounting report.
06-22-2018 10:06 AM
F5 does not do TACACS Command Authorization or Accounting for management. You are limited to dropping a user into a role on F5 via remote role groups with no fine grained control of commands. The link for integration is not the best source, but a starting point to understand...
When you configure an F5 for remote AuthC/AuthZ via ISE (or any TACACS or RADIUS server), it can either be done with one remote role group with F5 variables defined for all entries, or with several remote role groups with static values.
I prefer one remote role group built with all variables and use the attributes sent from ISE within the AuthZ result to populate those variables, cleaner config on the F5 and ISE. To do this nice and clean, this is my method that I use for our customers:
On F5: Create a “Cisco_ISE_AuthZ” (Cisco ISE Authorization) Remote Role Group with the following attributes, which are all variables to be sent down from ISE:
Group Name: Cisco_ISE_AuthZ
Line order 1
Attribute String: F5-LTM-User-Info-1=CiscoISEAuthZ
Remote Access: Enabled
Assigned Role: Other: %F5-LTM-User-Role
Partition Access: Other: %F5-LTM-User-Partition
Terminal Access: Other: %F5-LTM-User-Console
On ISE: Create ISE TACACS+ Profiles, which specify the values for the F5 to populate for the Cisco_ISE_AuthZ Remote Role Group. The mechanism that makes this work is that the F5 matches the CiscoISEAuthZ attribute we send down against the Remote Role Group defined on the F5 with the same attribute, and then populates the rest of the variables in that remote role. Here are some examples:
Administrator:
F5-LTM-User-Info-1=CiscoISEAuthZ
F5-LTM-User-Role=0
F5-LTM-User-Partition=All
F5-LTM-User-Console=1
Read Only:
F5-LTM-User-Info-1=CiscoISEAuthZ
F5-LTM-User-Role=700
F5-LTM-User-Partition=All
F5-LTM-User-Console=0
Read Only with Shell:
F5-LTM-User-Info-1=CiscoISEAuthZ
F5-LTM-User-Role=700
F5-LTM-User-Partition=All
F5-LTM-User-Console=1
If you want any other roles, get the attribute values from F5's guide for role values, partition values, and console values and create the right AuthZ results. Please note there are some slight changes between 10.x and later in those, so verify it for your version of F5.
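The matching and variable-filling mechanism described in the post above, as an added example that is not part of the original post and is not F5 or Cisco code: the model walks the remote role groups in line order, takes the first group whose attribute string is present in the TACACS+ authorization reply, and fills that group's %variables from the remaining AV pairs. The sample replies are constructed; the rule that an unfilled variable fails closed is an assumption to verify on your BIG-IP release.

```python
"""Model of how a BIG-IP resolves a remote role group from TACACS+ AV pairs.

Added example (not F5, Cisco or the poster's code). The sample replies are
constructed; the fail-closed rule for a missing variable is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class RemoteRoleGroup:
    """One line of the F5 Remote Role Groups table."""
    name: str
    line_order: int
    attribute: str        # matching string, e.g. "F5-LTM-User-Info-1=CiscoISEAuthZ"
    remote_access: bool   # "Remote Access: Enabled/Disabled"
    role: str             # static value or a %variable filled from the reply
    partition: str
    console: str


@dataclass(frozen=True)
class ResolvedAccess:
    group: str
    role: str
    partition: str
    console: str


# The single variable-driven group from the post.
GROUPS = (
    RemoteRoleGroup(
        name="Cisco_ISE_AuthZ",
        line_order=1,
        attribute="F5-LTM-User-Info-1=CiscoISEAuthZ",
        remote_access=True,
        role="%F5-LTM-User-Role",
        partition="%F5-LTM-User-Partition",
        console="%F5-LTM-User-Console",
    ),
)

# Constructed TACACS+ authorization results, one AV pair per line, as an ISE
# TACACS+ Profile would return them.
ADMIN_REPLY = """\
F5-LTM-User-Info-1=CiscoISEAuthZ
F5-LTM-User-Role=0
F5-LTM-User-Partition=All
F5-LTM-User-Console=1
"""
READ_ONLY_REPLY = """\
F5-LTM-User-Info-1=CiscoISEAuthZ
F5-LTM-User-Role=700
F5-LTM-User-Partition=All
F5-LTM-User-Console=0
"""
# A profile meant for another device type: no matching attribute string at all.
WRONG_DEVICE_REPLY = "Cisco-AVPair=shell:priv-lvl=15\n"
# Matching string present, but the profile forgot the console variable.
INCOMPLETE_REPLY = """\
F5-LTM-User-Info-1=CiscoISEAuthZ
F5-LTM-User-Role=700
F5-LTM-User-Partition=All
"""


def parse_av_pairs(reply: str) -> Dict[str, str]:
    """Turn 'attr=value' lines into a dict; blank and malformed lines are skipped."""
    pairs: Dict[str, str] = {}
    for raw in reply.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def _fill(template: str, pairs: Dict[str, str]) -> Optional[str]:
    """A %variable is looked up in the reply; anything else is a static value."""
    if template.startswith("%"):
        return pairs.get(template[1:])
    return template


def resolve(groups: Iterable[RemoteRoleGroup], reply: str) -> Optional[ResolvedAccess]:
    """Return the access the user gets, or None when the login is refused."""
    pairs = parse_av_pairs(reply)
    for group in sorted(groups, key=lambda g: g.line_order):
        key, _, expected = group.attribute.partition("=")
        if pairs.get(key.strip()) != expected.strip():
            continue  # this group's attribute string is not in the reply
        if not group.remote_access:
            return None  # first match wins, and it says no remote access
        role = _fill(group.role, pairs)
        partition = _fill(group.partition, pairs)
        console = _fill(group.console, pairs)
        if role is None or partition is None or console is None:
            return None  # assumption: an unfilled variable fails closed
        return ResolvedAccess(group.name, role, partition, console)
    return None  # no group matched: the user has no role on this system


if __name__ == "__main__":
    for label, reply in [("admin", ADMIN_REPLY), ("read-only", READ_ONLY_REPLY),
                         ("wrong-device", WRONG_DEVICE_REPLY), ("incomplete", INCOMPLETE_REPLY)]:
        print(f"{label:12} -> {resolve(GROUPS, reply)}")
```

The two negative cases are the ones worth keeping in mind when an ISE profile is edited: a reply without the F5-LTM-User-Info-1 match string never reaches the variable-filling step, and a reply that matches but omits one of the variables gives the user nothing rather than a partial role.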
06-21-2018 01:16 AM
Hi,
Have a look at this thread which should provide you some useful information
Re: F5 RADIUS Device Admin using ISE RADIUS
thanks,
06-21-2018 04:49 AM
You may want to take a look at BRKSEC-3699 (Reference Presentation) posted to ciscolive.com. In that session I cover tips for configuring F5 LTM for TACACS+ load balancing. You should see same report whether LB used or not. If missing events, then may be issues with persistence on LB.
06-21-2018 02:42 PM
Cisco Live presentations are linked in this community page: ISE Training
06-21-2018 08:48 PM
Hi,
I still haven't found what I'm looking for.
Actually, I have configured the F5 system to authenticate against TACACS+ with Cisco ISE as the authentication server.
When a user logs in to the F5 system, they are authenticated and authorized by Cisco ISE using an Internal User account from Cisco ISE.
One thing I found is that F5 says it can send accounting to Cisco ISE, as explained in this link:
https://support.f5.com/csp/article/K13762
After configuring accounting, the Cisco ISE received the accounting messages from the F5, which I saw in a tcpdump. But they don't show up in the TACACS+ Command Accounting report.
Just wondering if someone has ever experienced this before.
06-22-2018 08:47 AM
What about the TACACS Accounting report? It's not clear whether F5 is doing T+ command authorization, so it might not have command accounting.
06-22-2018 02:14 PM
Just a quick comment of clarity...
If the question is specific to T+ authorization to the F5 LTM itself, then disregard all comments referring to BRKSEC-3699. I thought the query was specific to the use of F5 to load balance TACACS+ requests from other systems.
Craig
06-23-2018 02:51 AM
Hi,
No problem Craig. It’s nice sharing for my reference.
06-23-2018 02:49 AM
Hi,
That’s a great and complete explanation. Thank you. Now I know the capability of F5 against TACACS+ via Cisco ISE.