TACACS+ for F5 using Cisco ISE 2.4

sejelmohajj
Level 1

Guys,

Can I have any proper document detailing how to integrate F5 to Cisco ISE for TACACS+?

Regards

2 Accepted Solutions


Arne Bier
VIP

The job in ISE is fairly straightforward and mostly always the same. It's nice that Cisco put some defaults into ISE for IOS-style devices and Nexus and WLC. But for everything else, you're going to have to RTFM of the 3rd party vendor's product.

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html

 

If you read further down the F5 page you will see that you need to assign roles to the F5 when it performs TACACS authorization requests to ISE. In ISE this would mean specifying the Profile as "custom" and then pasting the values in.

The same thing happens for Cisco Prime Infrastructure - if you read the documentation, then it will tell you all the lines of data you need to paste in when you assign a role of Full Admin, Read-Only Admin, etc. I think F5 is similar, because it's not like IOS at all (that is, there is no concept of shell level 0-15).

 

Having said all that, it would be handy if someone could paste some examples of how they did it, just to help clarify.

 


It's simple.

Create the below F5 profile in ISE:

For different user roles, pass the different user role value and then create a Remote user role group in F5 to call this. Make sure to select the fallback to admin in TACACS on F5 to make sure we don't lock ourselves out.

Hope it helps.

 

[Attached screenshots: F5.PNG, F5-2.PNG, Capture.PNG]

