Cisco Support Community

New Member

Big IP Auth via ACS 5.1



Does anyone have a working example of using ACS 5.1 to authenticate BigIP LTM GUI users? I have found a couple of discussions on the F5 dev site but nothing using ACS, only generic TACACS+ implementations.


7 REPLIES
Cisco Employee

Re: Big IP Auth via ACS 5.1

Hi Kenny,

I personally do not have any experience with BigIP, but the configuration on ACS should be straight forward in case of T+ authentication/authorization.

Are there any particular authorization AVPs that ACS should pass back?

Regards,

Fede

New Member

Re: Big IP Auth via ACS 5.1

Doesn't look like many people have problems with BigIP and ACS 5.x...must just be me :)

I ended up getting some help from TAC and this is what I had to do.

Create the External Group on the F5, this includes the custom attribute that the F5 will expect back from the F5:

b remoterole role info Netadm '{
attribute "F5-LTM-User-Info-1=Netadm"
role administrator
user partition all
console enable
deny disable
line order 2
}'

Create the custom attribute in the Device Admin Shell Profile:

F5-LTM-User-Info-1 Mandatory Netadm

At this point it should work with no problems, but somehow Single Connect got turned on in the Device Config section of ACS, which I didn't find until I did some packet captures. After I turned off Single Connect everything worked like a champ.

BTW, I am using ACS to forward LDAP requests to our DC's for authentication.

Hope this helps someone else!
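The exchange the post above describes, as an added example that is not code from the thread, from F5 or from Cisco: a small Python model of the TACACS+ authorization round trip framed per RFC 8907. The shared key, session id and user name are constructed values. It builds the authorization request a BIG-IP sends (the service=ppp / protocol=ip pairs that later replies in this thread mention), a reply carrying the F5-LTM-User-Info-1=Netadm pair that the ACS shell profile returns and the BIG-IP matches against its remote role's attribute line, and shows the header flag (0x04) that a packet capture displays when single-connect is negotiated. Given the shared key, parse_packet decrypts a captured packet so the AV pairs can be read rather than guessed.

```python
"""Model of the TACACS+ authorization exchange between a BIG-IP and ACS (added example,
not from the thread). Key, session id and user are constructed; layout follows RFC 8907."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 12, minor 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
PASS_ADD, PASS_REPL = 0x01, 0x02   # TAC_PLUS_AUTHOR_STATUS_PASS_ADD / _REPL
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream (RFC 8907 s4.5): MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call both encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key, single_connect=False):
    """Header plus obfuscated body; single_connect sets the 0x04 header flag seen in captures."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def author_request_body(user, args, port="ssh", rem_addr=""):
    """Authorization REQUEST: fixed fields, then arg lengths, then user/port/rem_addr/args."""
    args = [a.encode() for a in args]
    fixed = bytes([0x06, 1, 0x01, 0x01,          # authen_method TACACSPLUS, priv_lvl 1, ASCII, LOGIN
                   len(user), len(port), len(rem_addr), len(args)])
    return (fixed + bytes(len(a) for a in args)
            + user.encode() + port.encode() + rem_addr.encode() + b"".join(args))

def author_reply_body(status, args, server_msg=b"", data=b""):
    """Authorization REPLY: status, arg_cnt, server_msg_len, data_len, arg lengths, strings."""
    args = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return head + bytes(len(a) for a in args) + server_msg + data + b"".join(args)

def parse_packet(raw, key):
    """Split the header, decrypt the body with the shared key, report the single-connect flag."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG), "body": body}

def parse_author_reply(body):
    """Pull status and the AV pairs out of a decrypted authorization REPLY body."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len]
    pos += msg_len + data_len                     # skip data; the AV pairs follow it
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode(errors="replace"))
        pos += n
    return {"status": status, "server_msg": server_msg.decode(errors="replace"), "args": args}

def f5_role_value(reply, attr="F5-LTM-User-Info-1"):
    """Value the BIG-IP compares with each remote role's 'attribute' string, or None on failure."""
    if reply["status"] not in (PASS_ADD, PASS_REPL):
        return None
    for av in reply["args"]:
        name, sep, value = av.partition("=")      # '=' marks a mandatory attribute, '*' optional
        if sep and name == attr:
            return value
    return None

def demo(key=b"constructed-shared-key", session_id=0x1A2B3C4D, single_connect=False):
    """Round-trip the exchange: service=ppp/protocol=ip out, the role attribute back."""
    request = build_packet(TAC_PLUS_AUTHOR, 1, session_id,
                           author_request_body("kenny", ["service=ppp", "protocol=ip"]),
                           key, single_connect)
    reply = build_packet(TAC_PLUS_AUTHOR, 2, session_id,
                         author_reply_body(PASS_ADD, ["F5-LTM-User-Info-1=Netadm"]),
                         key, single_connect)
    parsed = parse_packet(reply, key)
    return {"request_bytes": len(request),
            "role": f5_role_value(parse_author_reply(parsed["body"])),
            "single_connect": parsed["single_connect"]}

if __name__ == "__main__":
    print(demo())
```

To read a real capture, hand parse_packet the TCP payload of one TACACS+ packet together with the device's shared key; a reply whose F5-LTM-User-Info-1 value does not match any remote role's attribute line lands the user in the default role. Note that the body "encryption" is an MD5 keystream XOR: anyone holding the key (or a capture plus an offline guess at it) reads every AV pair, so treat captures taken while debugging this as credentials.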

New Member

Big IP Auth via ACS 5.1

Hi Kenny,

What version of your BigIP? We have 6 BigIP and they are on version 10.2. The F5 document shows how to set up TACACS+ on the F5 device; they said we need to create a service name PPP on the Cisco ACS 5.2 but I am not sure how to do it. Could you please help?

Thanks

Si

Silver

Big IP Auth via ACS 5.1

Hi,

In regards to the PPP Service creation on ACS 5.x, you no longer need to create a Service for TACACS+ authentication/authorization.

The Service PPP had to be created on the Legacy ACS 4.x versions but ACS 5.x no longer requires those types of services to be created.

In this case, for BigIP devices to work you only need to create the custom attribute F5-LTM-User-Info-1 (Mandatory) with value as: Netadm

The ACS 5.x will realize that the requested service is PPP without having to create a Custom Service like we used to do on ACS 4.x.

Also, if you are on ACS 5.1 base you might want to upgrade to latest patch as there is a known issue referring to TACACS+ with Service PPP not working as expected. Issue is resolved on Patch 2 and above.

New Member

Big IP Auth via ACS 5.1

Just for clarity I would like to add that we had to enable the IP service for PPP in the Interface configuration TACACS+. Then under the user/group under the TACACS+ Settings enable PPP IP and enable the custom attributes box and paste the "F5-LTM-User-Info-1=Netadm" value.

New Member

Big IP Auth via ACS 5.1

I'm assuming that was from an ACS version older than 5.x?

By the way, on the F5 configuration it requires that you include a Service Name (or populate it with something) or else it won't save the TACACS+ configuration. What did you all put in? PPP?

New Member

Big IP Auth via ACS 5.1

Yes, we are running 4.2. We are using "ppp" for service name and "ip" for authentication.
