Forum Discussion

taphagreg_90345
Feb 21, 2008

Authorisation if sysadmins using RADIUS or TACACS

I don't seem to be able to find much information on this. I have my F5 LTM and GTM and want to control the user logins using RADIUS or TACACS to set the user privilege level.

However, I am not able to find the Radius AV file or any documentation about configuring it.

I don't think I would be the first person to ask the question so if anyone can help by giving some pointers that would help out.

I am using Cisco Secure ACS for my RADIUS / TACACS server.

greg

17 Replies

  • I could be wrong, but I think this has been introduced as of 10.X unless I misread the documentation.
  • FWIW, I just came here looking for this functionality too. I won't kick off that it's not there already though! Never seen any PAM implementation use RADIUS options elsewhere in Linux land, so didn't expect it here.
  • bkthomps, as Deb suggested, the best way to make an official request for a change in the product is to open a case with F5 Support. If there is an existing CR, your request will be attached to it.

    Aaron
  • Below is a statement in Release notes of v10.0.1 regarding Radius/TACACS+. It is clear to me that this feature has been added to the new release. Can anyone kindly share the experience here if you have already tested/used it in production? We would like to upgrade our current production environment just for this feature!

    Cheers.

    Group-based privilege assignment for RADIUS and TACACS+ user accounts

    For environments that store BIG-IP system user accounts on a remote server, your ability to assign user privileges on a group-wide basis has been expanded to include not only LDAP and Active Directory servers, but also RADIUS and TACACS+. Using the BIG-IP system's remoterole command, you can now assign a user role, partition access, and terminal access to a group of user accounts based on a specific RADIUS or TACACS+ attribute.

  • Just to clarify hoolio's comments higher in this thread, I do work for F5 now.

    That said, I just wrote an article a week ago that covers the TACACS+ implementation angle of this feature:

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2316
  • Hi.

    Let's resume this question. ;-)

    Jaso, very good job with that article. But to complete the question, I assume it is also possible to implement something similar with RADIUS, isn't it?

    On the other hand, I have a doubt regarding a possible failure of the remote server. I mean, what happens if the RADIUS/TACACS server stops working? Will users be able to log on to the system?

    Is it possible to have two authentication methods? First TACACS, for example, and if this fails, do it locally?

    And when using external authentication, I suppose it is still possible to have local users like admin, isn't it?

    Thank you!!!