Forum Discussion

f5cap_115294
May 16, 2013

TACACS+.net Integration

Hi,

I have been working on implementing TACACS+.net for my network-based devices. I was able to get the F5 BIG-IP to communicate with the TACACS+ server; however, I can only log in if I set the defaults in the user section of the F5 to "administrative" access. If I try to say "no access" for the defaults, the F5 will not allow the login.

I have configured the following on the TACACS+ side for the pairs and values.

service=ppp
protocol=ip
F5-LTM-User-Role=0
F5-LTM-User-Partition=All
F5-LTM-User-Console=1

Any ideas of where to look, or how to complete the configuration? I only need this for general administrative access.

Thank you,

f5cap.

3 Replies

  • Why would you want the user role to be No Access? I understand the user role will be assigned from TACACS+.

    Any ideas of where to look, or how to complete the configuration. I only need this for general administrative access.

    Have you configured the F5-LTM-User-Info-1 attribute?

    v.10 - Remote Authorization via TACACS+ by Jason
    https://devcentral.f5.com/tech-tips/articles/v10-remote-authorization-via-tacacs-43

    By the way, I have seen Juerg post his Cisco ACS configuration example here, but I could not find it today. You may send him a message to see if he can share.

    Juerg Wiesmann
    https://devcentral.f5.com/community/profile/asuid/11186
  • Andrei_379458
    Historic F5 Account

    What worked for my quick test lab:

    Setup:

    1. Windows 2016 Server with AD & tacacs.net configured.
    2. LTM v.14 running with internal VLAN connected into the above server.

    Tacacs.net config files (found under c:\ProgramData\TACACS.net\config):

    1. tacacsplus.xml => LocalIP changed from 127.0.0.1 to the NIC IP facing LTM (10.1.20.30 in my case)
    2. authentication.xml:
       a) LDAPServer stays on 127.0.0.1:389 (check with "dsquery user -samid " from the CLI on the Windows AD Server)
       b) LDAPUserDirectorySubtree updated to your AD setup (w/ input taken from above B-a)
       c) LDAPGroupName set on Domain Users
       d) LDAPAccessUserName set on the user tacacs.net will use to connect to LDAP (say, it's called "ldap_user")
       e) LDAPAccessUserPassword ClearText="" DES="???" (find it with "tacdes" in cmd on Windows Server)
    3. Verify the tacacs.net connection to AD works by executing the following command in the Windows Server's CLI: "tacacs -s 10.1.20.30 -k "pass_set_during_tacacs.net_setup" -u user user_a -p user_a_pass"
    4. authorization.xml - equally important. Without this, authentication will pass but authorization will fail and LTM login will fail.
       a) Add UserGroup with value Users
       b) Set / Uncomment section with service=ppp and protocol=ip

    Having done this, the last bit would be to set LTM (System -> Users -> Authentication = Remote - TACACS+ w/ servicename=ppp, protocolname=ip, Role=Administrator, Encryption=enabled, secret=pass_set_during_tacacs.net_setup, TerminalAccess=tmsh {or according to your need})

    Once done & saved, a "tail -f" on Windows Server c:\ProgramData\TACACS.net\Logs\Debug*.log will show:

    $ tail -f Debug_2019-03-11_9.log
    IsSingleConnect=False SessionID=1327763209 DataLength=18 Authorization Status=PassAdd User= Port= Args: protocol=ip
    <87> 2019-03-11 12:50:38 [10.1.20.251:1386] Removing session 1327763209
    <87> 2019-03-11 12:51:17 Removed 2 old connections. Remaining connections=0
    <87> 2019-03-11 13:09:43 Device 10.1.20.251:25366 is allowed to connect based on settings for group INTERNAL
    <94> 2019-03-11 13:09:43 New client connection opened for 10.1.20.251:25366 TID:7
    <87> 2019-03-11 13:09:43 TOTAL connections: 1
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Received 1 packets on connection
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Received: MajorVersion=12 MinorVersion=1 Type=Authentication SeqNum=1 IsEncrypted=True IsSingleConnect=False SessionID=-1286258581 DataLength=33 Authentication Start: Action=Login Priv_Lvl=0 Type=PAP Service=PPP User=user_a Port=unknown RemAddr= Data=**************
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user-user_a
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user against group Network Engineering
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] User user_a does not belong to group Network Engineering
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Local file Authentication result: user-user_a specified in group Network Engineering=InvalidUserOrPassword
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Result of authentication user against group Network Engineering is InvalidUserOrPassword. Trying to authentiate against next group in list
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user against group Users
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Performing authentication of user user_a against group Domain Users for LDAPServer=127.0.0.1:389 UseSSL=False DomainName= UserDirectoryDN=cn=Users,DC=f5demo,DC=com UserObjectClass=user UserNameAttribute=sAMAccountName MemberOfAttribute=memberOf AdminUserName=user_a AuthType=Ntlm
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD:Checking if user user_a belongs to group Domain Users for LDAPServer=127.0.0.1:389 UseSSL=False DomainName= UserDirectoryDN=cn=Users,DC=f5demo,DC=com UserObjectClass=user UserNameAttribute=sAMAccountName MemberOfAttribute=memberOf AdminUserName=user_a AuthType=Ntlm
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD:User user_a belong to group Domain Users - from cache
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD: User user_a belongs to group Domain Users
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD:LDAP auth result = Passed. AD:Authentication passed
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD Authentication result: user-user_a against group Users=Passed
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Authentication for user user_a passed against group Users - Passed
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Received 2 packets on connection
    <87> 2019-03-11 13:09:43 [10.1.20.251:25366] Sending: MajorVersion=12 MinorVersion=1 Type=Authentication SeqNum=2 IsEncrypted=True IsSingleConnect=False SessionID=-1286258581 DataLength=6 Authentication AuthReply: Status=Pass Flags=Debug UserMsg= Data=
    <87> 2019-03-11 13:09:44 [10.1.20.251:25366] Removing session -1286258581
    <87> 2019-03-11 13:09:44 [10.1.20.251:25366] Device 10.1.20.251:3478 is allowed to connect based on settings for group INTERNAL
    <94> 2019-03-11 13:09:44 [10.1.20.251:25366] New client connection opened for 10.1.20.251:3478 TID:7
    <87> 2019-03-11 13:09:44 [10.1.20.251:25366] TOTAL connections: 2
    <87> 2019-03-11 13:09:44 [10.1.20.251:3478] Received 1 packets on connection
    <87> 2019-03-11 13:09:44 [10.1.20.251:3478] Received: MajorVersion=12 MinorVersion=0 Type=Authorization SeqNum=1 IsEncrypted=True IsSingleConnect=False SessionID=1732981209 DataLength=45 Authorization Method=TACACSPLUS Priv lvl=0 Auth Type=PAP Service=PPP User=user_a Port=unknown Rem Addr= Args: service=ppp protocol=ip
    <87> 2019-03-11 13:09:44 [10.1.20.251:3478] AD:Checking if user user_a belongs to group Domain Users for LDAPServer=127.0.0.1:389 UseSSL=False DomainName= UserDirectoryDN=cn=Users,DC=f5demo,DC=com UserObjectClass=user UserNameAttribute=sAMAccountName MemberOfAttribute=memberOf AdminUserName=user_a AuthType=Ntlm
    <87> 2019-03-11 13:09:44 [10.1.20.251:3478] AD:User user_a belong to group Domain Users - from cache
    <87> 2019-03-11 13:09:44 [10.1.20.251:3478] Authorization Entry 1 is being applied based on Client configuration
    <87> 2019-03-11 13:09:44 [10.1.20.251:3478] Received 2 packets on connection
    <87> 2019-03-11 13:09:44 [10.1.20.251:3478] Sending: MajorVersion=12 MinorVersion=0 Type=Authorization SeqNum=2 IsEncrypted=True IsSingleConnect=False SessionID=1732981209 DataLength=18 Authorization Status=PassAdd User= Port= Args: protocol=ip
    <87> 2019-03-11 13:09:44 [10.1.20.251:3478] Removing session 1732981209
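An added check for the debug log above (example code written for this page; it is not code from the thread, from F5 or from TACACS.net). In Andrei's log the authorization reply carries only "Args: protocol=ip": none of the F5-LTM-User-Role / F5-LTM-User-Partition / F5-LTM-User-Console pairs the original question lists come back, so the role the BIG-IP applies is whatever is configured as the remote-user default (Role=Administrator in his setup), which is exactly the fallback the original poster was running into. The script parses Debug*.log lines in the format shown, joins each "Sending" authorization reply to its "Received" request by SessionID (the reply's User field is empty, the request's is not), and flags every passed authorization that returned no F5 role attribute, so that logins relying on the device default role are visible in review. The log lines embedded in the script are constructed to mirror the thread's format; session 1732981300 and user_b are hypothetical additions that show what a reply carrying the full attribute set looks like.

```python
# Audit TACACS.net Debug*.log output for authorization replies that carry no
# F5 role attribute (editor's example; not code from the thread or TACACS.net).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the Debug*.log lines in the thread. Session
# 1732981209 is answered with "Args: protocol=ip" only (no F5-LTM-User-Role);
# session 1732981300 / user_b are hypothetical and get the full F5 attribute set.
SAMPLE_LOG = """\
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Sending: MajorVersion=12 MinorVersion=1 Type=Authentication SeqNum=2 IsEncrypted=True IsSingleConnect=False SessionID=-1286258581 DataLength=6 Authentication AuthReply: Status=Pass Flags=Debug UserMsg= Data=
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Received: MajorVersion=12 MinorVersion=0 Type=Authorization SeqNum=1 IsEncrypted=True IsSingleConnect=False SessionID=1732981209 DataLength=45 Authorization Method=TACACSPLUS Priv lvl=0 Auth Type=PAP Service=PPP User=user_a Port=unknown Rem Addr= Args: service=ppp protocol=ip
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Sending: MajorVersion=12 MinorVersion=0 Type=Authorization SeqNum=2 IsEncrypted=True IsSingleConnect=False SessionID=1732981209 DataLength=18 Authorization Status=PassAdd User= Port= Args: protocol=ip
<87> 2019-03-11 13:10:02 [10.1.20.251:3502] Received: MajorVersion=12 MinorVersion=0 Type=Authorization SeqNum=1 IsEncrypted=True IsSingleConnect=False SessionID=1732981300 DataLength=45 Authorization Method=TACACSPLUS Priv lvl=0 Auth Type=PAP Service=PPP User=user_b Port=unknown Rem Addr= Args: service=ppp protocol=ip
<87> 2019-03-11 13:10:02 [10.1.20.251:3502] Sending: MajorVersion=12 MinorVersion=0 Type=Authorization SeqNum=2 IsEncrypted=True IsSingleConnect=False SessionID=1732981300 DataLength=60 Authorization Status=PassAdd User= Port= Args: protocol=ip F5-LTM-User-Role=0 F5-LTM-User-Partition=All F5-LTM-User-Console=1
"""

# Only packet lines ("Received:" / "Sending:") are of interest; housekeeping
# lines such as "Removing session" or "TOTAL connections" are skipped.
LINE_RE = re.compile(
    r"^<\d+> (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<peer>[^\]]+)\] "
    r"(?P<direction>Received|Sending): (?P<body>.*)$"
)
TYPE_RE = re.compile(r" Type=(\w+) SeqNum=")   # anchored so "Auth Type=PAP" is not matched
SESSION_RE = re.compile(r"SessionID=(-?\d+)")
USER_RE = re.compile(r"\bUser=(\S*)")          # does not match UserMsg= or AdminUserName=
STATUS_RE = re.compile(r"Status=(\w+)")
ARGS_RE = re.compile(r"Args: (.*)$")


@dataclass
class Event:
    timestamp: str
    peer: str
    direction: str
    type: str
    session: str
    user: str
    status: Optional[str]
    args: Dict[str, str] = field(default_factory=dict)


def parse_args(text: str) -> Dict[str, str]:
    """Split 'service=ppp protocol=ip' into a dict. TACACS+ AV pairs use '=' for
    mandatory and '*' for optional attributes; both separators are accepted."""
    out: Dict[str, str] = {}
    for token in text.split():
        m = re.match(r"([^=*]+)[=*](.*)", token)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_debug_log(text: str) -> List[Event]:
    """One Event per TACACS+ packet line in the TACACS.net debug log."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        t, s = TYPE_RE.search(body), SESSION_RE.search(body)
        if not (t and s):
            continue
        u, st, a = USER_RE.search(body), STATUS_RE.search(body), ARGS_RE.search(body)
        events.append(Event(
            timestamp=m.group("ts"), peer=m.group("peer"), direction=m.group("direction"),
            type=t.group(1), session=s.group(1), user=u.group(1) if u else "",
            status=st.group(1) if st else None, args=parse_args(a.group(1)) if a else {},
        ))
    return events


# TACACS.net spellings of the TACACS+ authorization statuses PASS_ADD / PASS_REPL.
PASS_STATUSES = {"Pass", "PassAdd", "PassRepl"}
REQUIRED_F5_ATTRS = ("F5-LTM-User-Role",)


def audit_authorization(text: str, required=REQUIRED_F5_ATTRS) -> List[dict]:
    """One finding per passed authorization reply that lacks a required F5 attribute.
    The username appears only in the Received request, so replies are joined to
    their request by SessionID before the finding is reported."""
    requested_user: Dict[str, str] = {}
    findings: List[dict] = []
    for ev in parse_debug_log(text):
        if ev.type != "Authorization":
            continue
        if ev.direction == "Received":
            requested_user[ev.session] = ev.user
            continue
        if ev.status in PASS_STATUSES:
            missing = [attr for attr in required if attr not in ev.args]
            if missing:
                findings.append({"timestamp": ev.timestamp, "session": ev.session,
                                 "user": requested_user.get(ev.session, "<unknown>"),
                                 "missing": missing, "returned": ev.args})
    return findings


if __name__ == "__main__":
    for f in audit_authorization(SAMPLE_LOG):
        print(f"{f['timestamp']} session {f['session']} user {f['user']}: authorization passed "
              f"without {', '.join(f['missing'])}; the device default role applies "
              f"(returned {f['returned']})")
```

Run against a real file with `audit_authorization(open(path).read())`; pass `required=("F5-LTM-User-Role", "F5-LTM-User-Partition")` to also insist on a partition attribute. A finding means the BIG-IP, not the TACACS+ server, decided the user's role, which is the condition worth reviewing when the remote-user default is anything other than No Access.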