Forum Discussion
- DRJAltocumulus
I've used AD group membership for this, but I'm guessing you already have admin auth working?
On the F5, create your F5 Remote Role Group (specify the attribute string, e.g. F5-LTM-User-Info-1=monitoring) and the required Assigned Role level.
In ISE, add a rule in the Auth policy in the relevant Device Admin Policy Set. Match the device/AD user group, create your command set/shell profile as needed (create and match custom attribute to attribute string created for F5 Remote Role Group).
If I recall correctly, I think that's pretty much all that's needed, but I could be forgetting something.
- SleimanAltostratus
Thanks for the reply DRJ. Here's what I've done. I'm able to log in, but I still have read/write rights.
- DRJAltocumulus
So in your example, in the Custom Attribute in ISE (the last screenshot), specify the NAME as F5-LTM-USER-Info-1 and the Value as monitoring.
I can't recall if this is required or not, but if you're still having issues after fixing the attribute, try setting the shell privilege levels from 15 to something like 2.
- SleimanAltostratus
You are the man. Setting the NAME as F5-LTM-USER-Info-1 and the Value as monitoring did it. Hopefully this works in production :) Thanks for your help.
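The thread's root cause is a mismatch between the attribute string the F5 remote role group expects and the custom attribute ISE returns in the TACACS+ authorization reply: while nothing matches, the user lands on the remote default role, which is where the unexpected read/write access came from. The following added example (not code from the thread, F5, or Cisco) models that lookup so the two outcomes can be compared offline. The role table, the default role of `admin`, and the wrong-name attribute used in the failing case are all constructed; matching the attribute name case-insensitively is an assumption drawn from the thread, where the F5 side used `F5-LTM-User-Info-1` and the ISE side `F5-LTM-USER-Info-1` and the login still worked.

```python
# Added example: models how a BIG-IP maps a TACACS+ attribute string to a
# remote role group. Not F5 or ISE code; the behaviour below is an assumption
# that mirrors the thread, not verified vendor logic.
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteRoleGroup:
    name: str       # role-info entry name on the F5 (constructed)
    attribute: str  # attribute string, e.g. "F5-LTM-User-Info-1=monitoring"
    role: str       # BIG-IP role the group assigns (constructed values)


# Constructed role table: the monitoring group should land on a read-only role.
ROLE_GROUPS = [
    RemoteRoleGroup("monitoring", "F5-LTM-User-Info-1=monitoring", "guest"),
    RemoteRoleGroup("netops", "F5-LTM-User-Info-1=netops", "operator"),
]

# Assumed remote default role: what a user gets when no group matches. A
# read/write default is exactly the symptom described in the thread.
DEFAULT_ROLE = "admin"


def parse_tacacs_attributes(avpairs):
    """Turn TACACS+ authorization AV pairs into a {name: value} dict.

    TACACS+ uses '=' for mandatory and '*' for optional attributes; whichever
    separator appears first splits the pair. Entries without a separator are
    ignored rather than treated as a match.
    """
    attrs = {}
    for pair in avpairs:
        positions = [i for i in (pair.find("="), pair.find("*")) if i >= 0]
        if not positions:
            continue
        sep = min(positions)
        attrs[pair[:sep].strip()] = pair[sep + 1:].strip()
    return attrs


def resolve_role(avpairs, groups=ROLE_GROUPS, default_role=DEFAULT_ROLE):
    """Return the role a given TACACS+ reply would produce.

    Attribute names are compared case-insensitively (assumption, see lead-in);
    values must match exactly. First matching group wins; otherwise the
    default role applies.
    """
    attrs = {k.lower(): v for k, v in parse_tacacs_attributes(avpairs).items()}
    for group in groups:
        want_name, want_value = group.attribute.split("=", 1)
        if attrs.get(want_name.lower()) == want_value:
            return group.role
    return default_role


if __name__ == "__main__":
    # Constructed replies: the broken ISE profile (wrong attribute name) and the
    # fixed one from the end of the thread. priv-lvl is shown for realism only.
    broken = ["priv-lvl=15", "F5-LTM-User-Info=monitoring"]
    fixed = ["priv-lvl=15", "F5-LTM-USER-Info-1=monitoring"]
    print("broken profile ->", resolve_role(broken))  # falls through to default
    print("fixed profile  ->", resolve_role(fixed))   # matches the monitoring group
```

The useful check for a practitioner is the first case: an attribute that is almost right does not fail closed, it silently yields the default role, so the default role configured for remote users deserves as much attention as the group attribute strings.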