Forum Discussion

getnyce_157084's avatar
getnyce_157084
Icon for Nimbostratus rankNimbostratus
May 24, 2014
Solved

Multiple AAA authetication groups to TACACS

Currently I authenticate to a TACACS for my read/write account. Anyone who needs to manage the LTM will be added to that group. However I need to give auditor access to a group of users. When I gr...
aaa
application delivery
LTM
management
security
tacacs
  • Cory_50405's avatar
    Cory_50405
    May 25, 2014

    You need to use remote role with your TACACS+ server. Essentially this involves setting up remote roles and eliminating local user accounts. There have been several threads lately about remote authentication via TACACS+ lately. Here's one:

     

    https://devcentral.f5.com/questions/how-to-configure-tacacs-on-cisco-acs-53-for-authenticate-administrative-users-on-ltm-1120

     

    Also, here is some info regarding remote role:

     

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/16.html

     

Cory_50405's avatar
Cory_50405
Icon for Noctilucent rankNoctilucent

You need to use remote role with your TACACS+ server. Essentially this involves setting up remote roles and eliminating local user accounts. There have been several threads lately about remote authentication via TACACS+ lately. Here's one:

 

https://devcentral.f5.com/questions/how-to-configure-tacacs-on-cisco-acs-53-for-authenticate-administrative-users-on-ltm-1120

 

Also, here is some info regarding remote role:

 

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/16.html

 

Cory_50405's avatar
Cory_50405
Icon for Noctilucent rankNoctilucent
May 27, 2014
The first link in my comment contains some screenshots of ACS 5.3. I don't know of any walk-through documents, but the process is involves creating a shell profile where you set the custom attribute that you defined on the remote role configuration. Then you would apply that shell profile to an ACS user group (Access Policies > Access Services > Default Device Admin > Authorization, then click on the group to modify. Towards the bottom, there'll be a field to specify a shell profile).