Forum Discussion
Cory_50405 (Noctilucent), May 01, 2014:
Is the name of your ACS group "adm"? It has to match verbatim what your remote role group name is.
- judascow_106704 (Nimbostratus), May 01, 2014: Indeed it is. "cloned an existing ACS group... and renamed it 'adm'"
- Cory_50405 (Noctilucent), May 01, 2014: Apologies for my reading comprehension fail. Did you remove any local usernames that may be conflicting with the remote user attempting to log in?
- judascow_106704 (Nimbostratus), May 01, 2014: Just confirmed that there is no local user with the same username.
- Cory_50405 (Noctilucent), May 01, 2014: Your remote role configuration looks good. Do you see any helpful information in /var/log/audit or /var/log/secure that identifies a problem?
- judascow_106704 (Nimbostratus), May 02, 2014: Success! I was editing the wrong custom attribute and enabling PPP in the wrong section of the TACACS group configuration. I had to add the PPP IP section to the Group config. In ACS 4.2, open Interface Configuration -> TACACS+ (Cisco IOS). Under Group, check the box for PPP IP, then Submit. In Group Config for 'adm' under TACACS+ Settings, check PPP IP and add the following in the first TACACS+ Settings Custom Attributes box:

  F5-LTM-User-Info-1=adm

  On the F5, my remoterole is:

  ```
  remoterole {
      role info adm {
          attribute F5-LTM-User-Info-1=adm
          console enable
          line order 1
          deny disable
          role administrator
          user partition all
      }
  }
  ```

  Thanks for all of your help, Cory!
- Cory_50405 (Noctilucent), May 05, 2014: Glad to hear you got it working.
- Dan_22262 (Nimbostratus), Dec 12, 2014: @Cory @judascow Great post, guys. Using this, I got LTM BIGIP-11.6.0.0.0.401.ALL-scsi.ova + Cisco Secure ACS 4.2 up and running on basically the first shot. I made the same mistake above: I didn't originally put the custom attribute under PPP but under "shell". If anyone needs screenshots of the setup on both LTM and on ACS, I took them. Feel free to hit me up.
- h_paredes_19017 (Nimbostratus), Mar 02, 2015: Dan, can you please share those screenshots?
- gcave_213109 (Nimbostratus), Sep 18, 2015: Would it be possible for someone to share the screenshots with 4.1? I have set up:

  ```
  auth remote-role {
      role-info {
          /Common/adm {
              attribute F5-LTM-User-Info-1=adm
              console tmsh
              line-order 1
              role administrator
              user-partition All
          }
      }
  }
  auth remote-user {
      default-role admin
      remote-console-access tmsh
  }
  auth source {
      type tacacs
  }
  auth tacacs /Common/system-auth {
      protocol ip
      secret $M$HO$rkzM7osX510D2HjVYcvnZw==
      servers { 165.249.239.32 }
      service ppp
  }
  ```

  I am getting an 'authorization failure, service ppp denied' on ACS 4.1.
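The two failure modes this thread walks through (the custom attribute placed under the ACS "shell" service instead of PPP IP, and an attribute string that does not match the BIG-IP role-info entry verbatim) can be checked offline with a small script. This is an added example, not code from F5 or from any poster: the tmsh block is a constructed copy of the config above, the ACS reply dictionaries are a constructed, simplified model of what the TACACS+ authorization reply carries, and the "lowest line-order wins" matching is an assumption about how BIG-IP picks among role-info entries.

```python
import re

# Constructed sample of a BIG-IP "auth remote-role" block in tmsh syntax (mirrors the thread).
BIGIP_REMOTE_ROLE = """
auth remote-role {
    role-info {
        /Common/adm {
            attribute F5-LTM-User-Info-1=adm
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
    }
}
"""

# Constructed, simplified models of an ACS TACACS+ authorization reply: the service the
# ACS group granted, and the custom attribute lines returned with it.
ACS_REPLY_SHELL = {"service": "shell", "attrs": ["F5-LTM-User-Info-1=adm"]}  # attribute under "shell"
ACS_REPLY_PPP = {"service": "ppp", "attrs": ["F5-LTM-User-Info-1=adm"]}      # attribute under PPP IP
ACS_REPLY_TYPO = {"service": "ppp", "attrs": ["F5-LTM-User-Info-1=Adm"]}     # case does not match

def parse_role_info(cfg):
    """Return {role_name: {key: value}} for each role-info entry in a tmsh auth remote-role block."""
    roles = {}
    for m in re.finditer(r"(/\S+)\s*\{([^}]*)\}", cfg):
        name, body = m.group(1), m.group(2)
        props = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            props[key] = value
        roles[name] = props
    return roles

def match_role(roles, bigip_service, reply):
    """Assumed model: the reply must be for the service BIG-IP asked for ("service ppp" above);
    then role-info entries are tried by ascending line-order and the first verbatim match wins."""
    if reply["service"] != bigip_service:
        return None, f"authorization failure, service {bigip_service} denied"
    for name, props in sorted(roles.items(), key=lambda kv: int(kv[1].get("line-order", 0))):
        if props.get("attribute") in reply["attrs"]:
            return name, "matched"
    return None, "no role-info attribute matched verbatim; default-role applies"

if __name__ == "__main__":
    roles = parse_role_info(BIGIP_REMOTE_ROLE)
    for label, reply in (("shell", ACS_REPLY_SHELL), ("ppp", ACS_REPLY_PPP), ("typo", ACS_REPLY_TYPO)):
        print(label, match_role(roles, "ppp", reply))
```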