Manual Chapter :
Configuring Remote TACACS+ Authentication
Applies To:
BIG-IP LTM
- 15.0.1, 15.0.0
Overview of remote authentication for application traffic
As an administrator in a large computing environment, you can set up the BIG-IP® system to use a remote authentication server to authenticate any
network traffic passing through the BIG-IP system. This type of traffic passes through a virtual
server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers
typically use one of these protocols:
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-in User Service (RADIUS)
- TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
- Online Certificate Status Protocol (OCSP)
- Certificate Revocation List Distribution Point (CRLDP)
To configure remote authentication for this type of traffic, you must
create a configuration object and a profile that correspond to the type of authentication server
you are using to store your user accounts. For example, if your remote authentication server is
an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a
RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object.
For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP
authentication, this object is referred to as an OCSP responder.
Task summary for configuring remote TACACS+ authentication
To configure remote TACACS+ authentication for this type of traffic, you create a TACACS+
configuration object that describes your TACACS+ server, create a TACACS+ profile that references
that object, and then assign the profile to a virtual server. The tasks are:
- Creating a TACACS+ configuration object
- Creating a custom TACACS+ profile
- Modifying a virtual server for TACACS+ authentication
Creating a TACACS+ configuration object
A
TACACS+ configuration object
specifies information that the BIG-IP
system needs to perform the remote authentication. For example, the
configuration object specifies the IP address of the remote TACACS+
server.
- On the Main tab of the navigation pane, open the Profiles list.
- From the Authentication menu, choose Configurations.
- Click Create.
- In the Name field, type a unique name for the configuration object, such as my_tacacs_config.
- From the Type list, select TACACS+.
- For the Servers setting, select a server name in the Available list, and using the Move button, move the name to the Selected list.
- In the Secret field, type the shared secret used to obfuscate and de-obfuscate the body of packets sent to or received from the server. Do not use the pound sign (#) in the secret for TACACS+ servers. The secret must match the key the TACACS+ server has configured for this client; a mismatch does not produce a transport error, the server simply cannot decode the request body.
- In the Confirm Secret field, re-type the secret you specified in the Secret field.
- From the Encryption list, select an encryption option. Enabled: the system obfuscates the body of every TACACS+ packet with the shared secret (the protocol's keyed MD5 pseudo-pad; this is obfuscation, not authenticated encryption). Disabled: the system sends TACACS+ packets with the body in cleartext, so user names and passwords are readable by anyone who can observe the traffic; use this only for troubleshooting on an isolated network. In either mode TACACS+ provides no integrity protection or server authentication, so keep the path between the BIG-IP system and the TACACS+ server on a protected management network.
- In the Service Name field, type the name of the service that the user is requesting to be authenticated for use; typically, ppp. Specifying the service makes it possible for the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell, tty-daemon, connection, system, and firewall.
- In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Name field. This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, stalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
- Click Finished.
You now have a configuration object that a TACACS+ authentication profile can reference.
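To make the Secret and Encryption settings above concrete, the following added example (written for this page, not F5 code and not part of the original chapter) implements the TACACS+ packet body obfuscation from RFC 8907 section 4.5 and shows what the two Encryption options put on the wire. "Enabled" corresponds to XORing the body with a pseudo-pad of chained MD5 digests keyed by the shared secret; "Disabled" sets the TAC_PLUS_UNENCRYPTED_FLAG and sends the body as-is. The secret, session id, user name, port, address and password are constructed sample values.

```python
"""
TACACS+ packet body obfuscation (RFC 8907 section 4.5).
Added example for this page; not F5 code. All sample values are constructed.
"""
import hashlib
import struct

# Header constants (RFC 8907 section 4.1)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # flags bit: body is cleartext ("Encryption: Disabled")
HEADER_LEN = 12

# Authentication START body constants (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_PPP = 0x03


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained MD5 pad: MD5_n = MD5(session_id || key || version || seq_no || MD5_(n-1))."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, password: bytes) -> bytes:
    """Authentication START for a PAP login; the password travels in the data field."""
    fixed = struct.pack(
        "!BBBBBBBB",
        TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_PPP,
        len(user), len(port), len(rem_addr), len(password),
    )
    return fixed + user + port + rem_addr + password


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 encryption_enabled: bool) -> bytes:
    """Client side: 12-byte header followed by the (possibly obfuscated) body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if encryption_enabled else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    wire_body = obfuscate(body, session_id, key, version, seq_no) if encryption_enabled else body
    return header + wire_body


def extract_body(packet: bytes, key: bytes) -> bytes:
    """Server side: parse the header, then de-obfuscate unless the cleartext flag is set."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    wire_body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return wire_body
    return obfuscate(wire_body, session_id, key, version, seq_no)


# Constructed sample session: made-up secret, session id and credentials, documentation address.
SECRET = b"s3cret-no-hash-sign"
SESSION_ID = 0x1A2B3C4D
BODY = authen_start_body(b"alice", b"tty0", b"192.0.2.10", b"hunter2")


def demo() -> dict:
    """Compare what an observer on the wire sees with Encryption enabled versus disabled."""
    enc = build_packet(BODY, SESSION_ID, SECRET, 1, encryption_enabled=True)
    clear = build_packet(BODY, SESSION_ID, SECRET, 1, encryption_enabled=False)
    return {
        "encrypted_roundtrip_ok": extract_body(enc, SECRET) == BODY,
        "wrong_key_garbles": extract_body(enc, b"other-key") != BODY,
        "password_visible_when_encrypted": b"hunter2" in enc,
        "password_visible_when_disabled": b"hunter2" in clear,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the pad depends only on the secret and on header fields that travel in cleartext (session id, version, sequence number); there is no MAC, so a wrong secret yields garbage rather than an authentication failure, and nothing stops an on-path attacker from tampering with the body. That is why the shared secret must be kept out of the cleartext "Disabled" mode and why the BIG-IP-to-server path itself still needs protection.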
Creating a custom TACACS+ profile
The next task in configuring TACACS+-based remote authentication on the BIG-IP system is to create a custom TACACS+ profile.
- On the Main tab, open the authentication profiles. The Profiles list screen opens.
- Click Create. The New Authentication Profile screen opens.
- In the Name field, type a unique name for the profile.
- Select TACACS+ from the Type list.
- Select tacacs in the Parent Profile list.
- Select the TACACS+ configuration object that you created from the Configuration list.
- Click Finished.
The custom TACACS+ profile appears in the Profiles list.
Modifying a virtual server for TACACS+ authentication
The final task in the process of implementing authentication using a remote
TACACS+ server is to assign the custom TACACS+ profile and an existing default
authentication iRule to a virtual server that is configured to process HTTP traffic
(that is, a virtual server to which an HTTP profile is assigned).
- On the Main tab, open the Virtual Server List. The Virtual Server List screen opens.
- Click the name of a virtual server.
- From the Configuration list, select Advanced.
- For the Authentication Profiles setting, in the Available field, select a custom TACACS+ profile, and using the Move button, move the custom TACACS+ profile to the Selected field.
- Click Update to save the changes.
The virtual server is assigned the custom TACACS+ profile.