Manual Chapter : TACACS+ User Authentication

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0

Use my TACACS+ server to authenticate BIG-IQ users

BIG-IQ Centralized Management can verify user credentials against your company's TACACS+ server. After you set up BIG-IQ to use your TACACS+ server, you can add users and user groups that are authenticated by your TACACS+ server.
After you decide exactly who you want to perform certain tasks, you can provide them access to particular areas of BIG-IQ by adding them as a user and assigning the appropriate standardized role.

Before integrating BIG-IQ with your TACACS+ server for authentication and authorization

Before you set up BIG-IQ Centralized Management for authentication and authorization with your TACACS+ server, you should gather this information.
Required Information | This is
Name | The name of your TACACS+ server.
Host | The IP address or host name of your TACACS+ server.
Port | The port number of your TACACS+ server.
Secret | The case-sensitive text string used to validate communication.
Primary Service | The service that the authorization requests are made for, such as system, shell, or connection.
Protocol | An optional subset of a service, such as telnet, ip, or http.
Test user name and password | A user name and password, authenticated on your TACACS+ server.

Set up BIG-IQ to use my TACACS+ server for user authentication

Before you can set up authentication, you must have specified your DNS settings. You usually do this when you license F5 BIG-IQ Centralized Management. You must also complete all the tasks outlined in Before integrating BIG-IQ with your TACACS+ server.
You can set up BIG-IQ to use your company's TACACS+ server for user authentication.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT -> Auth Providers.
  3. Click the Add button.
  4. From the Provider Type list, select TACACS+.
  5. In the Name field, type a name for this new provider.
    This must be a unique name, and can be a maximum of 152 characters.
  6. For the Servers setting, in the Host and Port fields, type the address (or fully qualified domain name) and port number for each of the servers you want to configure.
    To add more servers, just click the + button.
  7. In the Primary Service field, specify what type of authorization requests will be made for this service.
    For example: system, connection, or PPP.
  8. In the Protocol field, specify an optional subset of a service.
    For example: ip, telnet, or http.
  9. In the Connect Timeout field, type the number of seconds after which the BIG-IQ system stops trying to authenticate a user or user group.
  10. In the Read Timeout field, type the number of seconds the BIG-IQ system will wait for a response to a query.
  11. To encrypt the data, select the Yes check box for the Encrypt setting.
  12. To verify that BIG-IQ can reach the authentication server, in the Test User and Test Password fields, type a valid user name and password, and click the Test button.
  13. Click the Save & Close button at the bottom of the screen.
You can now associate TACACS+ server users with BIG-IQ system roles.
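The following added example (not F5 code and not part of the original chapter) shows what the Secret and the Encrypt setting do on the wire, assuming Encrypt corresponds to the standard TACACS+ body obfuscation defined in RFC 8907 section 4.5. The body, secret and session ID are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # RFC 8907 header flag: body is sent in clear

def pseudo_pad(session_id, secret, version, seq_no, length):
    """MD5-chained pad from RFC 8907 section 4.5, truncated to `length`."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # MD5_n = MD5(seed + MD5_n-1)
        pad += block
    return pad[:length]

def obfuscate(body, session_id, secret, version=0xC0, seq_no=1):
    """XOR the body with the pad; calling it again with the same key reverses it."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body, session_id, secret, encrypt, pkt_type=0x01, seq_no=1):
    """12-byte header (always cleartext) followed by the body."""
    version = 0xC0
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, secret, version, seq_no) if encrypt else body
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, flags,
                         session_id, len(payload))
    return header + payload

def read_body(packet, secret):
    """What a receiver configured with `secret` recovers from the packet."""
    version, _type, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, secret, version, seq_no)

# Constructed sample values; SAMPLE_BODY is a stand-in, not a real authentication body.
SAMPLE_BODY = b"user=testuser;pass=Example-Only"
SAMPLE_SECRET = b"SharedSecret"
SESSION_ID = 0x1A2B3C4D

if __name__ == "__main__":
    clear = build_packet(SAMPLE_BODY, SESSION_ID, SAMPLE_SECRET, encrypt=False)
    hidden = build_packet(SAMPLE_BODY, SESSION_ID, SAMPLE_SECRET, encrypt=True)
    print("Encrypt off:", clear[12:])
    print("Encrypt on :", hidden[12:].hex())
    print("Wrong case :", read_body(hidden, b"sharedsecret"))
```

With Encrypt off, the body crosses the network readable by anyone on the path; with it on, a secret that differs only in letter case yields an unreadable body, which is why the Secret must match the server's value exactly.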

Add a TACACS+ authenticated user and associate it with a role

You must set up F5 BIG-IQ Centralized Management with your TACACS+ server settings before you can add a TACACS+ authenticated user.
Once you understand exactly who you want to perform certain tasks, you can provide them access to particular areas of BIG-IQ by adding them as a user and assigning the appropriate built-in or custom role. You can assign as many roles as required to cover the user's responsibilities.
You must associate this user with a TACACS+ authenticated role, or authentication will fail.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT -> Users.
  3. Click the Add button.
  4. From the Auth Provider list, select TACACS+.
  5. In the User Name field, type a name for this user. In the Password and Confirm Password fields, type a password for this new user.
  6. In the Full Name field, type a name to identify this user.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  7. To associate this user with one or more user groups, select the user group from the User Groups list.
    This is only an option if you've already created a user group.
  8. To associate this user with one or more roles, select them from the Available list and move them to the Selected list.
  9. Click the Save & Close button.
If this BIG-IQ is part of an HA pair, you must log in to the secondary BIG-IQ system, click System -> BIG-IQ HA, click the BIG-IQ HA Settings button, then click the Log Out & Refresh button. This procedure is required because BIG-IQ handles users and user groups differently than other data synchronized between BIG-IQ systems in an HA pair. If you don't perform this procedure, this new user cannot successfully log in to the secondary system.

Create a TACACS+ authenticated user group

Before you can add a TACACS+ authenticated user group, you must set up BIG-IQ to use your company's TACACS+ server for user authentication.
You can create a user group for multiple users to authenticate through a TACACS+ server.
If a user does not belong to a TACACS+ authenticated user group, authentication will fail.
  1. At the top of the screen, click System.
  2. At the left, click USER MANAGEMENT -> User Groups.
    The User Groups screen opens.
  3. Click the Add button.
  4. In the Name field, type a name for this new user group.
  5. From the Auth Provider list, select your TACACS+ provider.
  6. For the Authorization Attributes setting, in the Attribute and Value fields, type the attribute and value pair for this group's TACACS+ server.
  7. From the Available Roles list, select the user roles that have the privileges you want to grant to this user group and move them to the Selected list.
  8. Click the Save & Close button.
If this BIG-IQ is part of an HA pair, you must log in to the secondary BIG-IQ system, click System -> BIG-IQ HA, click the BIG-IQ HA Settings button, then click the Log Out & Refresh button. This procedure is required because BIG-IQ handles users and user groups differently than other data synchronized between BIG-IQ systems in an HA pair. If you don't perform this procedure, this new user cannot successfully log in to the secondary system.
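The Attribute and Value pair entered for a user group corresponds to an attribute-value pair that the TACACS+ server returns in its authorization reply. The added example below (not F5 code and not part of the original chapter) parses an RFC 8907 authorization REPLY body and maps the returned pairs to roles. The group names, role names and the exact-match rule are assumptions, since this chapter does not describe how BIG-IQ compares the values.

```python
import struct

PASS_ADD, PASS_REPL = 0x01, 0x02  # RFC 8907 statuses that grant authorization

def build_author_reply(status, args):
    """Assemble an authorization REPLY body; used here only to make sample data."""
    encoded = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(encoded), 0, 0)  # no server_msg, no data
    return head + bytes(len(a) for a in encoded) + b"".join(encoded)

def parse_author_reply(body):
    """Return (status, {attribute: value}) from a de-obfuscated REPLY body."""
    if len(body) < 6:
        raise ValueError("reply shorter than its fixed fields")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    if len(arg_lens) != arg_cnt or pos + sum(arg_lens) != len(body):
        raise ValueError("length fields do not match the body size")
    pairs = {}
    for n in arg_lens:
        text = body[pos:pos + n].decode()
        pos += n
        # '=' marks a mandatory pair and '*' an optional one; split on the first
        cut = min((i for i in (text.find("="), text.find("*")) if i >= 0), default=-1)
        if cut < 1:
            raise ValueError(f"malformed attribute-value pair: {text!r}")
        pairs[text[:cut]] = text[cut + 1:]
    return status, pairs

def roles_for(body, groups):
    """Roles from every group whose Attribute/Value pair the server returned."""
    status, pairs = parse_author_reply(body)
    if status not in (PASS_ADD, PASS_REPL):
        return set()
    roles = set()
    for attribute, value, group_roles in groups:
        if pairs.get(attribute) == value:  # assumed: exact, case-sensitive match
            roles |= group_roles
    return roles

# Hypothetical user groups: (Attribute, Value, Selected roles). Names are invented.
GROUPS = [("bigiq-group", "netops", {"example-network-role"}),
          ("bigiq-group", "secops", {"example-security-role"})]
# Constructed replies, not captured traffic.
REPLY_NETOPS = build_author_reply(PASS_ADD, ["bigiq-group=netops", "idletime*30"])
REPLY_HELPDESK = build_author_reply(PASS_ADD, ["bigiq-group=helpdesk"])
REPLY_DENIED = build_author_reply(0x10, ["bigiq-group=netops"])  # 0x10 = FAIL
```

A user whose reply matches no configured group ends up with an empty role set, which mirrors the statement above that authentication fails for users outside any TACACS+ authenticated user group.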