Manual Chapter: TACACS+ User Authentication
Applies To: BIG-IQ Centralized Management 8.3.0, 8.2.0, 8.1.0
Use my TACACS+ server to authenticate BIG-IQ users
BIG-IQ Centralized Management can verify user credentials against your company's TACACS+ server. After you set up BIG-IQ to use your TACACS+ server, you can add users and user groups that are authenticated by your TACACS+ server.
After you decide exactly who you want to perform certain tasks, you can provide them access to particular areas of BIG-IQ by adding them as a user and assigning the appropriate standardized role.
Before integrating BIG-IQ with your TACACS+ server for authentication and authorization
Before you set up BIG-IQ Centralized Management for authentication and authorization with your TACACS+ server, you should gather this information.
| Required Information | Description |
|---|---|
| Name | The name of your TACACS+ server. |
| Host | The IP address or host name of your TACACS+ server. |
| Port | The port number of your TACACS+ server. |
| Secret | The case-sensitive text string used to validate communication. |
| Primary Service | The service that the authorization requests are made for, such as system, shell, or connection. |
| Protocol | An optional subset of a service, such as telnet, ip, or http. |
| Test user name and password | A user name and password, authenticated on your TACACS+ server. |
Set up BIG-IQ to use my TACACS+ server for user authentication
Before you can set up authentication, you must have specified your DNS settings. You usually do this when you license F5 BIG-IQ Centralized Management. You must also complete all the tasks outlined in Before integrating BIG-IQ with your TACACS+ server for authentication and authorization.
You can set up BIG-IQ to use your company's TACACS+ server for user authentication.
- At the top of the screen, click System.
- On the left, click.
- Click the Add button.
- From the Provider Type list, select TACACS+.
- In the Name field, type a name for this new provider. This must be a unique name and can be a maximum of 152 characters.
- For the Servers setting, in the Host and Port fields, type the address (or fully qualified domain name) and port number for each of the servers you want to configure. To add more servers, click the + button.
- In the Primary Service field, specify what type of authorization requests will be made for this service. For example: system, connection, or PPP.
- In the Protocol field, specify an optional subset of a service. For example: ip, telnet, or http.
- In the Connect Timeout field, type the number of seconds after which the BIG-IQ system stops trying to authenticate a user or user group.
- In the Read Timeout field, type the number of seconds the BIG-IQ system will wait for a response to a query.
- To encrypt the data, select the Yes check box for the Encrypt setting.
- To verify that BIG-IQ can reach the authentication server, in the Test User and Test Password fields, type a valid user name and password, and click the Test button.
- Click the Save & Close button at the bottom of the screen.
You can now associate TACACS+ server users with BIG-IQ system roles.
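The Secret and Encrypt settings above decide how the TACACS+ packet body is protected between BIG-IQ and the server. The following is an added example, not F5 or BIG-IQ code: it builds a TACACS+ authentication START packet as specified in RFC 8907, applies the MD5 pseudo-pad that the shared secret seeds (the "obfuscation" the Encrypt setting turns on), and parses it back with the right and with a wrong secret. The session id, user name, port string and secret are constructed sample values. Because the pad is a keyed MD5 stream XORed over the body, anyone holding the secret can read every packet, and with Encrypt cleared (the TAC_PLUS_UNENCRYPTED_FLAG header bit) the body travels in the clear; the secret therefore needs the same handling as any other credential, and the BIG-IQ-to-server path should be a trusted or tunnelled network segment.

```python
"""TACACS+ (RFC 8907) authentication START packet with body obfuscation.

Added example, not F5/BIG-IQ code. Session id, user name and secret are
constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent without obfuscation
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# version, type, seq_no, flags, session_id, length (12 bytes, network order)
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, secret: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and
    truncated to the body length."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, secret: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; XOR is symmetric, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str = "BIG-IQ", rem_addr: str = "", data: bytes = b"") -> bytes:
    """Authentication START body: eight fixed bytes, then the variable fields."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body: bytes, session_id: int, secret: bytes, encrypt: bool = True, seq_no: int = 1) -> bytes:
    """encrypt=False models clearing the Encrypt check box: flag set, body in clear."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    wire_body = obfuscate(body, session_id, secret, TAC_PLUS_VERSION, seq_no) if encrypt else body
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet: bytes, secret: bytes) -> tuple:
    """Return (header fields, de-obfuscated body). A wrong secret yields garbage,
    not an error: the pad carries no integrity check."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    wire_body = packet[HEADER.size:HEADER.size + length]
    if len(wire_body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body
    else:
        body = obfuscate(wire_body, session_id, secret, version, seq_no)
    header = {"version": version, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id}
    return header, body


def start_user(body: bytes) -> str:
    """Pull the user name back out of a (de-obfuscated) START body."""
    user_len = body[4]
    return body[8:8 + user_len].decode("utf-8", errors="replace")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    session_id = 0x1234ABCD  # constructed; a real client draws this randomly
    body = authen_start_body("alice")
    pkt = build_packet(body, session_id, secret)
    _, good = parse_packet(pkt, secret)
    _, bad = parse_packet(pkt, b"wrong-secret")
    print("right secret ->", start_user(good))
    print("wrong secret ->", start_user(bad))
```

The Test User / Test Password step exercises exactly this exchange end to end: if the secret typed into BIG-IQ differs from the server's, the server de-obfuscates the START body into garbage and the test fails, which is the quickest way to tell a secret mismatch from a host, port or timeout problem.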
Add a TACACS+ authenticated user and associate it with a role
You must set up F5 BIG-IQ Centralized Management with your TACACS+ server settings before you can add a TACACS+ authenticated user.
Once you understand exactly who you want to perform certain tasks, you can provide them access to particular areas of BIG-IQ by adding them as a user and assigning the appropriate built-in or custom role. You can assign as many roles as required to cover the user's responsibilities.
You must associate this user with a TACACS+ authenticated role, or authentication will fail.
- At the top of the screen, click System.
- On the left, click.
- Click the Add button.
- From the Auth Provider list, select TACACS+.
- In the User Name field, type a name for this user. In the Password and Confirm Password fields, type a password for this new user.
- In the Full Name field, type a name to identify this user. The full name can contain a combination of symbols, letters, numbers and spaces.
- To associate this user with one or more user groups, select the user group from the User Groups list. This is only an option if you've already created a user group.
- To associate this user with one or more roles, select them from the Available list and move them to the Selected list.
- Click the Save & Close button.
If this BIG-IQ is part of an HA pair, you must log in to the secondary BIG-IQ system, click System -> BIG-IQ HA, click the BIG-IQ HA Settings button, then click the Log Out & Refresh button. This procedure is required because BIG-IQ handles users and user groups differently than other data synchronized between BIG-IQ systems in an HA pair. If you don't perform this procedure, this new user cannot successfully log in to the secondary system.
Create a TACACS+ authenticated user group
Before you can add a TACACS+ authenticated user group, you must set up BIG-IQ to use your company's TACACS+ server for user authentication.
You can create a user group for multiple users to authenticate through a TACACS+ server.
If a user does not belong to a TACACS+ authenticated user group, authentication will fail.
- At the top of the screen, click System.
- At the left, click. The User Groups screen opens.
- Click the Add button.
- In the Name field, type a name for this new user group.
- From the Auth Provider list, select your TACACS+ provider.
- For the Authorization Attributes setting, in the Attribute and Value fields, type the attribute and value pair for this group's TACACS+ server.
- From the Available Roles list, select the user roles that have the privileges you want to grant to this user group and move them to the Selected list.
- Click the Save & Close button.
If this BIG-IQ is part of an HA pair, you must log in to the secondary BIG-IQ system, click System -> BIG-IQ HA, click the BIG-IQ HA Settings button, then click the Log Out & Refresh button. This procedure is required because BIG-IQ handles users and user groups differently than other data synchronized between BIG-IQ systems in an HA pair. If you don't perform this procedure, this new user cannot successfully log in to the secondary system.
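The Attribute and Value pair on the User Groups screen is compared against the attribute-value arguments the TACACS+ server returns in its authorization REPLY for the Primary Service and Protocol configured on the provider. The following is an added example, not F5 or BIG-IQ code: it parses the argument list of an authorization REPLY body (RFC 8907 section 6.2, already de-obfuscated) and works out which configured groups, and therefore which roles, a user would receive. The group names, role names and the sample reply are constructed, and the rule that a group matches when the server asserts an attribute=value pair equal to the configured one is an assumption about how BIG-IQ evaluates the pair; this page only says that the pair is typed for the group's server. A reply with a FAIL status yields no groups, which is the "authentication will fail" case described above.

```python
"""Map TACACS+ authorization REPLY arguments to BIG-IQ-style user groups.

Added example, not F5/BIG-IQ code. Group names, roles and the sample reply
are constructed; the equality-match rule is an assumption, not documented
BIG-IQ behaviour.
"""
import struct
from dataclasses import dataclass

TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


@dataclass(frozen=True)
class UserGroup:
    name: str
    attribute: str   # the Attribute field on the User Groups screen
    value: str       # the Value field
    roles: tuple     # roles moved to the Selected list


def parse_author_reply(body: bytes) -> tuple:
    """Return (status, [(attribute, value, mandatory), ...]).

    Body layout: status(1) arg_cnt(1) server_msg_len(2) data_len(2)
    arg_len[arg_cnt] server_msg data args. Each argument is "attr=value"
    (mandatory) or "attr*value" (optional), separated at the first '=' or '*'.
    """
    if len(body) < 6:
        raise ValueError("authorization reply too short")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("argument length table truncated")
    offset = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in arg_lens:
        raw = body[offset:offset + n].decode("ascii", errors="replace")
        offset += n
        sep = next((i for i, ch in enumerate(raw) if ch in "=*"), None)
        if sep is None:
            raise ValueError(f"malformed argument {raw!r}")
        args.append((raw[:sep], raw[sep + 1:], raw[sep] == "="))
    if offset != len(body):
        raise ValueError("trailing or missing bytes in authorization reply")
    return status, args


def matching_groups(groups, reply_body: bytes) -> list:
    """Groups whose attribute/value pair the server asserted (assumed rule)."""
    status, args = parse_author_reply(reply_body)
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return []
    asserted = {(attr, value) for attr, value, _ in args}
    return [g for g in groups if (g.attribute, g.value) in asserted]


def effective_roles(groups, reply_body: bytes) -> list:
    """Union of the roles of every matching group, sorted for stable output."""
    roles = set()
    for g in matching_groups(groups, reply_body):
        roles.update(g.roles)
    return sorted(roles)


def build_author_reply(status: int, args, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Constructed helper that serialises a reply so the example runs offline."""
    encoded = [a.encode("ascii") for a in args]
    head = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    return head + bytes(len(a) for a in encoded) + server_msg + data + b"".join(encoded)


if __name__ == "__main__":
    # Constructed groups: one pair per group, as on the User Groups screen.
    groups = [
        UserGroup("bigiq-admins", "role", "admin", ("Administrator",)),
        UserGroup("bigiq-viewers", "role", "viewer", ("Viewer",)),
    ]
    # Constructed server reply: PASS_ADD with one mandatory and one optional argument.
    reply = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                               ["service=system", "role=admin", "priv-lvl*15"])
    print([g.name for g in matching_groups(groups, reply)])
    print(effective_roles(groups, reply))
```

When a user who exists on the TACACS+ server still cannot log in, dumping the arguments the server actually returned, as parse_author_reply does, is the first check: a pair that differs in case, in spelling, or in the service it is attached to matches no group.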