Manual Chapter : Configuring Remote TACACS Authentication

Applies To:


BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Link Controller

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Analytics

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP PEM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Configuring Remote TACACS+ Authentication

Overview of remote authentication for application traffic

As an administrator in a large computing environment, you can set up the BIG-IP® system to use a remote authentication server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:

  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-in User Service (RADIUS)
  • TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
  • Online Certificate Status Protocol (OCSP)
  • Certificate Revocation List Distribution Point (CRLDP)
  • Kerberos

To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.

Task Summary

To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts.

Task list

Creating a TACACS+ configuration object

A TACACS+ configuration object specifies information that the BIG-IP system needs to perform the remote authentication. For example, the configuration object specifies the IP address of the remote TACACS+ server.
  1. On the Main tab of the navigation pane, click Local Traffic > Profiles.
  2. From the Authentication menu, choose Configurations.
  3. Click Create.
  4. In the Name field, type a unique name for the configuration object, such as my_tacacs_config.
  5. From the Type list, select TACACS+.
  6. For the Servers setting, select a server name in the Available list, and using the Move button, move the name to the Selected list.
  7. In the Secret field, type the shared secret used to encrypt and decrypt packets sent to or received from the server.
    Do not use the pound sign ( # ) in the secret for TACACS+ servers.
  8. In the Confirm Secret field, re-type the secret you specified in the Secret field.
  9. From the Encryption list, select an encryption option:
    • Enabled: Choose this option if you want the system to encrypt the TACACS+ packets.
    • Disabled: Choose this option if you want the system to send unencrypted TACACS+ packets.
  10. In the Service Name field, type the name of the service for which the user is requesting authentication; typically, ppp.
    Specifying the service makes it possible for the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell, tty-daemon, connection, system, and firewall.
  11. In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Name field.
    This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, stalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
  12. Click Finished.
You now have a configuration object that a TACACS+ authentication profile can reference.
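The Secret and Encryption settings above map onto the TACACS+ wire protocol, and seeing that mapping in code makes clear what each one protects. The following is an added example, not F5 code and not the BIG-IP's implementation: it frames a TACACS+ authentication START packet and applies the body obfuscation defined in RFC 8907 (a chained-MD5 keystream derived from the session id, the shared secret, the version byte and the sequence number, XORed over the body). The assumption that the Encryption list's Disabled option corresponds to the protocol's unencrypted flag is the example's own; the shared secret, session id, user name, port and address are constructed values.

```python
"""TACACS+ framing and body obfuscation as specified in RFC 8907.

Added illustration, not F5 code: the session id, shared secret, user name,
port and remote address below are constructed values.
"""
import hashlib
import struct

# Header constants (RFC 8907 section 4.1)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # flag bit: body is sent without obfuscation

# Authentication START field values (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_PPP = 0x03     # the "ppp" service named in the configuration object

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!BBBBBBBB")


def check_secret(secret: str) -> bool:
    """BIG-IP restriction stated in the procedure above: no '#' in a TACACS+ secret."""
    return len(secret) > 0 and "#" not in secret


def pseudo_pad(session_id: int, secret: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5 chain over session_id, secret, version, seq_no and the previous digest."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, secret: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keystream; applying it twice restores the body."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, service: int = TAC_PLUS_AUTHEN_SVC_PPP) -> bytes:
    """Authentication START body for an ASCII login at priv_lvl 1 with an empty data field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII, service,
                             len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body: bytes, session_id: int, seq_no: int, secret: bytes,
                 encryption_enabled: bool, pkt_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Frame a body; encryption_enabled=False sets the unencrypted flag and sends the body as-is."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    if encryption_enabled:
        flags, payload = 0, obfuscate(body, session_id, secret, version, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(version, pkt_type, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet: bytes, secret: bytes) -> dict:
    """Parse a frame and recover the body, honouring the unencrypted flag."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload
    else:
        body = obfuscate(payload, session_id, secret, version, seq_no)
    return {"type": pkt_type, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def demo(encryption_enabled: bool) -> dict:
    """Build a START packet from constructed values, parse it back, and report what was on the wire."""
    secret = b"example-shared-secret"                        # constructed
    session_id, seq_no = 0x1A2B3C4D, 1                       # constructed; a client START has seq_no 1
    body = authen_start_body("alice", "tty0", "192.0.2.10")  # constructed
    pkt = build_packet(body, session_id, seq_no, secret, encryption_enabled)
    parsed = parse_packet(pkt, secret)
    parsed["round_trip_ok"] = parsed["body"] == body
    parsed["user_visible_on_wire"] = b"alice" in pkt
    return parsed


if __name__ == "__main__":
    for enabled in (True, False):
        r = demo(enabled)
        print(f"encryption={'Enabled' if enabled else 'Disabled'} flags={r['flags']:#04x} "
              f"round_trip={r['round_trip_ok']} user_in_clear={r['user_visible_on_wire']}")
```

Two points follow from the code. With Encryption set to Disabled, the user name (and, in later packets of the exchange, the password) crosses the network in the clear, so that option belongs only on a network you already trust. With Encryption Enabled, the protection is the RFC 8907 MD5 keystream, which is only as strong as the shared secret and is not authenticated encryption; keep the secret long and random, distinct per device, and run the BIG-IP-to-TACACS+ path over a management network you control. The '#' restriction is a BIG-IP rule from this procedure, not a limitation of the protocol.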

Creating a custom TACACS+ profile

The next task in configuring TACACS+-based remote authentication on the BIG-IP® system is to create a custom TACACS+ profile.
  1. On the Main tab, click Local Traffic > Profiles > Authentication > Profiles.
    The Profiles list screen opens.
  2. Click Create.
    The New Authentication Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select TACACS+ from the Type list.
  5. Select tacacs in the Parent Profile list.
  6. Select the TACACS+ configuration object that you created from the Configuration list.
  7. Click Finished.
The custom TACACS+ profile appears in the Profiles list.

Modifying a virtual server for TACACS+ authentication

The final task in the process of implementing authentication using a remote TACACS+ server is to assign the custom TACACS+ profile and an existing default authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of a virtual server.
  3. From the Configuration list, select Advanced.
  4. For the Authentication Profiles setting, in the Available field, select a custom TACACS+ profile, and using the Move button, move the custom TACACS+ profile to the Selected field.
  5. Click Update to save the changes.
The virtual server is assigned the custom TACACS+ profile.