Manual Chapter : Use my TACACS server to authenticate and authorize BIG-IQ users

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

F5® BIG-IQ® Centralized Management can verify user credentials against your company's TACACS+ server. After you set up BIG-IQ to use your TACACS+ server, you can add users and user groups that are authenticated by your TACACS+ server.

Before integrating BIG-IQ with your TACACS+ server for authentication and authorization

Before you set up BIG-IQ® Centralized Management for authentication and authorization with your TACACS+ server, you should gather this information.

Required Information          This is                                                                                   For my TACACS+ server
Name                          The name of your TACACS+ server.
Host                          The IP address or host name of your TACACS+ server.
Port                          The TCP port number of your TACACS+ server (49 by default).
Secret                        The case-sensitive shared secret used to obfuscate and validate TACACS+ packet bodies. It must match the secret configured on the server; treat it as a credential.
Primary Service               The service that the authorization requests are made for, such as system, shell, or connection.
Protocol                      An optional subset of a service, such as telnet, ip, or http.
Test user name and password   A user name and password that authenticate successfully on your TACACS+ server.

Set up BIG-IQ to use my TACACS+ server for user authentication

Before you can set up authentication, you must have specified your DNS settings. You usually do this when you license F5® BIG-IQ® Centralized Management. You must also complete all the tasks outlined in Before integrating BIG-IQ with your TACACS+ server.

You can set up BIG-IQ to use your company's TACACS+ server for user authentication.

  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Auth Providers .
  3. Click the Add button.
  4. From the Provider Type list, select TACACS+.
  5. For the Servers setting, in the Host and Port fields, type the TACACS+ server's IP address (or fully qualified domain name) and port number for each of the servers you want to configure.
    To add more servers, just click the + button.
  6. In the Name field, type a name for this new provider.
    This must be a unique name, and can be a maximum of 152 characters.
  7. In the Primary Service field, specify what type of authorization requests will be made for this service.
    For example: system, connection, or PPP.
  8. In the Protocol field, specify an optional subset of a service.
    For example: ip, telnet, or http.
  9. For the Encrypt setting, select the Yes check box so that BIG-IQ obfuscates packet bodies with the shared secret.
    This is the TACACS+ protocol's own MD5-based obfuscation, not TLS: leave it enabled, and still keep TACACS+ traffic on a trusted management network.
  10. To verify that BIG-IQ can reach the TACACS+ server and that the shared secret is correct, in the Test User and Test Password fields, type a valid user name and password, and click the Test button.
  11. Click the Save & Close button at the bottom of the screen.
You can now associate TACACS+ server users with BIG-IQ system roles.
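The following is an added example written for this page, not F5 code, that shows what the provider's Secret and Encrypt settings mean on the wire: every TACACS+ packet body is XORed with an MD5 keystream derived from the shared secret and header fields (RFC 8907, section 4), and clearing Encrypt sets the unencrypted header flag so the body, password included, travels in the clear. The secret, session ID, user name, password, port string and remote address are constructed sample values.

```python
"""TACACS+ packet framing and body obfuscation (RFC 8907, section 4).

Added example for this page; it is not F5 BIG-IQ code. The secret, session
ID, user name, password and addresses below are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1          # minor version required for PAP
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # header flag: body is sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, secret, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: MD5(session_id + key + version
    + seq_no), then MD5 of the same prefix plus the previous digest, until
    enough bytes exist to cover the body."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, secret, version, seq_no):
    """XOR the body with the keystream; the same call reverses it."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, password, port="bigiq", rem_addr="10.0.0.5"):
    """Authentication START body for a PAP login (RFC 8907 section 5.1):
    action, priv_lvl, authen_type, authen_service, four length bytes, then
    user, port, rem_addr and data (the password, for PAP)."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)])
    return fixed + u + p + r + d


def build_packet(body, session_id, secret, seq_no, encrypt=True):
    """Frame a body with the header; encrypt=False is what clearing the
    provider's Encrypt setting would put on the wire."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    wire = obfuscate(body, session_id, secret, version, seq_no) if encrypt else body
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + wire


def parse_packet(packet, secret):
    """Recover the body; a wrong secret yields garbage, not an error."""
    if len(packet) < HEADER.size:
        raise ValueError("short TACACS+ header")
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    wire = packet[HEADER.size:HEADER.size + length]
    if len(wire) != length:
        raise ValueError("truncated TACACS+ body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return wire
    return obfuscate(wire, session_id, secret, version, seq_no)


def demo():
    """Round-trip a START packet with the right and the wrong secret."""
    secret, session_id = b"example-shared-secret", 0x5EC0DE11   # constructed
    body = authen_start_body("alice", "hunter2")
    pkt = build_packet(body, session_id, secret, seq_no=1)
    clear = build_packet(body, session_id, secret, seq_no=1, encrypt=False)
    return {
        "roundtrip_ok": parse_packet(pkt, secret) == body,
        "wrong_secret_ok": parse_packet(pkt, b"wrong-secret") == body,
        "password_visible_encrypted": b"hunter2" in pkt,
        "password_visible_clear": b"hunter2" in clear,
    }


if __name__ == "__main__":
    print(demo())
```

Two points follow from the code: a mismatched secret does not produce an error on either side, only an undecodable body, which is why the Test button in step 10 is the right place to catch a typo in the Secret field; and the keystream is MD5 chained over a static secret, so the Encrypt setting protects against casual capture but is not a substitute for a trusted network path between BIG-IQ and the server.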

Add a TACACS+ authenticated user and associate it with a role

You must set up F5® BIG-IQ® Centralized Management with your TACACS+ server settings before you can add a TACACS+ authenticated user.
Once you understand exactly who you want to perform certain tasks, you can provide them access to particular areas of BIG-IQ by adding them as a user and assigning the appropriate standardized role. You can assign as many roles as required to cover the user's responsibilities.
Important: You must associate this user with at least one role, or authentication will fail. The user's password is validated by the TACACS+ server, not stored on BIG-IQ.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users .
  3. Click the Add button.
  4. From the Auth Provider list, select TACACS+.
  5. In the User Name field, type the user name exactly as it is known to your TACACS+ server.
  6. In the Full Name field, type a name to identify this user.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  7. From the Available list, select each user role you want to associate with this user, and move it to the Selected list.
    Important: Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  8. Click the Save & Close button at the bottom of the screen.

Create a TACACS+ authenticated user group

Before you can add a TACACS+ authenticated user group, you must set up BIG-IQ® to use your company's TACACS+ server for user authentication.
You can create a user group for multiple users to authenticate through a TACACS+ server.
Important: If a user does not belong to a TACACS+ authenticated user group, authentication will fail.
  1. At the top of the screen, click System.
  2. At the left, click USER MANAGEMENT > User Groups .
    The User Groups screen opens.
  3. Click the Add button.
  4. In the Name field, type a name for this new user group.
  5. From the Auth Provider list, select TACACS+.
  6. For the Authorization Attributes setting, in the Attribute and Value fields, type the attribute-value pair that your TACACS+ server returns in its authorization reply for members of this group. A user is placed in this group only when the server's reply carries a matching pair, so the pair must be configured identically on the server.
  7. From the User Roles list, select the user role that has the privileges you want to grant to this user group.
  8. Click the Save & Close button at the bottom of the screen.
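The following is an added example written for this page, not F5 code, that ties the provider's Primary Service and Protocol fields and a group's Authorization Attributes to the TACACS+ authorization exchange (RFC 8907, section 6): the request carries service= and protocol= arguments, and the server's reply carries attribute-value pairs that are matched against the group table to decide which roles a login gets. The group table, user, attribute names and server replies are constructed sample values, and bodies are shown in the clear where on the wire they would be obfuscated with the shared secret.

```python
"""TACACS+ authorization for a BIG-IQ user group (RFC 8907, section 6).

Added example for this page, not F5 code. The group definitions, user,
attribute names and server replies below are constructed sample values;
bodies are shown in the clear, where on the wire they are obfuscated with
the provider's shared secret.
"""
import struct

TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


def author_request_body(user, service, protocol=None, port="bigiq",
                        rem_addr="10.0.0.5", priv_lvl=1):
    """Authorization REQUEST body (section 6.1). The provider's Primary
    Service and Protocol settings become the service= and protocol= args."""
    args = [f"service={service}".encode()]
    if protocol:
        args.append(f"protocol={protocol}".encode())
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                   TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(u), len(p), len(r), len(args)])
    return fixed + bytes(len(a) for a in args) + u + p + r + b"".join(args)


def author_reply_body(status, args, server_msg=b"", data=b""):
    """Authorization REPLY body (section 6.2), as a server would build it."""
    args = [a.encode() for a in args]
    return (bytes([status, len(args)]) + struct.pack("!HH", len(server_msg), len(data))
            + bytes(len(a) for a in args) + server_msg + data + b"".join(args))


def parse_author_reply(body):
    """Return (status, server_msg, {attribute: value}). An argument is
    attr=value (mandatory) or attr*value (optional); the first '=' or '*'
    is the separator."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
    off = 6
    arg_lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len            # skip server_msg and data
    attrs = {}
    for n in arg_lens:
        raw = body[off:off + n].decode("ascii")
        off += n
        seps = [i for i, c in enumerate(raw) if c in "=*"]
        if not seps:
            raise ValueError(f"malformed authorization argument {raw!r}")
        attrs[raw[:seps[0]]] = raw[seps[0] + 1:]
    if off != len(body):
        raise ValueError("trailing bytes in authorization reply")
    return status, server_msg, attrs


# Constructed group table: (group name, attribute, value, BIG-IQ roles),
# standing in for the Authorization Attributes configured per user group.
GROUPS = [
    ("bigiq-admins", "bigiq-group", "admins", ["Administrator"]),
    ("bigiq-viewers", "bigiq-group", "viewers", ["Device Viewer"]),
]


def roles_for_reply(reply_body, groups=GROUPS):
    """Map the server's attribute-value pairs onto group roles. No match
    means no group, and the page says such a login fails."""
    status, _msg, attrs = parse_author_reply(reply_body)
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return []
    roles = []
    for _name, attr, value, group_roles in groups:
        if attrs.get(attr) == value:
            roles.extend(group_roles)
    return roles


if __name__ == "__main__":
    reply = author_reply_body(TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                              ["bigiq-group=admins", "priv-lvl*15"])
    print(author_request_body("alice", "shell", "ip"))
    print(roles_for_reply(reply))
```

The matching is exact on both attribute and value, so a server that returns a pair in a different case, with a trailing space, or under an attribute name that differs from the one typed into the Attribute field leaves the user in no group, which surfaces as a failed login rather than a permission error.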