How to: Configure TACACS+ Auth Provider using BIG-IP Next Central Manager
Overview
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol that remotely authenticates and authorizes users. You can configure the TACACS+ protocol for authenticating BIG-IP Next Central Manager users.
Summary
Procedure
Configure TACACS+ for user authentication
Log in to BIG-IP Next Central Manager as admin.
Click the Workspace icon next to the F5 icon, click System, and then click Auth Providers. The New Auth Providers screen opens.
Select the TACACS+ checkbox from the Select Provider Types drop-down in the External Authentication Provider section.
Click the Configure button next to TACACS+. A new screen appears, allowing you to enable and configure the TACACS+ authentication provider.
Turn on the radio button to Enable this Auth Provider.
Note: The administrator can Enable or Disable the Auth provider. When disabled, users will be unable to log in using the TACACS+ Auth provider on the BIG-IP Next Central Manager login screen.
In the Server settings, click the Start Adding button or click + Add Row to add an authentication server.
Host: Specifies the name of the primary TACACS+ server.
Port: Specifies the port for primary TACACS+ server communications. The default is 49.
Note: You can click + Add Row to add more servers.
Secret: Specifies the shared secret for the TACACS+ server.
To delete a server from the list, select the checkbox next to the server, then click Remove in the top right corner.
Note: At least one server is required to enable the Remove button.
For the Secret, specify the secret password for your TACACS+ server.
In the Primary Service field, type the name of the service for which the user requests authentication, typically ppp.
In the Protocol field, type the name of the protocol associated with the value specified in the Primary Service field.
In the Socket Connect Timeout field, type the number of seconds after which the BIG-IP Next Central Manager stops trying to authenticate a user or user group.
In the Read Timeout field, type the number of seconds BIG-IP Next Central Manager will wait for a response to a query.
To verify these settings, type a Test User Name and the Test Password, and click the Test button. If the test connection is successful, a Success message will appear.
Click Save. The Auth Providers screen displays with TACACS+ Configured as the External Authentication Provider.
Add a TACACS+ user to the BIG-IP Next Central Manager
Log in to BIG-IP Next Central Manager as admin.
Click the Workspace icon next to the F5 logo and then click System.
On the left, click Users.
Click the + Add button on the right. The New User panel opens.
In the Properties section, select TACACS+ as the Auth Provider from the drop-down.
Enter a Username and optional Display Name and Email Address.
Select the Standard Role or Administrator role you want to assign to this user.
Note: If you choose the Standard role, you can assign multiple roles to a single user. Refer to How to: Assign standard roles to users.
Click the Add User button.
Log in as a TACACS+ user on the BIG-IP Next Central Manager
On the BIG-IP Next Central Manager Login screen, select TACACS+ as the Auth Provider from the drop-down menu, then enter your User Name and Password.
Note: If you select TACACS+ as the Auth Provider, users will not have the option to change their passwords.
Edit the TACACS+ Configuration
Log in to BIG-IP Next Central Manager as admin.
Click the Workspace icon next to the F5 icon, click System, and then click Auth Providers.
In the External Authentication Provider section, click the edit icon next to TACACS+ Configured. A new screen displays to enable and configure the TACACS+ Auth provider.
Modify the settings for the TACACS+ server and click Save.
Modify a Role for the TACACS+ User
Log in to BIG-IP Next Central Manager as admin.
Click the Workspace icon next to the F5 logo and then click System.
On the left, click Users.
Click the username whose role you want to modify. The User Information screen displays.
In the Assign Role(s) section, you can change a user role from Standard Role to Administrator or from Administrator to Standard Role.
Click the Save button.
Prerequisite
Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Procedures
To configure TACACS+ users using Central Manager APIs:
Configure the TACACS+ server by sending a POST request to the /v1/spaces/default/auth-providers endpoint.
POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/auth-providers
For the request payload, use the following example and substitute appropriate values as required.
{
"provider_type": "TACACS+",
"content": {
"primary_service": "ppp",
"servers": [
{
"host": "{{tacacs_server}}",
"port": {{tacacs_port}}
}
],
"secret": "xyznetworks"
}
}
For more information about configuring a TACACS+ server using BIG-IP Next Central Manager APIs, see the OpenAPI documentation.
Test the user availability on the TACACS+ server by sending a POST request to the /spaces/default/auth-providers/validate endpoint.
POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/auth-providers/validate
For the request payload, use the following example, substituting appropriate values for the server and the user you want to validate.
{
"provider_type": "TACACS+",
"validation_type": "authenticateUser",
"name": "TACACS+",
"content": {
"servers": [
{
"host": "{{tacacs_host}}",
"port": {{tacacs_port}}
}
],
"secret": "xyznetworks"
},
"username": "{{tacacs_user}}",
"password": "{{tacacs_user_password}}"
}
For more information about validating a TACACS+ server using BIG-IP Next Central Manager APIs, see the OpenAPI documentation.
Create a TACACS+ user with a role such as Administrator or Standard by sending a POST request to the /system/v1/users endpoint.
POST https://{{cm_mgmt_ip}}/api/system/v1/users
For the request payload, use the following example, modifying the values as required. role_type: Change the role type to Administrator or Standard as required. For a TACACS+ user, provider_type and provider_name must be TACACS+.
{
"username": "{{tacacs_user}}",
"password": "",
"role_type": "Administrator",
"provider_type": "TACACS+",
"provider_name": "TACACS+"
}
For more information about creating users using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
Retrieve the list of roles with IDs by sending a GET request to the /system/v1/roles endpoint.
GET https://{{cm_mgmt_ip}}/api/system/v1/roles
For more information about retrieving the list of roles using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
Assign roles to TACACS+ users by sending a POST request to the /system/v1/users/{tacacs_user_id}/roles endpoint.
POST https://{{cm_mgmt_ip}}/api/system/v1/users/{tacacs_user_id}/roles
For the request payload, use the following example, substituting appropriate values as required.
role_ids: Change the role ids as per the requirement.
{
"role_ids": [
"{{admin-role-id}}"
]
}
For more information about assigning roles to users using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
Test the TACACS+ server connection by sending a POST request to the /system/v1/auth-providers/login endpoint.
POST https://{{cm_mgmt_ip}}/api/system/v1/auth-providers/login
For the request payload, use the following example, substituting appropriate values as required.
{
"provider_type": "TACACS+",
"name": "TACACS+",
"username": "{{tacacs_user_1}}",
"password": "{{tacacs_user_1_password}}"
}
Log in as the created user by sending a POST request to the /api/login endpoint.
POST https://{{cm_mgmt_ip}}/api/login
{
"username": "test",
"password": "test",
"provider_type": "TACACS+",
"provider_name": "TACACS+"
}
Log out a user by sending a POST request to the /api/logout endpoint.
POST https://{{cm_mgmt_ip}}/api/logout
For more information about this request, see OpenAPI documentation.
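The API procedure above as one script, added here as an example and not F5's own code: a stdlib-only Python client that issues the page's requests in the page's order (configure, validate, create user, list and assign roles, log in), with the HTTP transport injectable so the call sequence can be exercised offline. It assumes the token from the prerequisite login step is sent as a Bearer token and that the caller extracts the new user's id from the create-user reply; endpoint paths and payload keys are the page's own, and any addresses or secrets passed in are constructed sample values.

```python
import json
import urllib.request
from typing import Callable, Optional

# transport(method, url, json_body_or_None, headers) -> decoded JSON reply
Transport = Callable[[str, str, Optional[dict], dict], dict]


def urllib_transport(method: str, url: str, body: Optional[dict], headers: dict) -> dict:
    """Default transport on the standard library: sends JSON, returns the decoded JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


class CMTacacsClient:
    def __init__(self, cm_mgmt_ip: str, token: str, transport: Transport = urllib_transport):
        self.base = f"https://{cm_mgmt_ip}/api"
        # Assumption: the token obtained from /api/login is presented as a Bearer token.
        self.headers = {"Authorization": f"Bearer {token}"}
        self.send = transport

    def _post(self, path: str, body: dict) -> dict:
        return self.send("POST", self.base + path, body, self.headers)

    def configure_provider(self, host: str, port: int, secret: str, service: str = "ppp") -> dict:
        content = {"primary_service": service, "servers": [{"host": host, "port": port}], "secret": secret}
        return self._post("/v1/spaces/default/auth-providers", {"provider_type": "TACACS+", "content": content})

    def validate_user(self, host: str, port: int, secret: str, user: str, pw: str) -> dict:
        # Proves reachability, the shared secret and the user's credentials before any CM user exists.
        body = {"provider_type": "TACACS+", "validation_type": "authenticateUser", "name": "TACACS+",
                "content": {"servers": [{"host": host, "port": port}], "secret": secret},
                "username": user, "password": pw}
        return self._post("/v1/spaces/default/auth-providers/validate", body)

    def create_user(self, user: str, role_type: str = "Standard") -> dict:
        # password stays empty: the TACACS+ server, not Central Manager, holds the credential.
        body = {"username": user, "password": "", "role_type": role_type,
                "provider_type": "TACACS+", "provider_name": "TACACS+"}
        return self._post("/system/v1/users", body)

    def list_roles(self) -> dict:
        return self.send("GET", self.base + "/system/v1/roles", None, self.headers)

    def assign_roles(self, user_id: str, role_ids: list) -> dict:
        return self._post(f"/system/v1/users/{user_id}/roles", {"role_ids": role_ids})

    def login(self, user: str, pw: str) -> dict:
        # Unauthenticated call, so no Bearer header is sent.
        body = {"username": user, "password": pw, "provider_type": "TACACS+", "provider_name": "TACACS+"}
        return self.send("POST", self.base + "/login", body, {})
```

Run validate_user first and stop on a failure reply; a user created before the server, port and secret are proven correct cannot log in and is easy to forget about.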