Configure TACACS+ authentication on a BIG-IQ
Overview
You can use the REST API to configure the BIG-IQ so that users can be authenticated with a TACACS+ server.
Prerequisites
This example assumes the following.
- The BIG-IQ is operational, has completed setup and has all system-level configuration in place.
- When performing the tasks in this example, you will review the TACACS+ configuration settings and change them as appropriate for your environment.
Description
You configure TACACS+ authentication on BIG-IQ as follows:
- Perform a POST on the providers/tacplus/evaluate URI to test TACACS+ configuration settings and connectivity.
- Perform a POST to the providers/tacplus URI to create the TACACS+ authentication provider on the BIG-IQ.
- Perform a POST on the TACACS+ provider's group collection to create a user group.
- Log in as the user to obtain a token.
1. Perform a POST on the providers/tacplus/evaluate URI to test TACACS+ configuration settings and connectivity.
Perform a POST to verify your connectivity to the servers you have listed in the servers field of the POST request body. This also confirms that the BIG-IQ can bind to the TACACS+ server with the supplied user credentials. The response indicates which servers could be verified and which could not.
POST: https://<BIG-IQ>/mgmt/cm/system/authn/providers/tacplus/evaluate
The JSON in the body of the request can look similar to the following.
{
  "providerState": {
    "name": "tacplus-sample",
    "servers": [
      {
        "host": "198.51.100.0",
        "port": 49
      }
    ],
    "secret": "secret",
    "service": "ppp",
    "protocol": "ip"
  },
  "username": "user_rw",
  "password": "user_rw_pw"
}
The JSON in the body of the response can look similar to the following. Note that the response echoes the username and password you supplied, so treat captured evaluate responses as sensitive.
{
  "failed": [],
  "generation": 0,
  "kind": "cm:system:authn:providers:tacplus:evaluate:tacplusevaluatestate",
  "lastUpdateMicros": 0,
  "password": "user_rw_pw",
  "providerState": {
    "encryptedSecret": "2M1TAthjEfozJm+J0meQgaTzbEkq7ljs5UAM1TAtzbD=",
    "generation": 0,
    "isUnencrypted": false,
    "lastUpdateMicros": 0,
    "name": "tacplus-sample",
    "protocol": "ip",
    "servers": [
      {
        "host": "198.51.100.0",
        "port": 49
      }
    ],
    "service": "ppp",
    "timeoutMillis": 15000
  },
  "succeeded": [
    {
      "host": "198.51.100.0",
      "port": 49
    }
  ],
  "username": "user_rw"
}
2. Perform a POST to the providers/tacplus URI to create the TACACS+ authentication provider on the BIG-IQ.
Perform a POST to the TACACS+ collection URI to create the authentication provider. The following fields can be set in the JSON body.
Name | Type | Default | Description |
---|---|---|---|
protocol | string | none | Protocol used to specify subset of service |
secret | string | none | Secret for the TACACS+ server |
servers.host | string | none | IP address for the TACACS+ server |
servers.port | string | none | Port number for the TACACS+ server |
service | string | none | Authentication requests are made for this service |
POST: https://<BIG-IQ>/mgmt/cm/system/authn/providers/tacplus
The JSON in the body of the request can look similar to the following.
{
  "name": "tacplus-sample",
  "servers": [
    {
      "host": "198.51.100.0",
      "port": 49
    }
  ],
  "secret": "secret",
  "service": "ppp",
  "protocol": "ip"
}
The JSON in the body of the response can look similar to the following.
{
  "encryptedSecret": "hRejy556e+XsVFmit/5MqqxpYKMhdfUaZAiyqoqswAY=",
  "generation": 1,
  "groupsReference": {
    "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups"
  },
  "id": "c476764d-8f43-4967-a2be-781c88382edd",
  "isUnencrypted": false,
  "kind": "cm:system:authn:providers:tacplus:tacplusproviderstate",
  "lastUpdateMicros": 1509664915415516,
  "loginReference": {
    "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/login"
  },
  "name": "tacplus-sample",
  "protocol": "ip",
  "selfLink": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd",
  "servers": [
    {
      "host": "198.51.100.0",
      "port": 49
    }
  ],
  "service": "ppp",
  "timeoutMillis": 15000,
  "usersReference": {
    "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/users"
  }
}
3. Perform a POST on the TACACS+ provider's group collection to create a user group.
To create a group to which the user is automatically assigned at login, send a POST request to the TACACS+ provider's group collection. Use the attribute-value pairs in the propertyMap of the request body to specify which users the group matches.
POST: https://<BIG-IQ>/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups
The JSON in the body of the request can look similar to the following.
{
  "name": "sample-tac-group",
  "propertyMap": {
    "F5-LTM-User-Role": "0"
  }
}
The JSON in the body of the response can look similar to the following.
{
  "generation": 1,
  "id": "17cee877-3ec7-3bbb-8779-d755134d11e5",
  "kind": "cm:system:authn:providers:tacplus:tacplusgroupstate",
  "lastUpdateMicros": 1509665192289284,
  "name": "sample-tac-group",
  "propertyMap": {
    "F5-LTM-User-Role": "0"
  },
  "selfLink": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups/17cee877-3ec7-3bbb-8779-d755134d11e5"
}
4. Log in as the user to obtain a token.
After completing the previous steps, you can obtain an authentication token for a user that exists on the TACACS+ server by making a POST to the login endpoint. This token can be used in subsequent requests and is authorized to access any resources that the user's user reference or group references have permission to access.
POST: https://<BIG-IQ>/mgmt/shared/authn/login
The JSON in the body of the request can look similar to the following.
{
  "username": "user_rw",
  "password": "user_rw_pw",
  "loginReference": {
    "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/login"
  }
}
The JSON in the body of the response can look similar to the following. It contains a short-lived access token (type ACCESS, timeout in seconds) and a longer-lived refresh token (type REFRESH); the token values are elided here.
{
  "generation": 24,
  "lastUpdateMicros": 1509665299382318,
  "loginReference": {
    "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/login"
  },
  "refreshToken": {
    "address": "192.168.43.70",
    "authProviderName": "tacplus-sample",
    "exp": 1509701299,
    "generation": 76,
    "groupReferences": [
      {
        "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups/17cee877-3ec7-3bbb-8779-d755134d11e5"
      }
    ],
    "iat": 1509665299,
    "jti": "f4RPCbQEL3iW-_CtCICH4w",
    "kind": "shared:authz:tokens:authtokenitemstate",
    "lastUpdateMicros": 1509665299381550,
    "selfLink": "https://localhost/mgmt/shared/authz/tokens/<refresh token omitted>",
    "timeout": 36000,
    "token": "<refresh token omitted>",
    "type": "REFRESH",
    "user": {
      "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/users/eee9c25a-cb14-3f37-8ddf-5919857c975b"
    },
    "userName": "user_rw"
  },
  "token": {
    "address": "192.168.43.70",
    "authProviderName": "tacplus-sample",
    "exp": 1509665599,
    "generation": 75,
    "groupReferences": [
      {
        "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups/17cee877-3ec7-3bbb-8779-d755134d11e5"
      }
    ],
    "iat": 1509665299,
    "jti": "0VNIFhTz9pfON2rKso2RHQ",
    "kind": "shared:authz:tokens:authtokenitemstate",
    "lastUpdateMicros": 1509665299361757,
    "selfLink": "https://localhost/mgmt/shared/authz/tokens/<access token omitted>",
    "timeout": 300,
    "token": "<access token omitted>",
    "type": "ACCESS",
    "user": {
      "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/users/eee9c25a-cb14-3f37-8ddf-5919857c975b"
    },
    "userName": "user_rw"
  },
  "username": "user_rw"
}