Configure TACACS+ authentication on a BIG-IQ

Overview

You can use the REST API to configure the BIG-IQ so that users can be authenticated with a TACACS+ server.

Prerequisites

This example assumes the following.

  • The BIG-IQ is operational, has completed setup and has all system-level configuration in place.
  • When performing the tasks in this example, you will review the TACACS+ configuration settings and change them as appropriate for your environment.

Description

You configure TACACS+ authentication on BIG-IQ as follows:

  1. Perform a POST on the providers/tacplus/evaluate URI to test TACACS+ configuration settings and connectivity.
  2. Perform a POST to the providers/tacplus URI to create the TACACS+ authentication provider on the BIG-IQ.
  3. Perform a POST on the TACACS+ provider’s group collection to create a user group.
  4. Log in as the user to obtain a token.

1. Perform a POST on the providers/tacplus/evaluate URI to test TACACS+ configuration settings and connectivity.

Perform a POST to verify connectivity to the servers listed in the servers field of the request body. This also confirms that the BIG-IQ can bind to the TACACS+ server with the supplied credentials. The response indicates which servers could be verified (succeeded) and which could not (failed).

POST: https://<BIG-IQ>/mgmt/cm/system/authn/providers/tacplus/evaluate

The JSON in the body of the request can look similar to the following.

{
  "providerState": {
    "name":"tacplus-sample",
    "servers":[
      {
        "host":"198.51.100.0",
        "port":49
      }
    ],
    "secret":"secret",
    "service":"ppp",
    "protocol":"ip"
  },
  "username":"user_rw",
  "password":"user_rw_pw"
}

The JSON in the body of the response can look similar to the following.

{
    "failed": [],
    "generation": 0,
    "kind": "cm:system:authn:providers:tacplus:evaluate:tacplusevaluatestate",
    "lastUpdateMicros": 0,
    "password": "user_rw_pw",
    "providerState": {
        "encryptedSecret": "2M1TAthjEfozJm+J0meQgaTzbEkq7ljs5UAM1TAtzbD=",
        "generation": 0,
        "isUnencrypted": false,
        "lastUpdateMicros": 0,
        "name": "tacplus-sample",
        "protocol": "ip",
        "servers": [
            {
                "host": "198.51.100.0",
                "port": 49
            }
        ],
        "service": "ppp",
        "timeoutMillis": 15000
    },
    "succeeded": [
        {
            "host": "198.51.100.0",
            "port": 49
        }
    ],
    "username": "user_rw"
}

2. Perform a POST to the providers/tacplus URI to create the TACACS+ authentication provider on the BIG-IQ.

Perform a POST to the TACACS+ collection URI to create the authentication provider. The following fields can be set in the JSON body.

  Name          Type    Default  Description
  protocol      string  none     Protocol used to specify a subset of the service
  secret        string  none     Shared secret for the TACACS+ server
  servers.host  string  none     IP address of the TACACS+ server
  servers.port  string  none     Port number of the TACACS+ server
  service       string  none     Authentication requests are made for this service

POST: https://<BIG-IQ>/mgmt/cm/system/authn/providers/tacplus

The JSON in the body of the request can look similar to the following.

{
    "name":"tacplus-sample",
    "servers":[
      {
        "host":"198.51.100.0",
        "port":49
      }
    ],
    "secret":"secret",
    "service":"ppp",
    "protocol":"ip"
}

The JSON in the body of the response can look similar to the following.

{
    "encryptedSecret": "hRejy556e+XsVFmit/5MqqxpYKMhdfUaZAiyqoqswAY=",
    "generation": 1,
    "groupsReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups"
    },
    "id": "c476764d-8f43-4967-a2be-781c88382edd",
    "isUnencrypted": false,
    "kind": "cm:system:authn:providers:tacplus:tacplusproviderstate",
    "lastUpdateMicros": 1509664915415516,
    "loginReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/login"
    },
    "name": "tacplus-sample",
    "protocol": "ip",
    "selfLink": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd",
    "servers": [
        {
            "host": "198.51.100.0",
            "port": 49
        }
    ],
    "service": "ppp",
    "timeoutMillis": 15000,
    "usersReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/users"
    }
}

3. Perform a POST on the TACACS+ provider’s group collection to create a user group.

To create a group to which the user is automatically assigned at login, send a POST request to the TACACS+ provider's group collection. Use the attribute-value pairs in the body of the request to specify the group.

POST: https://<BIG-IQ>/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups

The JSON in the body of the request can look similar to the following.

{
    "name":"sample-tac-group",
    "propertyMap": {
        "F5-LTM-User-Role": "0"
    }
}

The JSON in the body of the response can look similar to the following.

{
    "generation": 1,
    "id": "17cee877-3ec7-3bbb-8779-d755134d11e5",
    "kind": "cm:system:authn:providers:tacplus:tacplusgroupstate",
    "lastUpdateMicros": 1509665192289284,
    "name": "sample-tac-group",
    "propertyMap": {
        "F5-LTM-User-Role": "0"
    },
    "selfLink": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups/17cee877-3ec7-3bbb-8779-d755134d11e5"
}

4. Log in as the user to obtain a token.

After completing the previous steps, you can obtain an authentication token for a user that exists on the TACACS+ server by making a POST to the login endpoint. The token can be used in subsequent requests and is authorized to access any resources that the user reference or group references have permission to access.

POST: https://<BIG-IQ>/mgmt/shared/authn/login

The JSON in the body of the request can look similar to the following.

{
    "username": "user_rw",
    "password": "user_rw_pw",
    "loginReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/login"
    }
}

The JSON in the body of the response can look similar to the following.

{
    "generation": 24,
    "lastUpdateMicros": 1509665299382318,
    "loginReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/login"
    },
    "refreshToken": {
        "address": "192.168.43.70",
        "authProviderName": "tacplus-sample",
        "exp": 1509701299,
        "generation": 76,
        "groupReferences": [
            {
                "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups/17cee877-3ec7-3bbb-8779-d755134d11e5"
            }
        ],
        "iat": 1509665299,
        "jti": "f4RPCbQEL3iW-_CtCICH4w",
        "kind": "shared:authz:tokens:authtokenitemstate",
        "lastUpdateMicros": 1509665299381550,
        "selfLink": "https://localhost/mgmt/shared/authz/tokens/<refresh token elided>",
        "timeout": 36000,
        "token": "<refresh token elided>",
        "type": "REFRESH",
        "user": {
            "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/users/eee9c25a-cb14-3f37-8ddf-5919857c975b"
        },
        "userName": "user_rw"
    },
    "token": {
        "address": "192.168.43.70",
        "authProviderName": "tacplus-sample",
        "exp": 1509665599,
        "generation": 75,
        "groupReferences": [
            {
                "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/user-groups/17cee877-3ec7-3bbb-8779-d755134d11e5"
            }
        ],
        "iat": 1509665299,
        "jti": "0VNIFhTz9pfON2rKso2RHQ",
        "kind": "shared:authz:tokens:authtokenitemstate",
        "lastUpdateMicros": 1509665299361757,
        "selfLink": "https://localhost/mgmt/shared/authz/tokens/<access token elided>",
        "timeout": 300,
        "token": "<access token elided>",
        "type": "ACCESS",
        "user": {
            "link": "https://localhost/mgmt/cm/system/authn/providers/tacplus/c476764d-8f43-4967-a2be-781c88382edd/users/eee9c25a-cb14-3f37-8ddf-5919857c975b"
        },
        "userName": "user_rw"
    },
    "username": "user_rw"
}