Issues authing F5 BIG-IP devices


Eirik Zakariassen

Jan 6, 2026, 9:07:01 AM (4 days ago) Jan 6
to Event-Driven Servers
Hi Marc, and thanks for making this awesome product. I have successfully onboarded some Aruba switches and I'm currently trying to onboard some F5 devices, but I'm struggling.

I found users who have done it with tacplus but not tacplus_ng, so I'm curious whether this is a missing feature in _ng or whether my Google-fu is just terrible.

Per this repo https://github.com/f5-rahm/tacacs_server it seems that F5 devices expect the following group bits

group = adm {
  service = ppp protocol = ip {
      F5-LTM-User-Info-1 = adm
      F5-LTM-User-Console = 1
      F5-LTM-User-Role = 0
      F5-LTM-User-Partition = all
  }
}

However, that is not allowed when I try to add it to tacplus_ng; it says it did not expect "service".

Auth appears successful in tacplus_ng; however, the F5 reports "login failed".

/var/log/messages:Jan  6 13:05:46 tacplusserver tac_plus-ng[754034]: 10.20.30.40 looking for user AD-user in MAVIS backend
/var/log/messages:Jan  6 13:05:46 tacplusserver tac_plus-ng[754034]: 10.20.30.40 result for user AD-user is ACK [20 ms]
/var/log/messages:Jan  6 13:05:46 tacplusserver tac_plus-ng[754034]: 10.20.30.40 pap login for 'AD-user' on unknown succeeded (profile=admins)


Relevant config bits

device = f5 {
    address file = /etc/tacplus-ng/f5
    welcome banner = "Welcome\n to the machine"
    anonymous-enable = deny # ask for user authentication on enable
    key = randomstring

    profile admins {
        script {
            if (service == shell) {
                if (cmd == "") {
                    set priv-lvl = 15
                    permit
                }
                permit
            }
        }
    }

    group = f5adm

    rule f5 {
        enabled = yes
        script {
            if (group == f5adm) {
                profile = admins
                permit
            }
            if (group == f5aud) {
                profile = auditors
                permit
            }
            deny
        }
    }
}

Marc Huber

Jan 6, 2026, 9:27:20 AM (4 days ago) Jan 6
to event-driv...@googlegroups.com

Hi Eirik,

that legacy configuration should translate to

profile admins {
    script {
        if (service == shell) {
            if (cmd == "") {
                set priv-lvl = 15
                permit
            }
            permit
        }

        if (service == ppp && protocol == ip) {
            set F5-LTM-User-Info-1 = adm
            set F5-LTM-User-Console = 1
            set F5-LTM-User-Role = 0
            set F5-LTM-User-Partition = all
            permit
        }
    }
}

(Checking for "service == ppp" would likely be sufficient, but checking for "protocol == ip" doesn't hurt.)

Cheers,

Marc


Eirik Zakariassen

Jan 7, 2026, 2:08:32 AM (4 days ago) Jan 7
to Event-Driven Servers
Thanks a lot, Marc. That is accepted and seems to be working; however, the F5 devices still fail login. Since tacplus-ng gets an ACK from LDAP and the user is added to the profile admins per the log message, I'm assuming the issue is somewhere on the F5 side, so I'll have to open a case with them for assistance.

Eirik Zakariassen

Jan 8, 2026, 6:55:19 AM (2 days ago) Jan 8
to Event-Driven Servers
Update from my end.

I needed to change the syntax a bit for it to work. Not sure if it is just that I'm an idiot, but this works and gives the user admin privileges:

profile f5-admins {
    script {
        if (service == ppp) {
            if (protocol == ip) {
                set F5-LTM-User-Info-1 = adm
                set F5-LTM-User-Console = 1
                set F5-LTM-User-Role = 0
                set F5-LTM-User-Partition = all
                permit
            }
            permit
        }
    }
}
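
When the server logs an authentication ACK but the device still reports "login failed", the thing to inspect is the authorization REPLY that the `permit` above produces, because that is where the F5-LTM-* attributes travel. The following added example (not part of this thread or of tac_plus-ng) encodes and decodes an RFC 8907 authorization REPLY carrying exactly the four attributes from the profile above, and applies the MD5 body obfuscation so the result can be compared with a packet capture; the session id is a constructed value and the key is the placeholder from the posted config.

```python
import hashlib
import struct

# RFC 8907 authorization REPLY status: PASS_ADD = accept, add these attributes.
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_MAJOR_VER_MINOR_0 = 0xC0  # version byte used in the packet header


def f5_admin_reply_args():
    """AV pairs equivalent to the profile's 'set' lines; '=' marks them mandatory."""
    return [
        "F5-LTM-User-Info-1=adm",
        "F5-LTM-User-Console=1",
        "F5-LTM-User-Role=0",
        "F5-LTM-User-Partition=all",
    ]


def encode_author_reply(args, status=TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                        server_msg=b"", data=b""):
    """Serialise an authorization REPLY body (RFC 8907 section 6.2)."""
    raw = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(raw), len(server_msg), len(data))
    body += bytes(len(a) for a in raw)       # one length byte per argument
    return body + server_msg + data + b"".join(raw)


def decode_author_reply(body):
    """Inverse of encode_author_reply: returns (status, server_msg, data, args)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens, pos = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len
    data, pos = body[pos:pos + data_len], pos + data_len
    args = []
    for n in lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return status, server_msg, data, args


def obfuscate(body, session_id, key, seq_no=2, version=TAC_PLUS_MAJOR_VER_MINOR_0):
    """RFC 8907 section 4.5 body obfuscation: XOR with an MD5-chained pad.
    Applying it twice with the same parameters restores the clear-text body."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))
```

An authorization reply is seq_no 2 of its session, which is why the pad defaults to that value; a reply decoded from a capture that lacks the four attributes, or that carries a status other than PASS_ADD, points at the server-side script rather than the device.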

Marc Huber

Jan 8, 2026, 12:33:32 PM (2 days ago) Jan 8
to event-driv...@googlegroups.com

Hi Eirik,

thanks. The "protocol" keyword wasn't actually handled correctly; commit bfa870b20579ebd5fa34cedf17f761110d1e6410 does fix that.

Cheers,

Marc
