Thursday, 8 August 2019

F5 tacacs accounting

To enable tacacs+ accounting on a LTM you need to make the changes from the tmsh. This our configured on  11.6.x


ken.felix@(BIGGIESMALLS)(cfg-sync Standalone)(Active)(/Common)(tmos)# list auth tacacs
auth tacacs system-auth {
    debug enabled
    protocol ip
    secret  T3jd83k3l31GE00f
    servers { 172.16.18.11  172.16.19.11}
    service ppp
}



and the following for  the logging accounting was set via the modify;

ken.felix@(BIGGIESMALLS)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db config.audit*
sys db config.auditing {
    value "enable"
}
sys db config.auditing.forward.destination {
    value "10.52.1.10"
}
sys db config.auditing.forward.sharedsecret {
    value " T3jd83k3l31GE00f*"
}
sys db config.auditing.forward.type {
    value "tacacs+"
}
sys db config.auditing.truncate {
    value "disable"
}


e.g

modify sys db config.auditing.forward.sharedsecret value T3jd83k3l31GE00f




For tacacs+ roles ;


auth remote-role {
    role-info {
        F5operator {
            attribute F5-LTM-User-Info-1=operator
            console tmsh
            line-order 4
            role operator
            user-partition All
        }
        ResourceAdministrator {
            attribute F5-LTM-User-Info-1=resource
            console tmsh
            line-order 3
            role resourceadmin
            user-partition All
        }
        auditor {
            attribute F5-LTM-User-Info-1=auditor
            console tmsh
            line-order 1
            role auditor
            user-partition All
        }
        guest {
            attribute F5-LTM-User-Info-1=guest
            line-order 2
            role guest
            user-partition All
        }
    }
}


And for tac_plusd


group = F5admin {
     default service = permit
     pap = PAM
      service = ppp protocol = ip {
      F5-LTM-User-Console = 0
      }

}




group = F5resource {
 pap = PAM
 service = ppp protocol = ip {
 F5-LTM-User-Info-1 = resource
 F5-LTM-User-Console = 1
 F5-LTM-User-Role = 20
 }
}


group = F5operator  {
 pap = PAM
 service = ppp protocol = ip {
 F5-LTM-User-Info-1 = operator
 F5-LTM-User-Console = 1
 F5-LTM-User-Role = 400
 }
}


group = F5manager {
 pap = PAM
 service = ppp protocol = ip {
 F5-LTM-User-Info-1 = manager
 F5-LTM-User-Console = 1
 F5-LTM-User-Role = 100
 }
}



group = F5guest {
 pap = PAM
 service = ppp protocol = ip {
 F5-LTM-User-Info-1 = guest
 F5-LTM-User-Console = 1
 F5-LTM-User-Role = 700
 F5-LTM-User-Partition = all
 }
}

No comments:

Post a Comment

iRule

  iRule: -- o iRule is a powerful and flexible feature within the BIG-IP local traffic management (LTM). o IRule is a powerful & flexibl...