To enable TACACS+ accounting on an LTM you need to make the changes from tmsh. This was configured on 11.6.x. Note that `list auth tacacs` prints the shared secret in clear text, so treat saved copies of this output as sensitive, and that `debug enabled` is a troubleshooting setting that should be turned back off once accounting is confirmed to be working.
ken.felix@(BIGGIESMALLS)(cfg-sync Standalone)(Active)(/Common)(tmos)# list auth tacacs
auth tacacs system-auth {
debug enabled
protocol ip
secret T3jd83k3l31GE00f
servers { 172.16.18.11 172.16.19.11}
service ppp
}
ken.felix@(BIGGIESMALLS)(cfg-sync Standalone)(Active)(/Common)(tmos)# list auth tacacs
auth tacacs system-auth {
debug enabled
protocol ip
secret T3jd83k3l31GE00f
servers { 172.16.18.11 172.16.19.11}
service ppp
}
and the following db variables for accounting forwarding were set via `modify sys db` (the forwarding destination 10.52.1.10 is a different host from the two authentication servers listed above, so its reachability and key have to be checked separately):
ken.felix@(BIGGIESMALLS)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db config.audit*
sys db config.auditing { value "enable" }
sys db config.auditing.forward.destination { value "10.52.1.10" }
sys db config.auditing.forward.sharedsecret { value " T3jd83k3l31GE00f*" }
sys db config.auditing.forward.type { value "tacacs+" }
sys db config.auditing.truncate { value "disable" }
e.g. (note that the stored sharedsecret shown above contains a leading space and a trailing `*` inside the quotes, which is not what the command below sets; the value must match the accounting server's key exactly, otherwise the server cannot decrypt the forwarded packets and the accounting records are lost):
modify sys db config.auditing.forward.sharedsecret value T3jd83k3l31GE00f
For the TACACS+ roles, the LTM maps the `F5-LTM-User-Info-1` value returned by the server to a local role (entries are presumably evaluated in `line-order`). There is no entry for an admin value, so a user whose attribute matches none of these entries gets whatever default role is configured for remote users; check that default before relying on this mapping:
auth remote-role {
role-info {
F5operator {
attribute F5-LTM-User-Info-1=operator
console tmsh
line-order 4
role operator
user-partition All
}
ResourceAdministrator {
attribute F5-LTM-User-Info-1=resource
console tmsh
line-order 3
role resourceadmin
user-partition All
}
auditor {
attribute F5-LTM-User-Info-1=auditor
console tmsh
line-order 1
role auditor
user-partition All
}
guest {
attribute F5-LTM-User-Info-1=guest
line-order 2
role guest
user-partition All
}
}
}
And for tac_plusd (the group definitions are listed twice below; the second copy is identical to the first). Note that no group here returns `auditor`, so the LTM `auditor` mapping above is never matched by this server configuration, and that `F5admin` is the only group that sets `default service = permit` and sends `F5-LTM-User-Console = 0`:
# Group for F5 administrators. PAP password checks are handed to the host's PAM
# stack; the attributes under service ppp / protocol ip are what the LTM reads.
# No F5-LTM-User-Role or F5-LTM-User-Info-1 is returned here, so the role the
# LTM assigns depends on its remote-user default — verify that on the LTM side.
# F5-LTM-User-Console = 0 presumably denies tmsh/console access, while every
# other group sends 1 — confirm this is intended for the admin group.
group = F5admin {
# any service not explicitly listed below is authorized for this group
default service = permit
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Console = 0
}
}
# Group mapped to the BIG-IP Resource Administrator role. It returns both the
# numeric role id (20 = Resource Administrator in the F5 role table) and the
# F5-LTM-User-Info-1 value "resource" that the LTM remote-role entry matches
# on; console (tmsh) access is enabled.
group = F5resource {
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Info-1 = resource
F5-LTM-User-Console = 1
F5-LTM-User-Role = 20
}
}
# Group mapped to the BIG-IP Operator role: numeric role id 400 (Operator)
# plus the F5-LTM-User-Info-1 value "operator" used by the LTM remote-role
# entry; console (tmsh) access is enabled.
group = F5operator {
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Info-1 = operator
F5-LTM-User-Console = 1
F5-LTM-User-Role = 400
}
}
# Group mapped to the BIG-IP Manager role: numeric role id 100 (Manager) and
# the F5-LTM-User-Info-1 value "manager". The LTM remote-role list shown on
# this page has no entry for "manager", so the role presumably comes from the
# numeric attribute or the remote-user default — confirm on the LTM side.
group = F5manager {
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Info-1 = manager
F5-LTM-User-Console = 1
F5-LTM-User-Role = 100
}
}
# Group mapped to the BIG-IP Guest role: numeric role id 700 (Guest) and the
# F5-LTM-User-Info-1 value "guest". This is the only group that also sends
# F5-LTM-User-Partition; the LTM remote-role entries already set
# user-partition All, so the attribute looks redundant here — verify.
group = F5guest {
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Info-1 = guest
F5-LTM-User-Console = 1
F5-LTM-User-Role = 700
F5-LTM-User-Partition = all
}
}
# Repeat of the F5admin group listed above (identical settings). Sends no
# F5-LTM-User-Role / F5-LTM-User-Info-1 and F5-LTM-User-Console = 0, which
# presumably denies tmsh/console access — confirm this is intended.
group = F5admin {
# any service not explicitly listed below is authorized for this group
default service = permit
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Console = 0
}
}
# Repeat of the F5resource group listed above (identical settings):
# role id 20 = Resource Administrator, console access enabled.
group = F5resource {
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Info-1 = resource
F5-LTM-User-Console = 1
F5-LTM-User-Role = 20
}
}
# Repeat of the F5operator group listed above (identical settings):
# role id 400 = Operator, console access enabled.
group = F5operator {
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Info-1 = operator
F5-LTM-User-Console = 1
F5-LTM-User-Role = 400
}
}
# Repeat of the F5manager group listed above (identical settings):
# role id 100 = Manager; the LTM remote-role list on this page has no
# "manager" entry, so confirm how the LTM resolves this group.
group = F5manager {
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Info-1 = manager
F5-LTM-User-Console = 1
F5-LTM-User-Role = 100
}
}
# Repeat of the F5guest group listed above (identical settings):
# role id 700 = Guest; F5-LTM-User-Partition is only sent by this group and
# looks redundant given the LTM's user-partition All — verify.
group = F5guest {
pap = PAM
service = ppp protocol = ip {
F5-LTM-User-Info-1 = guest
F5-LTM-User-Console = 1
F5-LTM-User-Role = 700
F5-LTM-User-Partition = all
}
}