Forum Discussion

Sleiman
May 23, 2019

F5 Read Only In ISE with TACACS

Hello, can someone assist in setting up ISE to authorize users logging in to the F5 LB with a read-only account?

4 Replies

  • DRJ

    I've used AD group membership for this, but I'm guessing you already have admin auth working?

    On the F5, create your F5 Remote Role Group (specify the attribute string, e.g. F5-LTM-User-Info-1=monitoring) and the required Assigned Role level.

    In ISE, add a rule in the Auth policy in the relevant Device Admin Policy Set. Match the device/AD user group, create your command set/shell profile as needed (create and match custom attribute to attribute string created for F5 Remote Role Group).

    If I recall correctly I think that's pretty much all that's needed, but I could be forgetting something.

  • Thanks for the reply DRJ. Here's what I've done. I'm able to login but I still have read/write rights.

    • DRJ

      So in your example, in the Custom Attribute in ISE (the last screenshot), specify the NAME as F5-LTM-USER-Info-1 and the Value as monitoring.

      I can't recall if this is required or not, but if you're still having issues after fixing the attribute, try setting the shell privilege level from 15 to something like 2.

  • You are the man. Setting the NAME as F5-LTM-USER-Info-1 and the Value as monitoring did it. Hopefully this works in production :) Thanks for your help.
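As an added illustration (not code from this thread, F5 or Cisco), the following Python models the decision that DRJ's steps configure: the ISE shell-profile custom attribute becomes a TACACS+ name=value pair, and BIG-IP compares it with each remote role group's attribute string in line-order, falling back to the remote-user default role when nothing matches. The matching rules (whole-string, case-insensitive, lowest line-order first), the role names and the default role are assumptions made for the model.

```python
# Constructed model of the remote-role decision described in the thread:
# ISE returns a custom attribute, BIG-IP matches it against each remote role
# group. Not F5 or Cisco code; matching semantics are assumed.
from dataclasses import dataclass


@dataclass
class RoleInfo:
    """One BIG-IP remote role group (auth remote-role role-info)."""
    name: str
    attribute: str   # attribute string, e.g. "F5-LTM-User-Info-1=monitoring"
    role: str        # BIG-IP role assigned on match, e.g. "guest" (read-only)
    line_order: int  # lower values are evaluated first (assumed)


def ise_av_pairs(custom_attributes):
    """Render ISE shell-profile custom attributes (name, value) as the
    name=value pairs carried in the TACACS+ authorization reply."""
    return [f"{name}={value}" for name, value in custom_attributes]


def assign_role(av_pairs, role_infos, default_role="no-access"):
    """Pick the BIG-IP role: the first entry (by line-order) whose attribute
    string equals a returned pair wins; otherwise the remote-user default.
    Assumption: comparison is case-insensitive; real BIG-IP may differ."""
    returned = {pair.lower() for pair in av_pairs}
    for info in sorted(role_infos, key=lambda r: r.line_order):
        if info.attribute.lower() in returned:
            return info.role
    return default_role


# Constructed role groups: an admin group ahead of the read-only group.
ROLE_GROUPS = [
    RoleInfo("Admins",   "F5-LTM-User-Info-1=admins",     "administrator", 1),
    RoleInfo("ReadOnly", "F5-LTM-User-Info-1=monitoring", "guest",         2),
]


def check_readonly():
    """ISE custom attribute NAME=F5-LTM-USER-Info-1, Value=monitoring."""
    pairs = ise_av_pairs([("F5-LTM-USER-Info-1", "monitoring")])
    return assign_role(pairs, ROLE_GROUPS)            # -> "guest"


def check_mistyped_attribute(default_role):
    """A mistyped attribute name never matches, so the user silently lands
    in the default role; with 'administrator' that is full read/write."""
    pairs = ise_av_pairs([("F5-LTM-User-Info", "monitoring")])
    return assign_role(pairs, ROLE_GROUPS, default_role)


if __name__ == "__main__":
    print(check_readonly())                           # guest
    print(check_mistyped_attribute("administrator"))  # administrator
    print(check_mistyped_attribute("no-access"))      # no-access
```

The mistyped case is the one to watch for: a mismatch does not fail the login, it hands the user whatever the default role is, so keep that default at no-access and confirm the assigned role with a test login after any attribute change.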