In this post, I'll go over the configuration of F5 Local Traffic Manager (LTM) for administrator Role-Based Access Control (RBAC) using RADIUS against Cisco ISE. If you do not have a TACACS+ (Device Administration) license on ISE, this post is for you.
Components:
F5 LTM 12.1.1
Cisco ISE 2.0
First, get the F5 RADIUS vendor dictionary from the F5 support site. It defines the F5 vendor ID (3375), the vendor-specific attributes, and the numeric values of the user roles:
VENDOR f5 3375
BEGIN-VENDOR f5
ATTRIBUTE F5-LTM-User-Role 1 integer
ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable
ATTRIBUTE F5-LTM-User-Partition 3 string
ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable
ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh and bpsh
ATTRIBUTE F5-LTM-User-Context-1 10 integer
ATTRIBUTE F5-LTM-User-Context-2 11 integer
ATTRIBUTE F5-LTM-User-Info-1 12 string
ATTRIBUTE F5-LTM-User-Info-2 13 string
ATTRIBUTE F5-LTM-Audit-Msg 14 string
VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Resource-Admin 20
VALUE F5-LTM-User-Role User-Manager 40
VALUE F5-LTM-User-Role Auditor 80
VALUE F5-LTM-User-Role Manager 100
VALUE F5-LTM-User-Role App-Editor 300
VALUE F5-LTM-User-Role Advanced-Operator 350
VALUE F5-LTM-User-Role Operator 400
VALUE F5-LTM-User-Role Firewall-Manager 450
VALUE F5-LTM-User-Role Fraud-Protection-Manager 480
VALUE F5-LTM-User-Role Certificate-Manager 500
VALUE F5-LTM-User-Role IRule-Manager 510
VALUE F5-LTM-User-Role Guest 700
VALUE F5-LTM-User-Role Web-Application-Security-Administrator 800
VALUE F5-LTM-User-Role Web-Application-Security-Editor 810
VALUE F5-LTM-User-Role Acceleration-Policy-Editor 850
VALUE F5-LTM-User-Role No-Access 900
VALUE F5-LTM-User-Role-Universal Disabled 0
VALUE F5-LTM-User-Role-Universal Enabled 1
VALUE F5-LTM-User-Console Disabled 0
VALUE F5-LTM-User-Console Enabled 1
END-VENDOR f5
Next, save the dictionary as a plain text file and import it into ISE under Policy > Policy Elements > Dictionaries > RADIUS > RADIUS Vendors.
The import creates the vendor entry and populates all of its attributes in the Dictionary and Dictionary Attributes tabs.
These attributes can now be used to build the authorization policy. First, build an authorization profile and add an entry under Advanced Attributes Settings that carries the role identifier. I tried returning the F5-LTM-User-Role attribute as described in the F5 documentation, but it did not work in this setup.
So instead I used F5-LTM-User-Info-1 with the value adm for administrator access; the same string is matched on the F5 side later.
Next, build the authentication and authorization policies. I recommend breaking the policies down into Policy Sets, which keeps them clean and easier to navigate. I placed the F5 management IP into a network device group and assigned that group to the device access Policy Set. A sample authentication policy is shown below.
Lastly, the following authorization policy assigns users who are members of the NetworkAdmins AD group to the F5Admin profile, which grants administrator-level access to the device.
Now log in to the F5 and add the RADIUS servers under System > Users > Authentication, using the same shared secret that is configured for the network device in ISE.
Select the Remote Role Groups tab and create a mapping for the Administrator role whose Attribute String is the attribute=value pair returned by ISE, here F5-LTM-User-Info-1=adm. Make sure there are no spaces in the Attribute String, or the mapping will never match.
That's all you need to do to set up admin-level remote access on the F5. To add more roles, return a different F5-LTM-User-Info-1 value from a separate ISE authorization profile and map it to the proper role on the F5. The built-in admin and root accounts continue to authenticate locally, so they remain your fallback if ISE is unreachable; keep their passwords strong and their use audited.
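The following is an added example, not code from the original post or from F5 or Cisco. It builds the F5 vendor-specific attribute (vendor ID 3375, sub-attribute 12 for F5-LTM-User-Info-1) the way it travels inside a RADIUS Access-Accept, decodes and authenticates such a reply as the F5 must, and approximates the Remote Role Group string match, including the "no spaces" mistake. The `probe()` helper is a hypothetical name of my own; it assumes ISE listens on UDP/1812, a PAP test user, a non-empty password, and that you pass the shared secret as bytes. Use it to confirm what ISE actually returns before debugging the F5 side.

```python
"""Added example (not from the original post): encode, decode and verify the F5
RADIUS VSA that ISE returns, and check it against an F5-style Attribute String.
Attribute numbers and vendor ID 3375 are taken from the F5 dictionary above."""
import hashlib
import os
import socket
import struct

F5_VENDOR_ID = 3375
F5_ATTR = {"F5-LTM-User-Role": 1, "F5-LTM-User-Role-Universal": 2,
           "F5-LTM-User-Partition": 3, "F5-LTM-User-Console": 4,
           "F5-LTM-User-Shell": 5, "F5-LTM-User-Info-1": 12,
           "F5-LTM-User-Info-2": 13}
F5_ATTR_NAME = {v: k for k, v in F5_ATTR.items()}
INTEGER_ATTRS = {1, 2, 4, 10, 11}          # integer-typed sub-attributes in the dictionary
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def encode_f5_vsa(name, value):
    """Vendor-Specific AVP (type 26, RFC 2865 5.26) carrying one F5 sub-attribute."""
    vtype = F5_ATTR[name]
    data = struct.pack("!I", value) if vtype in INTEGER_ATTRS else value.encode()
    sub = struct.pack("!BB", vtype, 2 + len(data)) + data
    body = struct.pack("!I", F5_VENDOR_ID) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body

def decode_avps(payload):
    """Yield (type, value bytes) for each type/length/value triple in payload."""
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed AVP at offset %d" % i)
        yield atype, payload[i + 2:i + alen]
        i += alen

def decode_f5_vsas(payload):
    """Return {attribute name: value} for the F5 (vendor 3375) VSAs only."""
    found = {}
    for atype, data in decode_avps(payload):
        if atype != 26 or len(data) < 6 or struct.unpack("!I", data[:4])[0] != F5_VENDOR_ID:
            continue                        # not Vendor-Specific, or another vendor
        for vtype, vdata in decode_avps(data[4:]):
            name = F5_ATTR_NAME.get(vtype, "F5-vendor-type-%d" % vtype)
            found[name] = (struct.unpack("!I", vdata)[0] if vtype in INTEGER_ATTRS
                           else vdata.decode(errors="replace"))
    return found

def match_remote_role(attribute_string, received):
    """Assumed approximation of the F5 Remote Role Group check: the Attribute String
    is NAME=VALUE with no spaces and the returned attribute must equal VALUE."""
    if " " in attribute_string or "=" not in attribute_string:
        raise ValueError("Attribute String must be NAME=VALUE with no spaces")
    name, _, want = attribute_string.partition("=")
    return name in received and str(received[name]) == want

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2 User-Password hiding: 16-byte chunks XORed with an MD5 chain."""
    plain = password.encode()
    plain += b"\0" * (-len(plain) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], block))
        hidden += prev
    return hidden

def build_access_request(secret, username, password, ident=1):
    """PAP Access-Request; returns (packet, request authenticator)."""
    ra = os.urandom(16)
    user = username.encode()
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user            # User-Name
    pw = hide_password(secret, ra, password)
    attrs += struct.pack("!BB", 2, 2 + len(pw)) + pw               # User-Password
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra

def build_access_accept(request_authenticator, ident, secret, attrs):
    """Constructed ISE-like reply, used only to exercise the decoder offline."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs

def verify_response(packet, request_authenticator, secret):
    """Check the Response Authenticator (RFC 2865 3); returns (code, attribute bytes)."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, packet[20:length]

def probe(ise_host, secret, username, password, port=1812, timeout=5.0):
    """Send one PAP request to ISE; returns (accepted?, F5 attributes it returned)."""
    packet, ra = build_access_request(secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (ise_host, port))
        reply, _ = s.recvfrom(4096)
    code, attrs = verify_response(reply, ra, secret)
    return code == ACCESS_ACCEPT, decode_f5_vsas(attrs)
```

Run `probe("10.0.0.10", b"shared-secret", "alice", "password")` (constructed values) from a host ISE knows as a network device and look at the returned dictionary: if F5-LTM-User-Info-1 is not "adm" the problem is in the ISE authorization profile or policy, not in the F5 role mapping. Note that verify_response rejects a reply made with the wrong shared secret, which is the same failure you see on the F5 when the secrets differ.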
4 comments on F5: Radius authentication with Cisco ISE
Hi, this is a very nice tutorial. How about for Cisco ISE 2.3 version and creating Operator account in F5 (TACACS+) setup?
Thanks!
Hi, I am also looking into F5 Management Authentication via Cisco ISE TACACS+ setup. Any help?
Same here. Do you have TACACS+ equivalent of this?
Just a note: I had an issue after copy-pasting the above dictionary file. It's too risky; better download the official F5 RADIUS dictionary.