F5: Radius authentication with Cisco ISE

In this post, I’ll go over configuring F5 Local Traffic Manager (LTM) for administrator Role-Based Access Control (RBAC) with Cisco ISE over RADIUS. If you do not have a TACACS license on ISE, this post is for you.

Components:
F5 LTM: 12.1.1
Cisco ISE: 2.0

First, get the vendor attribute information from the F5 support site, or create a file by copying the text below.

VENDOR f5 3375
BEGIN-VENDOR f5

ATTRIBUTE F5-LTM-User-Role 1 integer
ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable
ATTRIBUTE F5-LTM-User-Partition 3 string
ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable
ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh and bpsh
ATTRIBUTE F5-LTM-User-Context-1 10 integer
ATTRIBUTE F5-LTM-User-Context-2 11 integer
ATTRIBUTE F5-LTM-User-Info-1 12 string
ATTRIBUTE F5-LTM-User-Info-2 13 string
ATTRIBUTE F5-LTM-Audit-Msg 14 string

VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Resource-Admin 20
VALUE F5-LTM-User-Role User-Manager 40
VALUE F5-LTM-User-Role Auditor 80
VALUE F5-LTM-User-Role Manager 100
VALUE F5-LTM-User-Role App-Editor 300
VALUE F5-LTM-User-Role Advanced-Operator 350
VALUE F5-LTM-User-Role Operator 400
VALUE F5-LTM-User-Role Firewall-Manager 450
VALUE F5-LTM-User-Role Fraud-Protection-Manager 480
VALUE F5-LTM-User-Role Certificate-Manager 500
VALUE F5-LTM-User-Role IRule-Manager 510
VALUE F5-LTM-User-Role Guest 700
VALUE F5-LTM-User-Role Web-Application-Security-Administrator 800
VALUE F5-LTM-User-Role Web-Application-Security-Editor 810
VALUE F5-LTM-User-Role Acceleration-Policy-Editor 850
VALUE F5-LTM-User-Role No-Access 900
VALUE F5-LTM-User-Role-Universal Disabled 0
VALUE F5-LTM-User-Role-Universal Enabled 1
VALUE F5-LTM-User-Console Disabled 0
VALUE F5-LTM-User-Console Enabled 1

END-VENDOR f5

Next, upload the text file to ISE under Policy > Policy Elements > Dictionaries > Radius > Radius Vendors.

This populates all the fields in the Dictionary and Dictionary Attributes tabs.

Now this information can be used to build the authorization policy. First, build an authorization profile and add an Advanced Attribute for RBAC identification. I’ve tried using the User Role attribute as discussed in the F5 documentation, but it did not work.

So instead I’ve used F5-LTM-User-Info-1 with the value adm for administrator access.

Next, build the authentication/authorization policies. I recommend breaking the policies down into Policy Sets, which keeps them clean and easier to navigate. I’ve placed the device management IP into a device group and assigned this group to the device access policy. A sample authentication policy is below.

Lastly, the following authorization policy assigns users that are members of the NetworkAdmins AD group to the F5Admin profile, which grants administrator-level access to the device.

Now log in to the F5 and add the Radius servers under System > Users > Authentication.

Select the Remote Role Groups tab and create a mapping for the Administrator role. Make sure there are no spaces in the Attribute String.

That’s all you need to do to set up admin-level remote access on the F5. To add more roles, just add an attribute value on ISE and map it to the proper role on the F5.
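To make the three pieces above concrete (the vendor dictionary file, the F5-LTM-User-Info-1=adm attribute ISE returns in its Access-Accept, and the space-free Attribute String the F5 Remote Role Group matches against), here is an added Python example that is not from the post, F5 or Cisco. It parses a trimmed copy of the dictionary, encodes the attributes as RFC 2865 Vendor-Specific AVPs (type 26, vendor id 3375), decodes them back, and checks them against a role mapping string. The "Name=value" form of the F5 attribute string, and that the F5 compares a decoded VSA against it literally, are assumptions made for this illustration.

```python
import struct

# Constructed, trimmed copy of the F5 vendor dictionary from the post
F5_DICTIONARY = """
VENDOR f5 3375
BEGIN-VENDOR f5
ATTRIBUTE F5-LTM-User-Role 1 integer
ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable
ATTRIBUTE F5-LTM-User-Partition 3 string
ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable
ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh and bpsh
ATTRIBUTE F5-LTM-User-Info-1 12 string
ATTRIBUTE F5-LTM-User-Info-2 13 string
VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Resource-Admin 20
VALUE F5-LTM-User-Role Guest 700
VALUE F5-LTM-User-Role No-Access 900
VALUE F5-LTM-User-Console Disabled 0
VALUE F5-LTM-User-Console Enabled 1
END-VENDOR f5
"""

VSA_TYPE = 26  # RFC 2865 Vendor-Specific attribute type


def parse_dictionary(text):
    """Return (vendor_id, attributes, values) from a FreeRADIUS-style dictionary.

    attributes: name -> (vendor attribute number, 'integer' | 'string')
    values:     attribute name -> {value name: integer}
    """
    vendor_id, attributes, values = None, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "VENDOR":
            vendor_id = int(tokens[2])
        elif tokens[0] == "ATTRIBUTE":
            attributes[tokens[1]] = (int(tokens[2]), tokens[3])
        elif tokens[0] == "VALUE":
            values.setdefault(tokens[1], {})[tokens[2]] = int(tokens[3])
        # BEGIN-VENDOR / END-VENDOR only scope the block; nothing to record
    if vendor_id is None:
        raise ValueError("dictionary has no VENDOR line")
    return vendor_id, attributes, values


def encode_vsa(vendor_id, attr_num, data):
    """Wrap one vendor attribute in a Vendor-Specific AVP (RFC 2865 section 5.26)."""
    vendor_data = struct.pack("!BB", attr_num, 2 + len(data)) + data
    length = 2 + 4 + len(vendor_data)  # Type, Length, Vendor-Id, then vendor data
    if length > 255:
        raise ValueError("VSA exceeds the 255-byte RADIUS attribute limit")
    return struct.pack("!BBI", VSA_TYPE, length, vendor_id) + vendor_data


def encode_f5_attribute(dictionary, name, value):
    """Encode a named F5 attribute; integers may be given by their VALUE name."""
    vendor_id, attributes, values = dictionary
    attr_num, attr_type = attributes[name]
    if attr_type == "integer":
        if isinstance(value, str):
            value = values[name][value]  # e.g. "Administrator" -> 0
        data = struct.pack("!I", value)
    else:
        data = value.encode("utf-8")
    return encode_vsa(vendor_id, attr_num, data)


def decode_vsa(dictionary, avp):
    """Decode one VSA to 'Attribute-Name=value', validating every length field."""
    vendor_id, attributes, values = dictionary
    avp_type, length, vid = struct.unpack("!BBI", avp[:6])
    if avp_type != VSA_TYPE or length != len(avp) or vid != vendor_id:
        raise ValueError("not a well-formed F5 Vendor-Specific AVP")
    attr_num, vlen = struct.unpack("!BB", avp[6:8])
    if vlen != len(avp) - 6:
        raise ValueError("vendor-length does not match payload")
    name, attr_type = {n: (k, t) for k, (n, t) in attributes.items()}[attr_num]
    if attr_type == "integer":
        (num,) = struct.unpack("!I", avp[8:])
        by_number = {v: k for k, v in values.get(name, {}).items()}
        return f"{name}={by_number.get(num, num)}"
    return f"{name}={avp[8:].decode('utf-8')}"


def remote_role_attribute_string(name, value):
    """Build the F5 Remote Role Group attribute string (assumed 'Name=value' form)."""
    s = f"{name}={value}"
    if " " in s:  # the post warns that spaces break the match
        raise ValueError("attribute string must not contain spaces")
    return s


def accept_grants_role(dictionary, avps, attribute_string):
    """True if any VSA in the Access-Accept equals the configured mapping string."""
    return any(decode_vsa(dictionary, a) == attribute_string for a in avps)


if __name__ == "__main__":
    d = parse_dictionary(F5_DICTIONARY)
    avp = encode_f5_attribute(d, "F5-LTM-User-Info-1", "adm")
    print(avp.hex(), decode_vsa(d, avp))
    print(accept_grants_role(d, [avp], remote_role_attribute_string("F5-LTM-User-Info-1", "adm")))
```

Running the script prints the wire bytes of the adm attribute (1a0b00000d2f0c0561646d: type 26, length 11, vendor 0x0d2f = 3375, vendor type 12, vendor length 5, "adm") and confirms it matches the mapping string. Feeding a captured Access-Accept through decode_vsa is a quick way to see exactly which attribute string ISE is returning when a role mapping on the F5 does not take effect.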
