Tuesday, September 27, 2016

Cisco ACS 5.x and BIG-IQ 5.0 Radius Attributes

In this post I will show you the relevant RADIUS configuration for attributes on the Cisco ACS and the F5 BIG-IQ.

1st, I download the VSA template that we will use for inserting the F5 vendor-specific attributes.

I found it's much easier to export the Cisco ACS template, modify, replace and edit it, and re-import. Trying to download the f5-support template and getting a flawless import is very time consuming.

2nd, after a successful import it is wise to click "show vendor attribute" and check things over.

I kept my RADIUS attribute list small, with only the attribute that I required, so the full VSA dictionary was not included.

Now we can define the attribute in our network authorization profiles, mapping the attributes that are required for a specific role.

Here's a sample of my F5 authorization profiles. They were defined generically to match an F5 "role". Notice the attributes are defined along with the generic reply, which will help in further diagnostics & analysis.

By applying a unique reply message per ACS authorization_profile and then using just that profile in a policy, you can narrow down which policy and authorization_profile is being used & matched.

So here are the final policies.

On the BIG-IQ you will need to define the RADIUS settings and remote-role. It's a good idea to define a default role of guest. If no role is found, "no-access" becomes your default role, btw.

( CLI config, BIG-IQ 5.0 )

Main Package
  Product     BIG-IQ
  Version     5.0.0
  Build       0.0.3026
  Edition     Final

  Date        Tue Jun  7 00:17:51 PDT 2016

admin@(BIGIQCALITECH01)(Active)(/Common)(tmos)# list auth
auth password-policy { }
auth radius system-auth {
    debug enabled
    servers {
    }
    service-type default
}
auth radius-server RAD01 {
    secret test1234567890
    timeout 30
}
auth radius-server RAD02 {
    secret test1234567890
    timeout 30
}
auth radius-server RAD03 {
    secret test1234567890
    timeout 30
}
auth remote-role {
    role-info {
        operator {
            attribute F5-LTM-User-Info-1=operator
            console tmsh
            line-order 2
            role 400
            user-partition All
        }
        resource-admin {
            attribute F5-LTM-User-Info-1=resource
            console tmsh
            line-order 3
            role 20
            user-partition All
        }
    }
}
auth remote-user {
    default-role guest
    remote-console-access tmsh
}
auth source {
    type radius
}
auth user admin {
    description "Predefned Admin User"
    encrypted-password  myencpsssword_admin_user
    partition Common
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}


While debugging my lack of attributes being sent via Cisco ACS, I found out that depending on how you access the BIG-IQ, the RADIUS request is quite different.

Check out this WebGUI access and then SSHd access, and notice the attributes sent via the radius_client ( BIG-IQ ).

Also, another finding: the security and audit logs viewed via the CLI will never show WebGUI access successes or failures, nor do we have audit logging for command executions that are done via the WebGUI.

( audit logging via CLI )

( security logging via CLI )

TIP: The F5 security logs typically display either RAW: sshd(pam_audit): for SSH access or RAW: httpd(mod_auth_pam): for WebGUI access.


In the WebGUI, it was unclear to me if you need to define user-groups, but if you do, the groups need to match the F5 attributes that are being sent via Cisco ACS ( see the above Vendor-3375-Attr-12, aka F5-LTM-User-Info-1, attribute #12 of the F5 VSA ).

( example RADIUS servers configuration and user-group via the WebGUI )

( user-group and the specific RADIUS VSA attribute that's expected for this role )

( BIG-IQ role numbers to names )
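To make the attribute wiring above concrete, here is an added example (my own code, not from the post, F5 or Cisco) that encodes the F5 VSA and Reply-Message an ACS authorization profile would return, parses them the way a RADIUS client must, and applies the remote-role table from the "list auth" output. The role names and numbers (operator 400, resource-admin 20, default guest) come from the post; the ROLE_INFO dictionary and the constructed attribute bytes are assumptions for the demo.

```python
# Added example: build RADIUS attributes carrying the F5 VSA (vendor 3375,
# attribute 12) plus a Reply-Message, parse them, and map to a BIG-IQ role.
import struct

F5_VENDOR_ID = 3375          # F5 vendor id, as named in the post (Vendor-3375)
F5_LTM_USER_INFO_1 = 12      # F5-LTM-User-Info-1, VSA attribute #12 (from the post)
REPLY_MESSAGE = 18           # standard RADIUS Reply-Message attribute type
VENDOR_SPECIFIC = 26         # standard RADIUS Vendor-Specific attribute type

# remote-role table from the post: attribute value -> (role name, role number)
ROLE_INFO = {"operator": ("operator", 400), "resource": ("resource-admin", 20)}
DEFAULT_ROLE = "guest"       # set to None to see the "no-access" fallback

def attr(atype, value):
    """Encode one RADIUS attribute TLV: type(1) length(1) value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def f5_vsa(vendor_type, text):
    """Encode an F5 VSA: Vendor-Specific(26) wrapping vendor-id + sub-TLV."""
    sub = struct.pack("!BB", vendor_type, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", F5_VENDOR_ID) + sub)

def parse_attrs(blob):
    """Walk the attribute list; return (type, vendor_id, vendor_type, value)."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        val = blob[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(val) >= 6:
            vid = struct.unpack("!I", val[:4])[0]
            out.append((atype, vid, val[4], val[6:6 + val[5] - 2]))
        else:
            out.append((atype, None, None, val))
        i += alen
    return out

def assign_role(blob):
    """Return (role name, role number or None, reply message) as remote-role would."""
    role, reply = (DEFAULT_ROLE or "no-access", None), ""
    for atype, vid, vtype, val in parse_attrs(blob):
        if atype == REPLY_MESSAGE:
            reply = val.decode(errors="replace")   # unique per ACS profile = easy tracing
        elif vid == F5_VENDOR_ID and vtype == F5_LTM_USER_INFO_1:
            role = ROLE_INFO.get(val.decode(errors="replace"), role)
    return role[0], role[1], reply

if __name__ == "__main__":
    pkt = f5_vsa(F5_LTM_USER_INFO_1, "operator") + attr(REPLY_MESSAGE, b"acs-profile-f5-operator")
    print(assign_role(pkt))
```

A reply with an unknown or missing F5-LTM-User-Info-1 value falls through to the default role, which is exactly the case the post's default-role guest setting covers.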

And lastly, I used the wrong browser initially ( Safari ) and later Firefox rls.48, and the same bug corrupted our ACS policies database. So even though the WebGUI of the Cisco ACS shows the authorization_profile and policy being correctly configured, the Cisco ACS instance did not send the radius-attribute.

So we will look at the next patch ( #5 ) and see what the release note shows.

Tip: if you are trying SSH access and cannot get a shell, the log will show the following

Tip: use the ACS reporter if you're experiencing authentication issues.

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=

        /  \
