1st I download the VSA template that we will use for inserting the f5 vendor specific attributes
I found it's much easier to export the cisco ACS template, modify, replace, and edit and re-import. The time trying to download the f5-support template and getting a flawless import is very time consuming.
2nd, we after a successful import is wise to click the show vendor attribute and check things over.
I kept my radius attribute small and just only the attribute that I required so the full VSA dictionary was not included.
Now we can define the attribute in our network authorization profiles mapping the attributes that's required such a specific role.
Here's a sample of my F5 authorization profiles. They where generic defined to match a f5 "role" . Notice the attributes are defined along with the generic_reply which will we help in further diagnostics & analysis.
by applingy a unique reply message per ACS authorization_profile and then using just that profile in a policy, can help you narrow down what policy and authorization_profile that's being used & matched
So here's the final policies
On the BIG-IQ you will need to define the radius settings and remote-role. It's a good ideal to define a default role of guest . If no role is found, the "no-access" becomes your default role btw.
( cli cfg BIG-IQ 5.0 )
Sys::Version
Main Package
Product BIG-IQ
Version 5.0.0
Build 0.0.3026
Edition Final
Date Tue Jun 7 00:17:51 PDT 2016
admin@(BIGIQCALITECH01)(Active)(/Common)(tmos)# list auth
auth password-policy { }
auth radius system-auth {
debug enabled
servers {
RAD1
RAD2
RAD3
}
service-type default
}
auth radius-server RAD01 {
secret test1234567890
server 10.3.1.11
timeout 30
}
auth radius-server RAD02 {
secret test1234567890
server 10.4.1.11
timeout 30
}
auth radius-server RAD03 {
secret test1234567890
server 10.5.1.11
timeout 30
}
auth remote-role {
role-info {
operator {
attribute F5-LTM-User-Info-1=operator
console tmsh
line-order 2
role 400
user-partition All
}
resource-admin {
attribute F5-LTM-User-Info-1=resource
console tmsh
line-order 3
role 20
user-partition All
}
}
}
auth remote-user {
default-role guest
remote-console-access tmsh
}
auth source {
type radius
}
auth user admin {
description "Predefned Admin User"
encrypted-password myencpsssword_admin_user
partition Common
partition-access {
all-partitions {
role admin
}
}
shell tmsh
}
(END)
During debugging my lack of attributes being sent via cisco ACS, I found out depending on what means you access BIG-IQ the radius request is pretty much different.
Check out this WebGUI and then SSHd access and notice the attributes sent via the radius_client ( BIGIQ )
Also , another finding; " the security and audit logs" via the cli , will never shows the WebGUI access success or failures and nor do we have audit logging from command-executions that are done via the WebGUI.
(audit logging via cli)
( security logging via cli )
TIP: The f5 security logs typically display either RAW: sshd(pam_audit): for SSH access or RAW: httpd(mod_auth_pam): for webgui access
BTW:
In the WebGUI, it's was unclear to me if you need to define user-groups, but if you do, the groups needs to match the F5 attributes that are being sent via ciscoACS ( see the above Vendor-3375-Attr-12 = aka F5-LTM-User-Info-1 attribute#12 for VSA F5 )
( example radius servers configuration and user-group via the webgui )
(user-group and specific RAdius-VSA attribute that's expected for this role )
( BIG-IQ roles numbers-2-names )
And lastly, I used the wrong browser initially ( safari ) and then later Firefox rls.48 and the same bug where corrupt our ACS policies database. So even tho the webgui of the cisco ACS shows the authorization_profile and policy being correctly configured, the cisco ACS instance did not send the radius-attribute.
So we will look at the next patch ( #5 ) and see what the release note shows.
Tip if you are trying ssh access and can not get a shell, the log will show the following
Tip use the ACS reporter if your experiencing authentication issues
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
No comments:
Post a Comment