F5 LTM and ISE 2.0 TACACS Integration
I googled around and did not find a specific, comprehensive tutorial for integrating F5 with the ISE 2.0 TACACS+ service, so I labbed it out. It turns out to be pretty easy, as the flow is simple and straightforward. Using RADIUS between F5 LTM and ISE 2.0 is a bit more complicated in my opinion.
Our goal is to log into the F5 LTM GUI with an AD user account, using ISE 2.0 as the TACACS+ server.
The steps are the same as for any other device:
Cisco ISE Part
- Create NAD on ISE
- Create TACACS Command Set
- Create TACACS Profiles
- Create Policy Sets
F5 LTM Part
- Set up remote user authentication; there is only one page to configure.
Since we are using Active Directory as the identity store, we do not need to create local users on ISE (ISE must already be joined to the AD domain so it can look the users up).
Cisco ISE Part
Create Network Device Definition in Cisco ISE
This menu can be accessed from the Work Centers > Device Administration > Network Resources > Network Devices page.
- Alternatively, choose Administration > Network Resources > Network Devices.
- Click Add.
- Fill in all mandatory fields. The IP address must be the one the F5 sources its TACACS+ requests from; ISE rejects requests from an address that does not match a configured network device.
- Network Device Group: leave the default parameters.
- The RADIUS Authentication Settings check box is only needed if the device will also use RADIUS; for this TACACS+-only setup it can stay unchecked.
- Check the TACACS Authentication Settings check box and enter the shared secret. Use a long random value: the same secret must be entered on the F5, and anyone who knows it can decode the TACACS+ traffic, since the protocol's body protection is an MD5 pad keyed by this secret.
- Click Submit (or Save if you edited the Network Devices).
Create TACACS Command Set
Command sets enforce the specified list of commands that can be executed by a device administrator. When a device administrator issues operational commands on a network device, ISE is queried to determine whether the administrator is authorized to issue these commands. This is also referred to as command authorization.
- Navigate to Work Centers > Device Administration > Policy Results > TACACS Command Sets.
- Click Add.
- Fill in the name and description of the Command Set.
- Check the Permit any command that is not listed below check box to allow commands and arguments that are not listed as Permit, Deny or Deny Always in the Grant column. An empty list with this box checked means Cisco ISE allows every command. For the F5 GUI login in this lab, access is governed by the shell profile and the F5's own remote-user role settings rather than by the command set; on routers and switches that do per-command authorization, prefer an explicit list and leave this box unchecked.
Create TACACS Profiles
TACACS+ profiles control the initial login session of the device administrator. A session refers to each individual authentication, authorization, or accounting request. A session authorization request to a network device elicits an ISE response. The response includes a token that is interpreted by the network device, which limits the commands that may be executed for the duration of a session. The authorization policy for a device administration access service can contain a single shell profile and multiple command sets. The TACACS+ profile definitions are split into two components:
- Common tasks
- Custom attributes
The Common Tasks section allows you to select and configure the frequently used attributes for the profile. The Custom Attributes section allows you to configure additional attributes. It provides a list of attributes that are not recognized by the Common Tasks section. Each definition consists of the attribute name, an indication of whether the attribute is mandatory or optional, and the value for the attribute.
The attributes entered in the Raw View are reflected in the Custom Attributes section of the Task Attribute View and vice versa. The Raw View is also used to copy and paste an attribute list (for example, another product's attribute list) from the clipboard into ISE.
- Choose Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles.
- Click Add.
- In the TACACS Profile section, enter a name and description.
- In the Task Attribute View tab, check the required Common Tasks (refer to the Common Tasks Settings page). Set Default Privilege to 15 to give this user maximum privilege. Keep in mind that the privilege level is a Cisco IOS concept: the F5 assigns remote users the default role configured on its own authentication page unless the shell profile returns F5-specific attributes.
- There is nothing to add in the Custom Attributes section of the Task Attribute View tab for now. That is where F5-specific attributes would go; we don't need them yet, so save it for later (^_^)v.
Create Device Administration Policy Sets
Before You Begin
- Ensure that the Enable Device Admin Service checkbox in the Administration > System > Deployment > Edit Node > General Settings page is enabled for TACACS+ operations.
- Ensure that the User Identity Group (for example, System_Admin, Helpdesk) is created (Work Centers > Device Administration > User Identity Groups page). With AD as the identity store, as in this lab, the authorization rules match on AD groups instead, so local identity groups are not needed.
- Ensure that the member users (for example, ABC, XYZ) are included in the User Identity Group (Work Centers > Device Administration > Identities > Users page).
- Ensure that TACACS settings are configured on the devices to be administered (Work Centers > Device Administration > Network Resources > Network Devices > Add > TACACS Authentication Settings check box enabled, with the shared secret identical on ISE and on the device so the device can query ISE).
- Ensure that the Network Device Group, based on the Device Type and Location, is created. (Work Centers > Device Administration > Network Device Groups page)
F5 LTM Part
- Log in to the F5 LTM and navigate to System > Users > Authentication. Fill in the parameters needed:
User Directory: Remote – TACACS+
Servers: IP address of the Cisco ISE node (TACACS+ uses TCP port 49)
Secret Key: must be the same as the shared secret configured on ISE
Encryption: enabled. In my lab this was mandatory with ISE version 2.0.0.306; the other version I tried, 2.1.0.474, was not affected by this setting. Leave it enabled regardless of version: this option controls the TACACS+ body obfuscation, and with it disabled the packets carry the unencrypted flag and the user's password crosses the network in clear text.
- Click Finished.
Validation
Try to log in with an AD account and check the result in the ISE TACACS Live Log (Operations > TACACS Livelog).
There are two separate entries recorded, one for authentication and the other for authorization. Click the magnifying glass icon for the detailed flow.
Authentication Flow
Authorization Flow
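To make the two live-log entries and the F5 Encryption setting concrete, here is an added example (not code from the original post, the F5 or ISE) that builds and decodes the two TACACS+ packets involved, following RFC 8907: the authentication START the F5 sends, and the authorization REPLY in which ISE returns the shell profile's priv-lvl=15. The shared secret, session id, user name, password and the use of PAP are constructed assumptions for the demo, not values observed in the lab. It shows that the TACACS+ "encryption" is an MD5 pseudo-pad XORed over the body and keyed by the shared secret, so the secret is all an eavesdropper needs, and that with the unencrypted flag set (the F5 option disabled) the password is visible in the raw packet.

```python
"""TACACS+ (RFC 8907) header, body obfuscation, authentication START and
authorization REPLY.  Added example; all values below are constructed."""
import hashlib
import struct

# Constants from RFC 8907
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0     # authorization, ASCII login
TAC_PLUS_MINOR_VER_ONE = 0x1         # PAP/CHAP authentication
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # set when the F5 "Encryption" option is disabled
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; calling it again undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, minor_ver, seq_no, session_id, body, key, encrypt=True):
    """Header plus body. With encrypt=False the UNENCRYPTED flag is set and the
    body (password included) goes on the wire untouched."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_ver
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if encrypt else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(raw, key):
    """Return (header fields, body); the key is only used when the flag is clear."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw, 0)
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return (version, ptype, seq_no, flags, session_id), body


def authen_start(user, password, port=b"https", rem_addr=b"192.0.2.50", priv_lvl=1):
    """Authentication START for a PAP login (RFC 8907 s5.1); password travels in data."""
    return struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(password)
                       ) + user + port + rem_addr + password


def author_reply(status, args, server_msg=b"", data=b""):
    """Authorization REPLY (RFC 8907 s6.2); args are b'attr=value' AV pairs."""
    return (struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
            + bytes(len(a) for a in args) + server_msg + data + b"".join(args))


def parse_author_reply(body):
    """Return (status, {attr: value}); '=' marks mandatory and '*' optional AV pairs."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    off = 6
    arg_lens = body[off:off + arg_cnt]
    off += arg_cnt + msg_len + data_len       # skip server_msg and data
    attrs = {}
    for n in arg_lens:
        av = body[off:off + n].decode()
        off += n
        sep = min((i for i in (av.find("="), av.find("*")) if i >= 0), default=len(av))
        attrs[av[:sep]] = av[sep + 1:]
    return status, attrs


def demo(encrypt=True):
    """Constructed exchange: F5 -> ISE START, then ISE -> F5 REPLY carrying priv-lvl=15."""
    key, session_id = b"S3cret-shared-with-ISE", 0x1A2B3C4D   # constructed, not real values
    start = authen_start(b"ad.user", b"Passw0rd!")
    wire = build_packet(TAC_PLUS_AUTHEN, TAC_PLUS_MINOR_VER_ONE, 1, session_id, start, key, encrypt)
    _, start_back = parse_packet(wire, key)
    _, start_wrong = parse_packet(wire, b"wrong-key")
    reply = author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, [b"priv-lvl=15"])
    reply_wire = build_packet(TAC_PLUS_AUTHOR, TAC_PLUS_MINOR_VER_DEFAULT, 2, session_id, reply, key, encrypt)
    _, reply_back = parse_packet(reply_wire, key)
    status, attrs = parse_author_reply(reply_back)
    return {"round_trip_ok": start_back == start,
            "wrong_key_ok": start_wrong == start,
            "password_visible_on_wire": b"Passw0rd!" in wire,
            "status": status, "attrs": attrs}


if __name__ == "__main__":
    print("encryption on :", demo(True))
    print("encryption off:", demo(False))
```

With encryption on, a decoder holding the wrong secret gets garbage and the password is not visible in the capture; with it off, any capture on the path between the F5 and ISE shows the password in clear. Either way the protection is only as good as the shared secret and the management network it runs over, which is why the secret should be long, random and per device.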
Reference:
Cisco Identity Services Engine Administrator Guide, Release 2.0
Ranjit Shinde
November 26, 2018 - 11:45 am
Hello, we need to do authorization such that NOC engineers will get level 7 access and admin users will only get priv 15 access.
Can you help us out?