F5 ISE Integration using TACACS+

Captions
Hi everyone, my name is Vini and welcome to this short tutorial in which I will explain how to integrate ISE with F5 so that you can provide role-based access to F5 for the various users in your environment. Some users might require admin access; others, for example the development folks, might only need read-only access. So if you have ISE in your environment along with F5 and you are wondering how to integrate the two using TACACS+, I am here to help. Let's get started.

The first and most important thing is that you need admin access to both F5 and ISE. In this video I am going to use F5 version 13.1 and ISE version 2.x. I am making this tutorial for administrators who work day in, day out with F5 and want to give their infrastructure folks access at various levels based on their roles.

I have divided this tutorial into four sections. In the first section we do the configuration on ISE for TACACS+, then we move on to the F5 configuration, after that we test the access in the third section, and in the fourth section we look at troubleshooting.

Before I get started, here is the basic configuration I have used in my environment: the F5 management IP address is set to 10.1.1.1, the ISE IP address I am going to use for authentication is 10.1.1.1, and there is the TACACS+ secret key which I am going to set up on ISE as well as on F5.

Section 1: ISE configuration

Before you start with the ISE configuration, the first important aspect to check is that the Device Admin Service for TACACS+ is enabled on your ISE. If you navigate to these options you will find that feature; here is a screenshot taken from ISE, and the last option you see, "Enable Device Admin Service", must be enabled on your ISE.

After this, let's understand the steps involved on ISE. The first step is to introduce F5 as a network access device in ISE, making sure the TACACS+ protocol is enabled when you add it. The second step is to create user identity groups on ISE. If you are going to use user accounts from your AD, there is no need to create user groups on ISE; in my case I am using local user accounts created on ISE, so I will create groups, one for admin users and another for guest users, and within those groups I will create multiple users and assign them to the groups. The next requirement is to create a TACACS+ command set, which identifies which commands a user can run. After this, the last step is the TACACS+ profile, which supplies F5 with the attributes used to give different levels of access to different sets of users. And one more thing before we move ahead: after creating the TACACS+ profile you also need a device admin policy set, which returns the authorization attributes to F5 so that F5 can give the specific role to each group of users. Let's get going with these five steps and see how to configure them on ISE.

My first step is introducing F5 in my ISE configuration. Once you log in, go to Work Centers > Device Administration > Network Resources, click Add, give any name as per your requirement, and specify the management IP address of F5. I am not going to enable the IPsec option; then expand the TACACS Authentication Settings and set the TACACS+ shared secret, the same one I will use in the F5 configuration as well. After this, click Submit. Now F5 is added as a network access device in my ISE configuration.

The next part is creating the different groups of users. Go to Work Centers > User Identity Groups; the default groups already exist on ISE. Click Add and name the group f5_guests; then create another group for f5 operators. Now create the users inside these two groups: go to Work Centers > Device Administration > Identities, click Add, enter the username and password, and from the drop-down map the user to a group. I map this one to the f5_guests group: the username I have given is user1, a guest user added to the f5_guests group. Then I create one more user, user2, set the password, and from the drop-down assign it to the admin group. My first step is done, which was adding F5 in my ISE configuration; next I created the groups, then I added the users to those groups.

Now I have to create the TACACS+ command set. Go to Work Centers > Device Administration > Policy Elements > Results > TACACS Command Sets and add a command set; I name it "permit all", enable the option to permit all the commands, and click Submit. After creating the command set, I create the TACACS+ profiles, which is where we specify the attributes. The TACACS+ profile for guest users is named "f5 guest"; in the Raw View I specify the attribute F5-LTM-User-Info-1 equal to the group name, which is f5_guests, then click Submit. Similarly I create one more profile, "f5 admin", and in the raw view provide the attribute F5-LTM-User-Info-1 equal to the group name. Let me verify the group names I just created: under User Identity Groups, f5_guests is correct, but the other should be f5_operators_admin, so I go back to Policy Elements and edit the profile to match.

The next step, after creating the command set and the profiles, is to specify the device admin policy set used for authorization. Go to Work Centers > Device Administration > Device Admin Policy Sets and click Default. You will see a default authentication policy, which should work fine because it uses all ID stores, one of which is the internal (local) store. In the authorization policy we add the command set we just created; by default you will see the rule is Deny All Shell. Just above this I add a new rule, "f5 guest rule", with the condition selecting the user identity group f5_guests, the command set "permit all" from the drop-down, and the shell profile "f5 guest"; click Done. Similarly I insert one more rule above it for my admin account, "f5 admin rule", with the user identity group f5_operators_admin, the command set "permit all", and the shell profile "f5 admin"; click Done. With this, your ISE configuration is ready.

Section 2: F5 configuration

We have completed all the steps of the ISE configuration; now let's move on to the F5 configuration for TACACS+. The F5 configuration is even simpler than what we have done so far on ISE. The first step on F5 is to introduce ISE as an authentication server and enable the TACACS+ protocol. The second step is to define the remote role groups; we just reference the same attributes we created on ISE in our F5 configuration to define what access level has to be provided for a specific user.

Once you log in to F5, go to System > Users > Authentication. By default the User Directory is Local, which means only local user accounts can access the device. Change the user directory to Remote - TACACS+. Once that is selected, add the ISE IP address (I see it is already added here) and set the secret, the same secret key set on ISE; the service name is ppp and the protocol name is ip. Click Finished. This completes the first step.

The next step is to create the different groups and assign them different privileges. Go to Remote Role Groups and create a group, say "f5 guest", the first group I am creating, with line order 1. The attribute string should be the same as what you set on ISE, so type F5-LTM-User-Info-1=f5_guests, and for this group of users the role I assign is Guest. Click Finished. At present I am giving partition access to all partitions; if you want to restrict partition access, you can do that as well by choosing the specific partition these users should have access to. Similarly I create one more group of users, the second group; its attribute is the same as what I set on ISE, and the assigned role is Administrator. Click Finished. With this we are done with the configuration on F5, and we have completed both steps of the F5 configuration.

Section 3: testing

In this section we test our access to F5 and see whether the privileges we defined on F5 work or not. I am back on my F5 screen; since this session is already authenticated, let me open a new session and use the different usernames and passwords I created on ISE. In my guest group I created the username user1; I enter the credentials, I am able to log in successfully, and I can see the role assigned to me is Guest. Now I log out, and this time I try the username user2, which is part of my admin group; after logging in I can see the role I have been assigned is Resource Administrator, and this meets our need.

Before we wind up this section, let's check on ISE the authentication requests received for these two users, user1 and user2. On ISE, to check the logs go to Operations > TACACS > Live Logs; here you can see the attempts for user1 and user2, both for authentication and authorization. If I click user1, I can see the TACACS+ authentication and authorization requests received: the user was checked in Internal Users, authentication passed, the shell profile was selected, and the authorization policy "f5 guest" was applied based on the configuration we assigned to guest users. Similarly, if I check user2 and click Details, I can see authentication passed, the user was checked in Internal Users, the selected shell profile was assigned, and it went through the authorization policy Default >> f5 admin rule which we created. With this we conclude the testing section.

Section 4: troubleshooting

Most often we tend to make mistakes in our configurations, and sometimes, even if the configuration is right, some component, maybe the network, is not letting you succeed in what you are trying to do. So let's see the steps to take when troubleshooting the F5 TACACS+ configuration. The first step is always to verify the configuration at both ends, first F5 and then ISE. The next step is to check reachability from a network perspective: is the TACACS+ server reachable? You can also review the log messages on F5 to understand what is actually happening when you try to log in to the device. As a last step, you can perform packet captures to understand the communication between F5 and your authentication server when you log in with a specific user account. Let's see how to perform all these steps on F5.

One of the common mistakes when performing the TACACS+ configuration is a key mismatch: the secret key set on F5 is different from the key set on ISE. Let's intentionally change the key on F5 to a wrong key and then try accessing the device with our new account; let me log in with user1. It says "remote authentication server unreachable, local authentication failed". I find the CLI very useful for troubleshooting this; I use the tail command to view my logs while I am logging in. In the log file I see it saying "error communicating with the server". I can also enable debug logs while troubleshooting. By default it shows "error communicating with the server, the authentication server is unavailable", and then it falls back to local authentication. Let me log in again; this time it says "unable to obtain the user name, user is unknown". Let's check what we see on ISE: we can see the authentication failing, and clicking it you clearly get the information "invalid shared secret". The key on ISE and the key on F5 do not match, which is why authentication fails. This is one of the common mistakes.

Now let's change it back to the correct key. After changing the key, let me try logging in again: I am logged in successfully. Now let's say I log out and this time enter the correct username but the wrong password for this user; it does not let me through and says "login failed". Let's check what we see on ISE: the first attempt after changing the secret key shows the authentication was successful; the last attempt shows authentication failed, the user was found but the password was wrong.

You can also check the configuration of the TACACS+ settings from the command line using tmsh. There are two ways to view it. From bash itself, "tmsh list auth tacacs" shows the server IP address. I can check the network connectivity: it is reachable. There is a possibility of a firewall between F5 and your authentication server, so you can also check with telnet; it works fine. To view the configuration from the tmsh shell, type tmsh first, then the specific module; since I want to see the configuration, I use the list command and then auth tacacs, and I get the same output I got from bash. These are just different ways of viewing your configuration. I can also go inside the auth tacacs module and type list. To come out of the module, type quit; with quit I come out directly into bash, and then I go back into tmsh.

If I want to view more in-depth logs with respect to TACACS+, I can enable debug: type "modify auth tacacs all debug", press Tab to see the possible options, enabled or disabled, and choose enabled. Debug logging is now enabled. After enabling this, tail the log; the last entry is at 4:49. After this, let me try logging in again, this time entering wrong credentials; back on F5 we see "username not authenticated" for user1. If I try to log in with the correct credentials, you can see "authenticated successfully": this user is authenticated with role 700 and is assigned the access level guest. To stop this I use Ctrl-C.

At times I also have to take a packet capture to understand the communication between F5 and the authentication server, using tcpdump. Let me log out first. With tcpdump I specify the interface and a filter, either "tacacs" or the specific port TACACS+ is using; I am currently using a filter of tacacs and writing it to a file I can view later, named tacacs_test. The packet capture has started; now if I log in with my account, I am authenticated successfully. Back on F5, if I stop the capture I see zero packets captured. The reason is that by default TACACS+ communication uses the management interface, but here I gave the interface 0.0, which represents all your TMM traffic-handling interfaces, not the management interface. So let me take one more capture, this time on the management interface, which is eth0, with verbose output. I log out and log back in, successfully logged in; back on the F5 command line I see that 26 packets have been captured. This was for the user1 account, my guest account; let me log out and log in with user2, my admin account, and I get Resource Administrator. Back on F5, I can see 52 packets captured now, up from 26. I stop this and take the packet capture out of F5 using WinSCP.

I have taken the packet capture out of F5; let's have a look. Here I can see my F5 IP address and my authentication server. I can see the three-way handshake happening, and then the authentication request going from F5 towards the authentication server. If I open the details I can see only the version, but no further details about this authentication request. Authentication goes, a response comes back from the authentication server, and after a while the authorization request goes from F5 and the authorization response comes back. But if I click and expand the TACACS+ packet I cannot see the payload, because this is encrypted communication. If you know the TACACS+ secret, you can decrypt these packets to see the communication between F5 and your server. In Wireshark, click Edit > Preferences, go to Protocols, search for TACACS, click TACACS+, and there you have the option for the TACACS+ encryption key; enter the encryption key used in the configuration and select OK. The moment we click OK we can see it: if I click the authentication request and expand the TACACS+ packet, I can see the decrypted request with the username user1 and the password for that user. If I click the response packet, I can see the decrypted reply that authentication passed. Similarly, if I click the next authorization request going from F5 towards the authentication server and expand the decrypted packet, I can see the specific request going out. Let's check the authorization response that came back from ISE to F5: in the decrypted reply I can see the argument with the specific attribute we set on ISE, and based on this attribute F5 provides the level of access we defined on F5. This way you can analyze the packet captures and see where the problem is in the communication between F5 and your authentication server.

With this I will conclude this topic. Thank you for watching, I hope this has been informative and useful for every one of you. Keep watching.
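The captures above show why the shared secret matters twice over: a mismatch makes ISE report "invalid shared secret", and without the key Wireshark shows only the header. The following added example (not code from the video or from F5/ISE) implements the TACACS+ body obfuscation from RFC 8907 section 4.5, the MD5 pseudo-pad XOR that Wireshark reverses when you enter the key, and parses an authorization REPLY carrying the F5-LTM-User-Info-1 attribute; the session id, secret and attribute value are constructed sample data.

```python
"""TACACS+ body obfuscation (RFC 8907 4.5) on a constructed authorization REPLY."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
VERSION = 0xC0  # major version 0xC, minor version 0


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR against the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def author_reply_body(status, args):
    """Encode an authorization REPLY body: status, arg_cnt, msg_len, data_len, arg lens, args."""
    encoded = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(encoded), 0, 0)
    body += bytes(len(a) for a in encoded)
    return body + b"".join(encoded)


def build_packet(ptype, seq_no, session_id, key, body):
    """Cleartext 12-byte header followed by the obfuscated body."""
    header = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def parse_author_reply(packet, key):
    """Reverse the pad with the given key and return (status, [attribute=value, ...])."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = xor_body(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in lens:
        args.append(body[pos:pos + n].decode(errors="replace"))
        pos += n
    return status, args


SESSION_ID = 0x1234ABCD             # constructed session id
SECRET = b"tacacs-secret-example"   # constructed key, the value set on both ISE and F5
REPLY = build_packet(TAC_PLUS_AUTHOR, 2, SESSION_ID, SECRET,
                     author_reply_body(TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                                       ["F5-LTM-User-Info-1=f5_guests"]))

if __name__ == "__main__":
    print(parse_author_reply(REPLY, SECRET))        # correct key: attribute readable
    print(parse_author_reply(REPLY, b"wrong-key"))  # wrong key: garbage, as in a capture without the secret
```

With the wrong key the XOR still runs but yields noise, which is the same reason a mismatched secret leaves ISE unable to parse the request and log "invalid shared secret".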
Info
Channel: F5 Trainer
Views: 2,104
Id: nuqjct_ImA4
Length: 48min 28sec (2908 seconds)
Published: Sun May 17 2020