Requirement:
Clearpass software 6.5 and above version.
BIG-IP F5 version 11.6 (Tested).
Solution:
You can configure the BIG-IP F5 system to use Clearpass TACACS+ server for authenticating BIG-IP system user accounts (through MGMT interface). On the BIG-IP system, you can configure access control privileges for users that are defined on Clearpass authentication server. For example, if the configuration of Clearpass TACACS+ authentication server to reply the attribute string ADC-user=Ent-Admin, you can assign a specific set of access control properties to that user account.
Configuration:
Specifying TACACS+ server information:
From the Main tab of the navigation page, click System > Users > Authentication, click change and select Remote – TACACS+. Enter Clearpass server details, service name, protocol name and default access permissions.
- In the Service Name field, type the name of the service that the user is requesting to be authenticated to use (usually ppp). Specifying the service enables the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell,tty-daemon, connection, system, and firewall.
- In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Name field. This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
- From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP user accounts stored on the remote server:
- From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP user accounts can access.
- From the Terminal Access list, select one of the following options as the default terminal access for remotely-authenticated user accounts.
Assigning access control properties to user groups:
From the Main tab, click System > Users > Remote Role Groups > Click Create. In the Group Name field, type the group name that is defined on the Clearpass server. An example of a group name is Ent-Admin.
- In the Attribute String field, type an attribute. An example of an attribute string is ADC-user=Ent-Admin. The BIG-IP system attempts to match this attribute with an attribute on the remote authentication server. On finding a match, the BIG-IP system applies the access control settings defined here to the users in that group. If a match is not found, the system applies the default access control settings to all remotely-stored user accounts.
Enabling Clearpass for BIG-IP TACACS+ authentication:
You can update TACACS+ dictionary for ppp:ip and add attribute ADC-User, Create a TACACS+ service to authenticate users and then reply enforcement profile with attribute ADC-User value.
From Administration > Dictionaries > TACACS+ services, add ADC-User attribute to ppp:ip service dictionary by doing an export/modify/import xml option.
Configure TACACS+ service with enforcement policy rules to assign appropriate level of privileges.
Enforcement Policy rules:
Enforcement Profile:
Verification
From Clearpass Access tracker, verify the authentication request after performing a test authentication.
From BIG-IP F5 home page, verify the role assigned to user.
Troubleshooting :
Enabling debug logging for Remote-TACACS+ authentication:
You can enable debug logging for TACACS+ authentication, attempt to log in using remote user accounts, and then review the debug log files. To do so, perform the following procedure:
From BIG-IP:
Note: F5 recommends that you return the log level to the default value after you complete the troubleshooting steps. Leaving debug logging enabled when the system is in normal production mode may generate excessive logging and affect performance.
- Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh
- Enable debug logging by typing the following command:
modify /auth tacacs all debug enabled
- Test TACACS+ authentication by attempting to log in using remote user accounts.
- After testing TACACS+ authentication, disable debug logging by typing the following command:
modify /auth tacacs all debug disabled
- Review the /var/log/secure file for debug log messages.
From Clearpass:
Note: Leaving debug logging enabled when the system is in normal production mode may generate excessive logging and affect performance.
- From Administration > Server Manager > Log Configuration, select TACACS server, then select default log level to debug.
- From Administration > Server Manager > Log Configuration, select Clearpass Network services, then select default log level to debug.
- Test TACACS+ authentication by attempting to log in using remote user accounts.
- After testing TACACS+ authentication, disable debug logging by using the option ‘Restore defaults’ for TACACS server and Clearpass Network services.
- Review the /tacacs-server/tacacs-server.log, /tips-network-services/network-services.log file from collect logs for debug log messages.