Forum Discussion
Configuring remote authentication fallback on BIG-IP systems does still not work!
thrillseeker wrote: In our situation we need to give some local users read-only access to the BIG-IP system. Unfortunately, having those users in the same external user directory is currently not a viable option. For me it seems that this 2nd bullet point isn't really correct!
You should understand that authentication fallback triggers when the AAA server is unavailable.
As far as I know, local users can't access the system if you configure, for example, TACACS authentication, unless the TACACS server is unreachable by F5 - that's why they named it "failback". Unless a user with the same name is configured in the TACACS server.
From the same article:
| User type | Fallback option de-selected (default) | Fallback option selected |
| --- | --- | --- |
| Local, without remote counterpart | | |
You are right, BUT according to the article below (see the 2nd bullet point, in red) it should still be possible to use local accounts.
https://my.f5.com/manage/s/article/K67025432
You should consider using this procedure when your BIG-IP system is configured for remote authentication for BIG-IP system users.
- You want local users to be able to access the BIG-IP system when the remote authentication server is unavailable.
- You want local users to be able to access the BIG-IP system when the users are locally configured on the BIG-IP and are not configured on the remote authentication server.
So it could be that this fallback feature works as expected, but then this article is a bit misleading...
Regards
Lukas
CA_Valli (MVP), Jun 13, 2023
You're right, it's a little misleading.
What the bullet point refers to (I believe) is that this configuration supports users that CAN access the unit and AREN'T configured on the remote server. BUT those will ONLY work when TACACS is not reachable, which will be the failback scenario.
Without failback enabled, local users WILL NOT work, even if TACACS is down, and this is the difference that the BP wants to highlight.
For local users to work when TACACS is up, I'm pretty sure you need to map them in the auth server.
(thrillseeker, I have edited the comment a couple of times; I'm tagging you so it triggers a notification and I'm sure you don't miss the latest update.)