Forum Discussion

thrillseeker's avatar
thrillseeker
Icon for Nimbostratus rankNimbostratus
Jun 12, 2023

Configuring remote authentication fallback on BIG-IP systems does still not work!

Hi all, According to https://my.f5.com/manage/s/article/K67025432 local user authentication should work even when remote server (in my example Windows AD) is still reachable (fallback option enabled...
application delivery
security
thrillseeker's avatar
thrillseeker
Icon for Nimbostratus rankNimbostratus

You are right, BUT according to the article (see 2nd bullet point in red) below it should still be possible to use local accounts.

https://my.f5.com/manage/s/article/K67025432

You should consider using this procedure when your BIG-IP system is configured for remote authentication for BIG-IP system users.

  • You want a local users to be able to access the BIG-IP system when the remote authentication server is unavailable.
  • You want a local users to be able to access to the BIG-IP system when the users are locally configured on the BIG-IP and are not configured on the remote authentication server.

So it could be that this fallback feautre works as expectetd but than this article is a bit missleading...

Regards

Lukas

 

 

CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Jun 13, 2023

You're right, it's a little misleading.

What the bullet point refers to (I believe), is that this configuration supports users that CAN access the unit, and AREN'T configured on the remote server. BUT, those will ONLY work when TACACS is not reacheable, which will be the failback scenario.

Without failback enabled, local users WILL NOT work, even if TACACS is down, and this is the difference that the BP wants to highlight.

For local users to work when TACACS is up, I'm pretty sure you need to map them in the auth server.

( thrillseeker I have edited the comment a couple times, I'm tagging you so it triggers a notification and I'm sure you don't miss latest update )