Forum Discussion
External Users Authentication & on box authentication
Hi guys, if I have configured my F5 box to use a TACACS server for user authentication, what will happen to the users locally created on the box? Will they work or not? Also, if my TACACS server fails, what will happen? Will the authentication fall back to the local authentication on the box, or will user access be completely locked, and what will be left for authentication in such a situation?
Regards,
4 Replies
- Kevin_K_51432
Historic F5 Account
Hi, not my area of expertise, but it looks pretty binary (either local or remote). I created a local user and authenticated to the LTM UI just fine. Then flipped authentication to remote and was unable to authenticate any longer. This TACACS+ server hasn't been working properly for some time. Two thoughts: The TACACS authentication screen lets you add multiple TACACS servers for resiliency. If there is any authentication issue blocking user access, the admin and root accounts remain local for you to access and perform any necessary config tweaks.
- PeteWhite
Employee
As said above, the admin and root account remain on the box even with TACACS authentication.
Test this whilst logged in as root or admin so that you can be sure to roll back any changes you make. If it's not working, check the config on the TACACS and LTM twice and then get someone else to check it. After that, do a tcpdump to see whether network connectivity is OK.
You can also use remote roles where you assign a role on the LTM and assign users to the role via TACACS using AVPs.
- Brian_Saunders1
Altostratus
We use Cisco ACS as our authentication server and have our F5s configured for RADIUS authentication and a remote role configured on the F5s that is returned by the RADIUS server (this way we don't have to configure users on the F5s).
Any accounts other than root or admin will attempt to use the remote authentication method that is configured, even if it's down. So in the event that your authentication servers fail, only the root or admin accounts will be able to log into the F5.
- Techgeeeg
Nimbostratus
Thanks guys, your input really helped.
