Forum Discussion
D_Miller_23555
Nimbostratus
Feb 07, 2012
Failed login attempts after upgrade on LTM
Just upgraded from 10.2.0 to 10.2.3. Had TACACS working before the upgrade; now getting login failures. ACS reports that I successfully passed authentication. /var/log/secure states that it could not identify user (from getpwnam).
Is there something new I need to configure after the upgrade to make the F5 pass TACACS authentication?
12 Replies
- nitass
Employee
Can you check the authorization configuration?
There is a bug, 337871, which is fixed in 10.2.2. Before 10.2.2, when TACACS remote auth is enabled, BIG-IP allows login access even if the authorization phase with the TACACS server fails.
Bug 337871 - pam_tacplus: authorization phase is ignored in 10.2.0 and beyond
- Cory_50405
Noctilucent
We had this issue when we upgraded to 10.2.3. There is an easy fix.
In the BIG-IP configuration under System, Users, Authentication, some parameters need to be changed. Service Name needs to be ppp and Protocol Name needs to be ip.
Under the group configuration in ACS, in the TACACS+ Settings section, ensure PPP IP is checked. That should get your authentication working again.
- D_Miller_23555
Nimbostratus
@Cory,
Thanks! That worked! Had to add ip to Protocol Name in the LTM and check the box. Back to working like normal!
- Ayzon_112108
Nimbostratus
Hi,
I had to change to
Service Name: system
Protocol: ip
and in the ACS as well.
Then access was restored.
- Tino_92393
Nimbostratus
Hi all,
There's a document http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13456.html?sr=27153757
saying that "The BIG-IP system does not allow using local authentication as a backup method when remote authentication fails"
My question: if the F5 fails to authenticate via TACACS or another centralised authentication method, how does one get in to fix the problem?
Does the local root account work via console?
- What_Lies_Bene1
Cirrostratus
It's my belief that local administrative user accounts can still be used even when remote authentication is working.
- Tino_92393
Nimbostratus
Thanks. So what does the statement from F5 refer to?
- What_Lies_Bene1
Cirrostratus
I think it's simply incorrect, or refers to local accounts configured solely to allow Advanced Shell access, even though the accounts are remotely authenticated.
You should be able to test this very easily.
- Tino_92393
Nimbostratus
Wish I had a test box to try it out. Doing it in Prod, so I have to make sure that I don't get locked out.
So just to confirm: regardless of whether remote authentication is working or not, one can always log in via the GUI using the local admin account or via SSH using the root account?
- What_Lies_Bene1
Cirrostratus
That is my belief yes. It's still testable really as you can try logging in as admin or root once you've configured remote authentication. Before you do, make sure you have a specific route (the default won't do) to your authentication servers configured in the HMS (not LTM). Use this command to create one: [tmsh] create sys management-route name network/prefix gateway gateway-ip
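To make concrete what the Service Name / Protocol Name settings Cory and Ayzon changed actually send to ACS, here is an added example (not code from this thread, from F5, or from pam_tacplus). It builds a TACACS+ authorization REQUEST the way a client such as pam_tacplus does, following the wire format documented in RFC 8907 (sections 4.1, 4.5 and 6.1): the service and protocol travel as the AV-pairs service=ppp and protocol=ip, the body is obfuscated with the shared secret, and the server side parses it back and evaluates it against a toy model of an ACS group's TACACS+ Settings in which only "PPP IP" is ticked. The user name, port, address, shared secret and group policy are constructed for the example, and the policy model is a simplification, not ACS's own logic. It illustrates why, once the authorization phase is enforced (the fix for bug 337871 that nitass mentions), a FAIL at this step produces a login failure even though ACS shows the authentication itself passing.

```python
"""TACACS+ authorization REQUEST carrying service=ppp / protocol=ip AV-pairs.

Added example for this thread, not F5, ACS or pam_tacplus code.  Follows the
TACACS+ wire format in RFC 8907 (sections 4.1, 4.5 and 6.1).  All names,
addresses, the shared secret and the "ACS group" policy are constructed.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0                  # major version 0xc, minor version 0
TAC_PLUS_AUTHOR = 0x02                   # packet type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

HEADER = struct.Struct("!BBBBII")        # version, type, seq_no, flags, session_id, length
REQ_FIXED = struct.Struct("!BBBBBBBB")   # authen_method, priv_lvl, authen_type, authen_service,
                                         # user_len, port_len, rem_addr_len, arg_cnt


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 sec. 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call de-obfuscates (this is not encryption)."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_author_request(user, port, rem_addr, args, session_id, key, seq_no=1, priv_lvl=1):
    """Client side: authorization REQUEST (sec. 6.1) with `args` as AV-pairs,
    e.g. ["service=ppp", "protocol=ip"], wrapped in the 12-byte header (sec. 4.1)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_b = [a.encode() for a in args]
    if any(len(x) > 255 for x in [user_b, port_b, rem_b, *arg_b]) or len(arg_b) > 255:
        raise ValueError("TACACS+ field lengths and arg_cnt are single bytes")
    body = REQ_FIXED.pack(TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                          TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                          len(user_b), len(port_b), len(rem_b), len(arg_b))
    body += bytes(len(a) for a in arg_b) + user_b + port_b + rem_b + b"".join(arg_b)
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_author_request(packet: bytes, key: bytes) -> dict:
    """Server side: check the header, de-obfuscate the body and split out the AV-pairs."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if version >> 4 != 0xC or ptype != TAC_PLUS_AUTHOR or len(packet) != HEADER.size + length:
        raise ValueError("not a complete TACACS+ authorization packet")
    body = obfuscate(packet[HEADER.size:], session_id, key, seq_no)
    try:
        _, priv_lvl, _, _, ulen, plen, rlen, argc = REQ_FIXED.unpack(body[:REQ_FIXED.size])
        off = REQ_FIXED.size
        arg_lens = list(body[off:off + argc])
        off += argc
        fields = []
        for n in [ulen, plen, rlen, *arg_lens]:
            fields.append(body[off:off + n].decode())
            off += n
    except (struct.error, UnicodeDecodeError) as exc:
        raise ValueError("body does not parse; wrong shared secret?") from exc
    if off != len(body) or len(arg_lens) != argc:
        raise ValueError("body length mismatch; wrong shared secret?")
    user, port, rem_addr, *args = fields
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl, "args": args}


def acs_group_decision(request: dict, group_policy: dict) -> int:
    """Toy model (constructed, not ACS code) of an ACS group's TACACS+ Settings:
    PASS_ADD only if the requested service is enabled for the group and, where the
    service lists protocols, the requested protocol is one of them (the 'PPP IP'
    checkbox from the thread).  Only mandatory '=' AV-pairs are considered."""
    av = dict(a.split("=", 1) for a in request["args"] if "=" in a)
    service = av.get("service")
    if service not in group_policy:
        return TAC_PLUS_AUTHOR_STATUS_FAIL
    allowed_protocols = group_policy[service]
    if allowed_protocols and av.get("protocol") not in allowed_protocols:
        return TAC_PLUS_AUTHOR_STATUS_FAIL
    return TAC_PLUS_AUTHOR_STATUS_PASS_ADD


if __name__ == "__main__":
    SECRET = b"example-shared-secret"          # constructed
    SESSION = 0x1A2B3C4D                       # constructed
    GROUP = {"ppp": {"ip"}}                    # ACS group with only "PPP IP" ticked
    for args in (["service=ppp", "protocol=ip"], ["service=ppp"], ["service=shell", "cmd="]):
        pkt = build_author_request("dmiller", "tty0", "192.0.2.10", args, SESSION, SECRET)
        status = acs_group_decision(parse_author_request(pkt, SECRET), GROUP)
        print(args, "->", "PASS_ADD" if status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD else "FAIL")
```

Only the first request passes: the group permits service ppp with protocol ip, so a client configured with Service Name ppp and Protocol Name ip gets PASS_ADD, while a client that omits the protocol, or asks for a service the group does not enable, gets FAIL. The pseudo-pad step is also a reminder that TACACS+ obfuscation is MD5-derived XOR keyed on the shared secret, not encryption, so the management path to the TACACS+ server still deserves network-level protection.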