Just upgraded from 10.2.0 to 10.2.3. Had TACACS working before the upgrade, now getting login failures. ACS reports that I successfully passed authentication. The /var/log/secure states that it could not identify user (from getpwnam. Is there something new I need to configure in the upgrade to make the F5 pass tacacs authentications.

can you check authorization configuration? there is a bug 337871 which is fixed in 10.2.2. before 10.2.2, when tacacs remote auth is enabled, bigip is allowing login access even if authorization phase with the tacacs server fails. Bug 337871 - pam_tacplus: authorization phase is ignored in 10.2.0 and beyond

We had this issue when we upgraded to 10.2.3. There is an easy fix. In the BIG-IP configuration under System, Users, Authentication, some parameters need changed. Service Name needs to be ppp and Protocol Name needs to be ip. Under the group configuration in ACS in the TACACS+ Settings section, ensure PPP IP is checked. That should get your authentication working again.

@Cory, thanks! That worked! had to add the ip to protocol name in the LTM and check the box. Back to working like normal!

Hi, I have to change to Service Name: sytem Protocol: ip and in the ACS as well.. then the access has been restored.

Hi all, There's a document http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13456.html?sr=27153757 saying that "The BIG-IP system does not allow using local authentication as a backup method when remote authentication fails" My question: If the F5 failed to authenticate via Tacacs or other centralise authentication method, how do one get into fix the problem? Does the local root account work via console?

failed login attempts after upgrade on LTM

nitass
Employee
Feb 08, 2012
can you check authorization configuration?

there is a bug 337871 which is fixed in 10.2.2. before 10.2.2, when tacacs remote auth is enabled, bigip is allowing login access even if

authorization phase with the tacacs server fails.

Bug 337871 - pam_tacplus: authorization phase is ignored in 10.2.0 and beyond
Cory_50405
Noctilucent
Feb 08, 2012
We had this issue when we upgraded to 10.2.3. There is an easy fix.

In the BIG-IP configuration under System, Users, Authentication, some parameters need changed. Service Name needs to be ppp and Protocol Name needs to be ip.

Under the group configuration in ACS in the TACACS+ Settings section, ensure PPP IP is checked. That should get your authentication working again.
D_Miller_23555
Nimbostratus
Feb 08, 2012
@Cory,

thanks! That worked! had to add the ip to protocol name in the LTM and check the box. Back to working like normal!
Ayzon_112108
Nimbostratus
Apr 02, 2012
Hi,

I have to change to

Service Name: sytem

Protocol: ip

and in the ACS as well..

then the access has been restored.
Tino_92393
Nimbostratus
Feb 06, 2013
Hi all,

There's a document http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13456.html?sr=27153757

saying that "The BIG-IP system does not allow using local authentication as a backup method when remote authentication fails"

My question: If the F5 failed to authenticate via Tacacs or other centralise authentication method, how do one get into fix the problem?

Does the local root account work via console?
What_Lies_Bene1
Cirrostratus
Feb 06, 2013
It's my belief that local administrative user accounts can still be used even when remote authentication is working.
Tino_92393
Nimbostratus
Feb 06, 2013
Thanks. So what does the statement from F5 refers to?
What_Lies_Bene1
Cirrostratus
Feb 06, 2013
I think it's simply incorrect, or refers to local accounts configured solely to allow Advanced Shell access, even though the accounts are remotely authenticated.

You should be able to test this very easily.
Tino_92393
Nimbostratus
Feb 06, 2013
Wish i have a test box to try it out. Doing it in Prod so have to make sure that i don't get lock out.

So just to confirm, regardless if remote authentication is working or not, one can always login via GUI using local admin account or via SSH using root account?
What_Lies_Bene1
Cirrostratus
Feb 07, 2013
That is my belief yes. It's still testable really as you can try logging in as admin or root once you've configured remote authentication. Before you do, make sure you have a specific route (the default won't do) to your authentication servers configured in the HMS (not LTM). Use this command to create one: [tmsh] create sys management-route name network/prefix gateway gateway-ip