Sep 21, 2011

LTM 10.2.1 TACACS+ Authentication with ACS 4.2

Hello F5 Gurus,

Would really appreciate some help (and a lot of patience) as I have spent hours trying to get this working to no avail. I have followed the steps in solution 8808 and also read the following tech tip, which looks to be more focused on authorization with remote roles. I am only interested in granting a group of admin accounts access to the configuration utility (GUI).

The steps I have taken are as follows:

On F5 LTM configuration tool (users > authentication):

  User Directory: Remote - TACACS+
  Configuration (Advanced)
    Servers: xxx
    Secret: xxx
    Encryption: Disabled
    Service Name: PPP
    Protocol Name: IP
    Authentication: Authenticate to first server
    Accounting information: Send to first available server
    Debug Logging: Enabled
  External Users
    Role: Administrator
    Terminal Access

On ACS 4.2 GUI:

  Group Setup (default config unless specified below)
    Enable Options: No enable privilege
    TACACS+ Settings: PPP IP
  User Setup (default config / group settings used unless specified below)
    Password Authentication: ACS Internal Database
    CiscoSecurePAP Password: xxx
  AAA Client Setup:
    AAA Client IP Address: xxx
    Shared Secret: xxx
    Network Device Group: xxx
    Authenticate Using: TACACS+ (Cisco IOS)


On ACS Reports and Activity, under failed attempts, I'm seeing the Authentication Failure code: Key Mismatch (I have sanity checked the keys a number of times).

TCPDUMP on F5 shows the TACACS+ request going through, but the reply from the ACS shows a malformed packet and closes the session (see attached).

So I'm assuming that there needs to be some modification on either the ACS and/or F5 to make them talk the same type of TACACS+, but I have no clue where to start with this. I'm pretty stuck with this, so would be really pleased if anyone could help me find a solution or at least point me in the right direction.

Thanks and regards,
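
The "Key Mismatch" and "malformed packet" symptoms in the post come from how TACACS+ hides the packet body: it is XORed with a chained-MD5 keystream derived from the shared secret, so a secret that differs on either side decodes to random bytes whose length fields no longer add up, and the unencrypted header flag (what the F5 "Encryption: Disabled" setting controls) makes the server skip the key entirely. The following Python is an added example, not code from the original post, F5 or Cisco: it builds a PAP authentication START for service PPP (what the listed settings describe; the exact bytes the F5 sends are an assumption), decodes it with the correct and a wrong secret, and shows the cleartext-flag path; the session id, user, port and host values are constructed.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907 (these values are the protocol's own).
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is cleartext (F5 "Encryption: Disabled")
AUTHEN_LOGIN, AUTHEN_TYPE_PAP, AUTHEN_SVC_PPP = 0x01, 0x02, 0x03
HEADER = struct.Struct("!BBBB4sI")  # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained-MD5 keystream (RFC 8907 section 4.5); every byte depends on the shared secret."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; the same call both encodes and decodes a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user: str, password: str, key: bytes, session_id: bytes,
                       encrypt: bool = True) -> bytes:
    """Constructed authentication START: PAP over service PPP, as in the F5 settings above."""
    version, seq_no = 0xC1, 1  # major version 0xC, minor version 1 (the one PAP uses)
    port, rem_addr = b"tty0", b"constructed-host"  # constructed sample values
    body = struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_PAP, AUTHEN_SVC_PPP,
                       len(user), len(port), len(rem_addr), len(password))
    body += user.encode() + port + rem_addr + password.encode()
    flags = 0x00 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    if encrypt:
        body = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + body

def parse_authen_start(packet: bytes, key: bytes):
    """Server-side view: (user, password) on success, None when the body does not parse.
    A wrong secret yields a body whose length fields do not add up, which is what a
    server reports as a key mismatch or malformed packet."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:  # a cleartext body never touches the key
        body = obfuscate(body, session_id, key, version, seq_no)
    action, _priv, _atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if action != AUTHEN_LOGIN or 8 + ulen + plen + rlen + dlen != len(body):
        return None
    fields = body[8:]
    return (fields[:ulen].decode(errors="replace"),
            fields[ulen + plen + rlen:].decode(errors="replace"))
```

Comparing the decode with the correct and a wrong secret against a packet capture is a quick way to tell a genuine secret mismatch from a server that simply refuses cleartext bodies.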