Forum Discussion
Dylan_25501 (Nimbostratus)
Sep 21, 2011
LTM 10.2.1 TACACS+ Authentication with ACS 4.2
Hello F5 Gurus,
Would really appreciate some help (and a lot of patience) as I have spent hours trying to get this working to no avail. I have followed the steps in solution 8808 and also read the following tech tip, which looks to be more focused on authorization with remote roles. I am only interested in granting a group of admin accounts access to the configuration utility (GUI).
http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8808.html
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/2316/v10--Remote-Authorization-via-TACACS43.aspx
The steps I have taken are as follows:
*******************************************
On F5 LTM configuration tool (users > authentication):
Authentication
User Directory: Remote - TACACS+
Configuration (Advanced)
Servers: xxx
Secret: xxx
Encryption: Disabled
Service Name: PPP
Protocol Name: IP
Authentication: Authenticate to first server
Accounting information: Send to first available server
Debug Logging: Enabled
External Users
Role: Administrator
Terminal Access
*******************************************
On ACS 4.2 GUI:
Group Setup (Default config unless specified below)
Enable Options: No enable privilege
TACACS+ Settings: PPP IP
User Setup (Default config / group settings used unless specified below)
Password Authentication: ACS Internal Database
CiscoSecurePAP Password: xxx
AAA Client Setup:
AAA Client IP Address: xxx
Shared Secret: xxx
Network Device Group: xxx
Authenticate Using: TACACS+ (Cisco IOS)
*******************************************
Debugging:
On ACS Reports and Activity, under failed attempts, I'm seeing the Authentication Failure code: Key Mismatch (I have sanity checked the keys a number of times).
TCPDUMP on the F5 shows the TACACS+ request going through, but the reply from the ACS shows a malformed packet and closes the session (see attached).
*******************************************
So I'm assuming that there need to be some modifications on either the ACS and/or the F5 to make them talk the same type of TACACS+, but I have no clue where to start with this. I'm pretty stuck, so I would be really pleased if anyone could help me find a solution or at least point me in the right direction.
Thanks and regards,
Dylan
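The post above turns on two TACACS+ details: the shared secret used to obfuscate the packet body, and the "Encryption: Disabled" client setting, which in the protocol corresponds to the TAC_PLUS_UNENCRYPTED_FLAG header bit. The following is an added example, not code from the original post, from F5, or from Cisco ACS, and it does not claim to diagnose the poster's setup; it builds an authentication START packet per RFC 8907, obfuscates the body with the MD5 pseudo-pad, and shows what a receiver sees when the secret differs or when it ignores the unencrypted flag. The session id, username, password and secrets are constructed sample values, and the sanity checks in `parse_authen_start` are this example's own heuristic for "the body decoded to something plausible", not a documented ACS check.

```python
"""TACACS+ (RFC 8907) packet builder/parser showing how the shared-secret body
obfuscation and the TAC_PLUS_UNENCRYPTED_FLAG interact. Added example; not code
from the forum post, F5 or Cisco ACS. All sample values are constructed."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01               # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01         # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"               # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 5.2: MD5(session_id | key | version | seq_no [| previous digest]), chained."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """The obfuscation is a plain XOR, so the same call encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, port=b"tty0", rem_addr=b"", priv_lvl=1):
    """Authentication START body for PAP: the password travels in the data field."""
    return struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr),
                       len(password)) + user + port + rem_addr + password


def build_packet(body, session_id, seq_no=1, key=None, minor_version=1):
    """key=None models a client with encryption disabled: it sets the
    UNENCRYPTED flag and sends the body unmodified."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_version
    if key is None:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    else:
        flags, payload = 0, xor_body(body, session_id, key, version, seq_no)
    return struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags,
                       session_id, len(body)) + payload


def parse_packet(packet, key, honor_unencrypted_flag=True):
    """Return (header dict, cleartext body). A receiver that ignores the flag XORs a
    cleartext body with its own pad and gets garbage, exactly as a wrong key does."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ packet")
    payload = packet[HEADER_LEN:]
    if len(payload) != length:
        raise ValueError("header length does not match payload")
    if honor_unencrypted_flag and flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload
    else:
        body = xor_body(payload, session_id, key, version, seq_no)
    return dict(version=version, type=ptype, seq_no=seq_no, flags=flags, session_id=session_id), body


def parse_authen_start(body):
    """Decode a START body. The checks are this example's plausibility heuristic;
    a body decoded with the wrong secret almost always fails one of them."""
    if len(body) < 8:
        raise ValueError("malformed body: shorter than the fixed fields")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or not 1 <= authen_type <= 6 or priv_lvl > 15:
        raise ValueError("malformed body: implausible action/authen_type/priv_lvl")
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("malformed body: field lengths disagree with packet length")
    off, fields = 8, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return dict(priv_lvl=priv_lvl, authen_type=authen_type, service=service,
                user=user, port=port, rem_addr=rem_addr, data=data)


def decodes_cleanly(packet, key, honor_unencrypted_flag=True):
    """True if the body decodes to a plausible START; False models a 'malformed' verdict."""
    try:
        parse_authen_start(parse_packet(packet, key, honor_unencrypted_flag)[1])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: user "admin" logging in with PAP; session id chosen arbitrarily.
    body = build_authen_start(b"admin", b"s3cret", port=b"https", rem_addr=b"192.0.2.10")
    encrypted = build_packet(body, session_id=0x1234ABCD, key=b"correct-secret")
    cleartext = build_packet(body, session_id=0x1234ABCD, key=None)
    print("matching secret:        ", decodes_cleanly(encrypted, b"correct-secret"))
    print("mismatched secret:      ", decodes_cleanly(encrypted, b"wrong-secret"))
    print("cleartext, flag honored:", decodes_cleanly(cleartext, b"correct-secret"))
    print("cleartext, flag ignored:", decodes_cleanly(cleartext, b"correct-secret", False))
```

Two things worth taking from the example when reading a capture: the flags byte is the fourth byte of the header, so `tcpdump -X` on port 49 shows directly whether the client set the unencrypted bit; and because the obfuscation is a keyed XOR with no integrity check, a secret mismatch is not detected as such by the protocol but shows up downstream as a body whose length fields no longer add up, which is what a receiver then reports as malformed.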
No replies