Dylan_25501
Sep 21, 2011
LTM 10.2.1 TACACS+ Authentication with ACS 4.2
Hello F5 Gurus,
Would really appreciate some help (and a lot of patience) as I have spent hours trying to get this working to no avail. I have followed the steps in solution 8808 and also read the following tech tip, which looks to be more focused on authorization with remote roles. I am only interested in granting a group of admin accounts access to the configuration utility (GUI).
http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8808.html
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/2316/v10--Remote-Authorization-via-TACACS43.aspx
The steps I have taken are as follows:
*******************************************
On F5 LTM configuration tool (users > authentication):
Authentication
User Directory: Remote - TACACS+
Configuration (Advanced)
Servers: xxx
Secret: xxx
Encryption: Disabled
Service Name: PPP
Protocol Name: IP
Authentication: Authenticate to first server
Accounting information: Send to first available server
Debug Logging: Enabled
External Users
Role: Administrator
Terminal Access
*******************************************
On ACS 4.2 GUI:
Group Setup (Default config unless specified below)
Enable Options: No enable privilege
TACACS+ Settings: PPP IP
User Setup (Default config / group settings used unless specified below)
Password Authentication: ACS Internal Database
CiscoSecurePAP Password: xxx
AAA Client Setup:
AAA Client IP Address: xxx
Shared Secret: xxx
Network Device Group: xxx
Authenticate Using: TACACS+ (Cisco IOS)
*******************************************
Debugging:
On ACS Reports and Activity, under failed attempts I'm seeing the Authentication Failure code: Key Mismatch (I have sanity-checked the keys a number of times).
TCPDUMP on F5 shows the TACACS+ request going through, but the reply from the ACS shows a malformed packet and closes the session (see attached).
*******************************************
So I'm assuming that there need to be some modifications on either the ACS and/or the F5 to make them talk the same type of TACACS+, but I have no clue where to start with this. I'm pretty stuck with this, so I would be really pleased if anyone could help me find a solution or at least point me in the right direction.
Thanks and regards,
Dylan
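The "Key Mismatch" and malformed-reply symptoms in the post hinge on how TACACS+ ties the packet body to the shared secret, so here is an added worked example (written for this thread, not code from the original post, F5 or Cisco) of the RFC 8907 header, the MD5 body obfuscation, the unencrypted flag, and a PAP/PPP authentication START body of the kind this setup would send. The session id, key, username, port and remote address are constructed values.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) header: version, type, seq_no, flags, session_id, body length.
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in cleartext, shared key not applied
TAC_PLUS_AUTHEN = 0x01

def keystream(session_id, key, version, seq_no, length):
    """MD5 pad of RFC 8907 section 4.5; each block chains the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR against the pad."""
    return bytes(b ^ p for b, p in zip(body, keystream(session_id, key, version, seq_no, len(body))))

def authen_start(user, password, port="gui", rem_addr="192.0.2.10"):
    """Constructed authentication START body: action LOGIN, priv_lvl 1, PAP, service PPP."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return bytes([0x01, 0x01, 0x02, 0x03, len(u), len(p), len(r), len(d)]) + u + p + r + d

def build_packet(body, session_id, key, encrypted, version=0xC0, seq_no=1):
    flags = 0 if encrypted else TAC_PLUS_UNENCRYPTED_FLAG
    payload = xor_body(body, session_id, key, version, seq_no) if encrypted else body
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + payload

def server_view(pkt, server_key):
    """What the server sees: honour the flag, de-obfuscate with *its* copy of the key,
    then check that the START field lengths add up. A wrong key, or a flag the server
    does not expect, yields a body whose lengths do not match, i.e. a 'malformed' packet."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(pkt)
    body = pkt[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, server_key, version, seq_no)
    if len(body) < 8 or 8 + sum(body[4:8]) != len(body):
        return None                      # lengths inconsistent: key or flag mismatch
    u = body[8:8 + body[4]]
    return u.decode("ascii", "replace")  # username the server would go on to authenticate
```

Running `server_view` on a capture with the key each side believes it holds shows whether the body decodes at all, which is the first thing to separate a genuine key mismatch from a cleartext/obfuscated flag disagreement.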