Forum Discussion

Tamer_Ezzat_235
Nov 14, 2016

tacacs authentication from active/standby nodes

Hi Team,

I have a cluster environment and I have configured F5 to use ACS for authentication. However, it is working on one node only and not working on the other node.

What am I missing here?

Thanks

  • I am getting the following error msg:

    err httpd[16421]: tac_authen_pap_read: error reading PAP authen header, read -1 of 12: Connection reset by peer

  • _KT_

    Sorry to revive this old thread. I am having a very similar issue and was wondering if you found the answer?

  • Very similar as in the same error, or just not working on either of the BIG-IPs?

    Are both BIG-IPs in your TACACS server client list?

  • I doubt someone is going to solve this without some more information shared.

    So quattroginger, do you have exactly the same issue? Configured both TACACS+ servers in BIG-IP for admin authentication? Which IP addresses did you use on the TACACS+ server side?

    • Samuel_Rydén

      I just experienced this trying to implement this on an r5600 platform tenant with Clearpass as the TACACS+ service.

      We got that same error message, "tac_authen_pap_read: error reading PAP authen header, read -1 of 12: Connection reset by peer".

      After a bit of digging in Clearpass (Access Tracker), it turned out the wrong Service took precedence and an unintended enforcement policy was applied (with unmatching TACACS secrets).
      That service that took precedence was attached to an enforcement profile with a device group list that contained two /24 networks.
      One of those networks was spanning the management IPs of the new r5600 tenants.

      The immediate solution in our case was to reorder the services in Clearpass under Configuration, Services, so that the Service used in the enforcement policy with the narrower scope (two IP addresses) had a higher priority than the offending one.
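The precedence problem described above, modelled as an added example (not code from the thread, F5 or ClearPass): services are assumed to be evaluated first-match in priority order over device-group CIDRs, so a broad /24 listed above a narrower service answers one cluster node with the wrong shared secret while the other node, whose management IP the /24 does not cover, keeps working. All service names, IPs and secrets are constructed; `find_shadowing` goes a step beyond the thread and flags any such overlap before it bites.

```python
from ipaddress import ip_address, ip_network

# Constructed service table in priority order (index 0 = highest). The two
# secrets stand in for the mismatched TACACS+ secrets seen in the thread.
SERVICES = [
    {"name": "Legacy-NetDevices", "groups": ["10.10.0.0/24", "10.20.0.0/24"],
     "secret": "legacy-secret"},
    {"name": "BIGIP-Admin", "groups": ["10.30.0.11/32", "10.20.0.12/32"],
     "secret": "bigip-secret"},
]

# Constructed management IPs of the two cluster nodes; both BIG-IPs are
# configured with "bigip-secret".
NODE_IPS = ["10.30.0.11", "10.20.0.12"]
BIGIP_SECRET = "bigip-secret"

def select_service(services, client_ip):
    """First-match: return the first service whose device group contains client_ip."""
    addr = ip_address(client_ip)
    for svc in services:
        if any(addr in ip_network(cidr) for cidr in svc["groups"]):
            return svc
    return None

def check_nodes(services, node_ips, expected_secret):
    """Per node: (service that answers it, whether its secret matches the BIG-IP's).
    A False here is the secret mismatch that surfaces as the PAP header read error."""
    report = {}
    for ip in node_ips:
        svc = select_service(services, ip)
        report[ip] = (svc["name"] if svc else None,
                      svc is not None and svc["secret"] == expected_secret)
    return report

def find_shadowing(services):
    """Return (higher, lower, cidr) triples where a higher-priority service's group
    fully covers a CIDR of a lower-priority one, so that CIDR can never match."""
    hits = []
    for i, hi in enumerate(services):
        for lo in services[i + 1:]:
            for cidr in lo["groups"]:
                if any(ip_network(cidr).subnet_of(ip_network(c)) for c in hi["groups"]):
                    hits.append((hi["name"], lo["name"], cidr))
    return hits

def promote(services, name):
    """Move the named service to the top of the priority list (the fix in the thread)."""
    return ([s for s in services if s["name"] == name]
            + [s for s in services if s["name"] != name])
```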