Forum Discussion

Tamer_Ezzat_235's avatar
Icon for Nimbostratus rankNimbostratus
Nov 14, 2016

tacacs authentication from active/standby nodes

Hi Team,


I have a cluster env. and I have configured F5 to use ACS for authentication However it is working on one node only and not working on the other node


What I miss in this ?




6 Replies

  • I am getting the following error msg


    err httpd[16421]: tac_authen_pap_read: error reading PAP authen header, read -1 of 12: Connection reset by peer


  • _KT_'s avatar
    Icon for Nimbostratus rankNimbostratus

    Sorry to revive this old thread. I am having a very similar issue and was wondering if you found the answer?


  • very similar as the same error or just not working on either of the BIG-IPs?


    are both BIG-IPs in your TACACS server client list?


  • i doubt someone i going to solve this without some more information shared.


    so quattroginger do you have exactly the same issue? configured both tacacs+ servers in big-ip for admin authentication? which IP adresses did you use on the tacacs+ server side?

    • Samuel_Rydén's avatar
      Icon for Altocumulus rankAltocumulus

      I just experienced this trying to implement this on an r5600 platform tenant with Clearpass as the TACACS+ service.

      We got that same error message, "tac_authen_pap_read: error reading PAP authen header, read -1 of 12: Connection reset by peer".

      After a bit of digging in Clearpass (Access Tracker), it turned out the wrong Service took precedence and an unintended enforcement policy was applied (with unmatching TACACS secrets).
      hat service that took precedence, was attached to an enforcement profile with a device group list , that contained two /24 networks.
      One of those networks were spanning the management IPs of the new r5600 tenants.

      The immidiate solution in our case was to reorder the services in Clearpass under Configuration, Services, so that the Service used in the enforcement policy with the narrower scope (two IP addresses) had a higher priority than the offending one.