Forum Discussion
tacacs authentication from active/standby nodes
I doubt someone is going to solve this without some more information shared.
So quattroginger, do you have exactly the same issue? Configured both TACACS+ servers in BIG-IP for admin authentication? Which IP addresses did you use on the TACACS+ server side?
- Samuel_Rydén, Dec 08, 2023 (Altocumulus)
I just experienced this trying to implement this on an r5600 platform tenant with Clearpass as the TACACS+ service.
We got that same error message, "tac_authen_pap_read: error reading PAP authen header, read -1 of 12: Connection reset by peer".
After a bit of digging in Clearpass (Access Tracker), it turned out the wrong Service took precedence and an unintended enforcement policy was applied (with mismatched TACACS secrets).
The service that took precedence was attached to an enforcement profile with a device group list that contained two /24 networks.
One of those networks was spanning the management IPs of the new r5600 tenants.
The immediate solution in our case was to reorder the services in Clearpass under Configuration, Services, so that the Service used in the enforcement policy with the narrower scope (two IP addresses) had a higher priority than the offending one.
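Added example (not code from the post or from Clearpass): a small model of the first-match service ordering Samuel_Rydén describes, showing how a broad service with two /24 device groups shadows the narrower tenant service until the order is swapped. The first-match behaviour is assumed from the post, and all service names, networks and secrets are constructed placeholders.

```python
"""Model first-match service ordering over device groups, as in the post.

Added example, not code from the forum or from Clearpass. Assumes the
behaviour the post describes: services are checked in priority order and
the first one whose device group contains the client IP wins. Names, IPs
and secrets are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Service:
    name: str
    device_groups: list   # CIDR strings of the attached device group
    tacacs_secret: str    # secret the service's enforcement profile uses

    def matches(self, client_ip: str) -> bool:
        ip = ip_address(client_ip)
        return any(ip in ip_network(net) for net in self.device_groups)


def select_service(services, client_ip):
    """Return the first matching service in priority order, or None."""
    for svc in services:
        if svc.matches(client_ip):
            return svc
    return None


def shadowed_services(services, client_ip):
    """Lower-priority services that also match the IP but are never used.

    When the dedicated tenant service shows up here, the wrong secret is
    applied and the device logs the PAP 'Connection reset by peer' error.
    """
    return [s.name for s in services if s.matches(client_ip)][1:]


# Constructed sample: broad service with two /24s ordered above the narrow
# tenant service, the ordering that caused the failure in the post.
BROAD = Service("Network-Devices", ["10.10.1.0/24", "10.10.2.0/24"], "secret-A")
TENANT = Service("r5600-Tenants", ["10.10.2.21/32", "10.10.2.22/32"], "secret-B")
TENANT_MGMT_IP = "10.10.2.21"

if __name__ == "__main__":
    broken, fixed = [BROAD, TENANT], [TENANT, BROAD]
    print("before:", select_service(broken, TENANT_MGMT_IP).name,
          "shadowed:", shadowed_services(broken, TENANT_MGMT_IP))
    print("after: ", select_service(fixed, TENANT_MGMT_IP).name)
```

Running `shadowed_services` against each management IP that should hit a dedicated service is a quick way to spot this kind of overlap before the device-side error appears.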