Forum Discussion

muzammil_88686's avatar
muzammil_88686
Icon for Nimbostratus rankNimbostratus
Jan 21, 2012

TACACS+ Configuration

Dear Team,

 

 

I have configured TACACS+ remote authentication for a BIG IP LTM appliance(version 9.4.5) using the below URL

 

 

http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html

 

 

I have also added this BIG IP as a AAA client in ACS. However TACACS+ authentication is not working. When I looked at the failed login attempts in ACS I see the below error.

 

 

"Unknown NAS".

 

 

BIG IP LTM IP: 10.x.x.x

 

ACS Server IP: 10.y.y.y

 

 

Could you pls let me know the CLI commands for TACACS+ configuration on BIG IP LTM?

 

 

Also could you pls let me know how do I explicitly configure the source interface for TACACS+ on BIG IP LTM?

 

 

Best Regards,

 

management
monitoring
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jan 24, 2012
    Can you enable debug on LTM per SOL8811? After, do you see anything on LTM under /var/log/secure when the authentication fails?

     

     

    You can configure a management route "b mgmt route ..." to have LTM use the management port to communicate with the TACACS server(s):

     

     

    sol3669: Overview of management interface routing (9.x - 10.x)

     

    http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3669.html

     

     

    Aaron
  • muzammil_88686's avatar
    muzammil_88686
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2012
    Thank you for your response!

     

     

    I didn't configure any management route. I just configured TACACS+ as per the below solution only.

     

     

    http://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html

     

     

    Now I m able to authenticate to TACACS+ Server and able to login via GUI and SSH. But SSH is directly going into bigpipe shell. Also I m not able to login to WinSCP to see the file systems on LTM.

     

     

    Best Regards,
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jan 25, 2012
    With remote auth you can type !bash to get a bash prompt.

     

     

    Aaron
  • muzammil_88686's avatar
    muzammil_88686
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2012
    Thank you Aaron!

     

     

    Is there way we can go directly to bash mode instead of b shell?

     

     

    I have added management route for the ACS Server also. But still I m not able to login to WinSCP.

     

     

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Feb 08, 2012
    There isn't a way to get directly into the bash shell when you are using remote authorization. When you define an account locally on the device, you can specify the user to have advanced shell access, but the same option doesn't exist with remoterole. In v11, the bigpipe shell is gone and users will be placed directly into the tmos shell. To access the system shell from tmos, simply type 'run util bash'
  • Brad_Otlin's avatar
    Brad_Otlin
    Ret. Employee
    Sep 13, 2013

    Aaron or Cory, similar isssue...My security team has a Nessus scanner that tries to SSH to my v11.x BIGIPs to perform security scans. It uses TACACS+ and connects, but since ssh via remote auth dumps you right into tmsh instead of bash, the Nessus scanner freaks and drops connection since it doesn't understand the tmsh shell. Nessus can't issue "run util bash" to get into bash since it gets disconnected immediately.

     

    So any way to get this tool to log into BIGIP via ssh directly into bash?