Forum Discussion

muzammil_88686's avatar
Icon for Nimbostratus rankNimbostratus
Jan 21, 2012

TACACS+ Configuration

Dear Team,



I have configured TACACS+ remote authentication for a BIG IP LTM appliance(version 9.4.5) using the below URL



I have also added this BIG IP as a AAA client in ACS. However TACACS+ authentication is not working. When I looked at the failed login attempts in ACS I see the below error.



"Unknown NAS".



BIG IP LTM IP: 10.x.x.x


ACS Server IP: 10.y.y.y



Could you pls let me know the CLI commands for TACACS+ configuration on BIG IP LTM?



Also could you pls let me know how do I explicitly configure the source interface for TACACS+ on BIG IP LTM?



Best Regards,


6 Replies

  • Can you enable debug on LTM per SOL8811? After, do you see anything on LTM under /var/log/secure when the authentication fails?



    You can configure a management route "b mgmt route ..." to have LTM use the management port to communicate with the TACACS server(s):



    sol3669: Overview of management interface routing (9.x - 10.x)




  • Thank you for your response!



    I didn't configure any management route. I just configured TACACS+ as per the below solution only.





    Now I m able to authenticate to TACACS+ Server and able to login via GUI and SSH. But SSH is directly going into bigpipe shell. Also I m not able to login to WinSCP to see the file systems on LTM.



    Best Regards,
  • With remote auth you can type !bash to get a bash prompt.



  • Thank you Aaron!



    Is there way we can go directly to bash mode instead of b shell?



    I have added management route for the ACS Server also. But still I m not able to login to WinSCP.



  • There isn't a way to get directly into the bash shell when you are using remote authorization. When you define an account locally on the device, you can specify the user to have advanced shell access, but the same option doesn't exist with remoterole. In v11, the bigpipe shell is gone and users will be placed directly into the tmos shell. To access the system shell from tmos, simply type 'run util bash'
  • Aaron or Cory, similar isssue...My security team has a Nessus scanner that tries to SSH to my v11.x BIGIPs to perform security scans. It uses TACACS+ and connects, but since ssh via remote auth dumps you right into tmsh instead of bash, the Nessus scanner freaks and drops connection since it doesn't understand the tmsh shell. Nessus can't issue "run util bash" to get into bash since it gets disconnected immediately.


    So any way to get this tool to log into BIGIP via ssh directly into bash?