TACACS+.net Integration
What worked for my quick test lab:
Setup:
- Windows 2016 Server with AD & tacacs.net configured.
- LTM v.14 running with internal vlan connected into the above server.
Tacacs.net config files (found under c:\ProgramData\TACACS.net\config):
- tacacsplus.xml => LocalIP changed from 127.0.0.1 to the NIC IP facing LTM (10.1.20.30 in my case)
- authentication.xml:
  a) LDAPServer stays on 127.0.0.1:389 (check with "dsquery user -samid " from cli on Windows AD Server)
  b) LDAPUserDirectorySubtree updated to your AD setup (with input taken from step a) above)
  c) LDAPGroupName set on Domain Users
  d) LDAPAccessUserName set on the user tacacs.net will use to connect to LDAP (say, it's called "ldap_user")
  e) LDAPAccessUserPassword ClearText="" DES="???" (find it with "tacdes" in cmd on Windows Server)
- Verify the tacacs.net connection to AD works by executing the following command in the Windows Server's cli: tacacs -s 10.1.20.30 -k "pass_set_during_tacacs.net_setup" -u user user_a -p user_a_pass
- authorization.xml - equally important. Without this, authentication will pass but authorization will fail and LTM login will fail.
  a) Add UserGroup with value Users
  b) Set / Uncomment the section with service=ppp and protocol=ip
Having done this, the last bit would be to set LTM (System -> Users -> Authentication = Remote - TACACS+ with servicename=ppp, protocolname=ip, Role=Administrator, Encryption=enabled, secret=pass_set_during_tacacs.net_setup, TerminalAccess=tmsh {or according to your need})
Once done & saved, a "tail -f" on Windows Server c:\ProgramData\TACACS.net\Logs\Debug*.log will show:
$ tail -f Debug_2019-03-11_9.log
IsSingleConnect=False SessionID=1327763209 DataLength=18 Authorization Status=PassAdd User= Port= Args: protocol=ip
<87> 2019-03-11 12:50:38 [10.1.20.251:1386] Removing session 1327763209
<87> 2019-03-11 12:51:17 Removed 2 old connections. Remaining connections=0
<87> 2019-03-11 13:09:43 Device 10.1.20.251:25366 is allowed to connect based on settings for group INTERNAL
<94> 2019-03-11 13:09:43 New client connection opened for 10.1.20.251:25366 TID:7
<87> 2019-03-11 13:09:43 TOTAL connections: 1
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Received 1 packets on connection
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Received: MajorVersion=12 MinorVersion=1 Type=Authentication SeqNum=1 IsEncrypted=True IsSingleConnect=False SessionID=-1286258581 DataLength=33 Authentication Start: Action=Login Priv_Lvl=0 Type=PAP Service=PPP User=user_a Port=unknown RemAddr= Data=**************
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user-user_a
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user against group Network Engineering
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] User user_a does not belong to group Network Engineering
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Local file Authentication result: user-user_a specified in group Network Engineering=InvalidUserOrPassword
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Result of authentication user against group Network Engineering is InvalidUserOrPassword. Trying to authentiate against next group in list
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user against group Users
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Performing authentication of user user_a against group Domain Users for LDAPServer=127.0.0.1:389 UseSSL=False DomainName= UserDirectoryDN=cn=Users,DC=f5demo,DC=com UserObjectClass=user UserNameAttribute=sAMAccountName MemberOfAttribute=memberOf AdminUserName=user_a AuthType=Ntlm
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD:Checking if user user_a belongs to group Domain Users for LDAPServer=127.0.0.1:389 UseSSL=False DomainName= UserDirectoryDN=cn=Users,DC=f5demo,DC=com UserObjectClass=user UserNameAttribute=sAMAccountName MemberOfAttribute=memberOf AdminUserName=user_a AuthType=Ntlm
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD:User user_a belong to group Domain Users - from cache
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD: User user_a belongs to group Domain Users
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD:LDAP auth result = Passed. AD:Authentication passed
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD Authentication result: user-user_a against group Users=Passed
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Authentication for user user_a passed against group Users - Passed
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Received 2 packets on connection
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Sending: MajorVersion=12 MinorVersion=1 Type=Authentication SeqNum=2 IsEncrypted=True IsSingleConnect=False SessionID=-1286258581 DataLength=6 Authentication AuthReply: Status=Pass Flags=Debug UserMsg= Data=
<87> 2019-03-11 13:09:44 [10.1.20.251:25366] Removing session -1286258581
<87> 2019-03-11 13:09:44 [10.1.20.251:25366] Device 10.1.20.251:3478 is allowed to connect based on settings for group INTERNAL
<94> 2019-03-11 13:09:44 [10.1.20.251:25366] New client connection opened for 10.1.20.251:3478 TID:7
<87> 2019-03-11 13:09:44 [10.1.20.251:25366] TOTAL connections: 2
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Received 1 packets on connection
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Received: MajorVersion=12 MinorVersion=0 Type=Authorization SeqNum=1 IsEncrypted=True IsSingleConnect=False SessionID=1732981209 DataLength=45 Authorization Method=TACACSPLUS Priv lvl=0 Auth Type=PAP Service=PPP User=user_a Port=unknown Rem Addr= Args: service=ppp protocol=ip
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] AD:Checking if user user_a belongs to group Domain Users for LDAPServer=127.0.0.1:389 UseSSL=False DomainName= UserDirectoryDN=cn=Users,DC=f5demo,DC=com UserObjectClass=user UserNameAttribute=sAMAccountName MemberOfAttribute=memberOf AdminUserName=user_a AuthType=Ntlm
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] AD:User user_a belong to group Domain Users - from cache
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Authorization Entry 1 is being applied based on Client configuration
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Received 2 packets on connection
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Sending: MajorVersion=12 MinorVersion=0 Type=Authorization SeqNum=2 IsEncrypted=True IsSingleConnect=False SessionID=1732981209 DataLength=18 Authorization Status=PassAdd User= Port= Args: protocol=ip
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Removing session 1732981209
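The debug log above records two TACACS+ packets from the LTM: an Authentication START (PAP, MinorVersion=1, the password in the data field) and an Authorization REQUEST (MinorVersion=0) carrying the service=ppp protocol=ip arguments that authorization.xml has to match. The following is an added example, not code from the post, from TACACS.net or from F5: it builds both packets per RFC 8907, decodes them the way the server does, and reproduces the MD5 pseudo-pad that "IsEncrypted=True" refers to. The shared secret, session IDs and credentials are constructed test values. The security point it makes concrete is that the TACACS+ body is only XOR-obfuscated with a pad derived from the shared secret, so whoever holds that secret (it sits in tacacsplus.xml and in the LTM's TACACS+ configuration) can recover the PAP password from a capture, and with Encryption disabled on the LTM side the body goes out in the clear.

```python
"""Minimal TACACS+ (RFC 8907) packet builder and parser (added example, not TACACS.net or F5 code).

Reproduces the PAP Authentication START and the Authorization REQUEST (service=ppp, protocol=ip)
seen in the debug log, plus the MD5 pseudo-pad obfuscation. All secrets and IDs are constructed.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC       # logged as MajorVersion=12
MINOR_VER_DEFAULT = 0x0        # MinorVersion=0: the authorization packets in the log
MINOR_VER_ONE = 0x1            # MinorVersion=1: required for PAP/CHAP authentication
TAC_PLUS_AUTHEN = 0x01         # header type: authentication
TAC_PLUS_AUTHOR = 0x02         # header type: authorization
FLAG_UNENCRYPTED = 0x01        # set => body sent in the clear (IsEncrypted=False)
AUTHEN_LOGIN = 0x01            # Action=Login
AUTHEN_TYPE_PAP = 0x02         # Type=PAP
AUTHEN_SVC_PPP = 0x03          # Service=PPP
AUTHEN_METH_TACACSPLUS = 0x06  # Authorization Method=TACACSPLUS

SHARED_SECRET = b"pass_set_during_tacacs.net_setup"  # constructed stand-in for the real key


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(...|MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, minor, seq_no, session_id, body, key):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def authen_start_pap(user, password, port="unknown", rem_addr=""):
    """Authentication START body (RFC 8907 5.1); for PAP the password travels in the data field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!BBBBBBBB", AUTHEN_LOGIN, 0, AUTHEN_TYPE_PAP, AUTHEN_SVC_PPP,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def author_request(user, args, port="unknown", rem_addr=""):
    """Authorization REQUEST body (RFC 8907 6.1): arg lengths precede user/port/rem_addr, args follow."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    enc = [a.encode() for a in args]
    fixed = struct.pack("!BBBBBBBB", AUTHEN_METH_TACACSPLUS, 0, AUTHEN_TYPE_PAP, AUTHEN_SVC_PPP,
                        len(u), len(p), len(r), len(enc))
    return fixed + bytes(len(a) for a in enc) + u + p + r + b"".join(enc)


def parse_packet(pkt, key):
    """Server-side view: decode the header, de-obfuscate, and return the fields the log prints."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    info = {"MajorVersion": version >> 4, "MinorVersion": version & 0xF, "Type": ptype,
            "SeqNum": seq_no, "IsEncrypted": not flags & FLAG_UNENCRYPTED,
            "SessionID": session_id, "DataLength": length}
    if ptype == TAC_PLUS_AUTHEN:
        _, _, _, _, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
        info["User"] = body[8:8 + ul].decode()
        info["Port"] = body[8 + ul:8 + ul + pl].decode()
        info["Data"] = body[8 + ul + pl + rl:8 + ul + pl + rl + dl]   # the PAP password
    elif ptype == TAC_PLUS_AUTHOR:
        _, _, _, _, ul, pl, rl, argc = struct.unpack("!BBBBBBBB", body[:8])
        arg_lens, off = list(body[8:8 + argc]), 8 + argc
        info["User"] = body[off:off + ul].decode()
        off += ul + pl + rl
        info["Args"] = []
        for n in arg_lens:
            info["Args"].append(body[off:off + n].decode())
            off += n
    return info


def demo(key=SHARED_SECRET):
    """Build both packets the LTM sends, decode them as the server would, and show that the same
    capture de-obfuscated with a wrong secret no longer yields the PAP password."""
    sid_authen, sid_author = 0x1234ABCD, 0x6743DD99               # constructed session IDs
    start = build_packet(TAC_PLUS_AUTHEN, MINOR_VER_ONE, 1, sid_authen,
                         authen_start_pap("user_a", "user_a_pass"), key)
    authz = build_packet(TAC_PLUS_AUTHOR, MINOR_VER_DEFAULT, 1, sid_author,
                         author_request("user_a", ["service=ppp", "protocol=ip"]), key)
    wrong_key_view = obfuscate(start[12:], sid_authen, b"wrong-secret",
                               (TAC_PLUS_MAJOR_VER << 4) | MINOR_VER_ONE, 1)
    return parse_packet(start, key), parse_packet(authz, key), wrong_key_view


if __name__ == "__main__":
    authen, author, garbage = demo()
    print(authen, author, b"user_a_pass" in garbage, sep="\n")
```

With port set to "unknown" (as the log prints it) the authorization body comes out at 45 bytes, the same DataLength the server logged for the real LTM request, which is a quick sanity check that the field layout matches. Treat the shared secret like a password: it is the only thing standing between a packet capture on the internal VLAN and the AD password of every admin who logs in through TACACS+.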