Forum Discussion
TACAS not working - No TACACS packets in TCPDUMP
Hi,
I have a problem with user authentication over TACACS on BIG-IP 12.0 HF2 (Virtual Edition).
I configured TACACS and added host routes to the TACACS servers over the MGMT interface, all according to the config guide, but it is not working.
There are no packets in the TCP dump. I tried tcpdump on all interfaces, also with the command
tcpdump -nni 0.0 port 49
but there are no packets in the trace.
In the log there are these messages:
May 25 16:30:30 f5-04-1 warning httpd[14928]: pam_unix(httpd:auth): check pass; user unknown
May 25 16:30:30 f5-04-1 notice httpd[14928]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=10.24.131.4
May 25 16:30:33 f5-04-1 err httpd[14928]: [error] [client 10.24.131.4] AUTHCACHE PAM: user 'xxx' - not authenticated: Authentication failure, referer: https://localhost:15443/tmui/login.jsp?msgcode=1&
May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016").
May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: 01070417:6: AUDIT - user xxx - RAW: httpd(pam_audit): User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016").
TACACS configuration:
auth source {
type tacacs
}
auth tacacs system-auth {
encryption disabled
protocol ip
secret $M$DF$/p4kusJntSq1Ydp41sLeZCOA/SrorObenISS/2pX08k=
servers { 192.168.134.206 10.51.10.68 }
service ppp
}
Management routes configuration:
sys management-route default {
description configured-statically
gateway 10.24.131.1
mtu 1500
network default
}
sys management-route TACACS-1 {
gateway 10.24.131.1
network 192.168.134.206/32
}
sys management-route TACACS-2 {
gateway 10.24.131.1
network 10.51.10.68/32
}
Any suggestions?
- Marek_228998 (Historic F5 Account)
Hello Mate,
You are not seeing packets in your capture because the "any" argument to the "-i" option causes tcpdump not to operate in promiscuous mode. You could try: tcpdump -i eth0 port 49 and you should see your traffic being captured.
As for the TACACS tutorials, you could also see these links:
https://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html
https://devcentral.f5.com/articles/v10-remote-authorization-via-tacacs-43
--M.
- Christopher_Noy (Nimbostratus)
I'm not sure how far you got with this but it appears that TACACS traffic will not go out the mgmt interface (it is using the client side (vip) interface on my test units). I haven't found any way to force it to use mgmt, assuming it is possible.
- Adriano_Bezerra (Altostratus)
For the traffic to use the management interface, add management routes to the TACACS servers.
For example:
sys management-route TACACS-1 {
gateway 10.24.131.1
network 192.168.134.206/32
}
sys management-route TACACS-2 {
gateway 10.24.131.1
network 10.51.10.68/32
}
- Christopher_Noy (Nimbostratus)
I had static route entries added for the TACACS server under sys management-route, but it appears that BIG-IP won't even attempt to use the management interface (I suspect that the management interface is not a part of the logical BIG-IP network, since it doesn't show up in the list of VLANs and interfaces under "Network").
- Adriano_Bezerra (Altostratus)
The management interface is out-of-band; you cannot see it in the graphical interface.
To identify the correct interface, access the box via SSH and enter the command "ifconfig" in bash. The management interface is usually eth0; check that the IP shown is the same one you use to access the BIG-IP.
Ideally, leave a capture running while you try to access the BIG-IP via TACACS. To see the IPs of the TACACS servers, use the command "tmsh list auth tacacs".
Example:
root@(bigip-lb01)(cfg-sync Standalone)(Active)(/Common)(tmos) list auth tacacs
auth tacacs system-auth {
authentication use-all-servers
debug enabled
protocol ip
secret $M$Ju$LSrECPSSDDDDTfb0HDmgJ2Dj50Q==
servers { 10.1.1.230 }
service ppp
}
Do both captures at the same time:
tcpdump -nni eth0 host 10.1.1.230 << this one captures on the management interface
tcpdump -nni 0.0 -e host 10.1.1.230 << this one captures on the data traffic interfaces
Forward the result after the test.
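The thread is looking for TACACS+ packets on TCP port 49 and the poster's config has "encryption disabled". The following is an added example, not code from this thread or from F5: it builds and parses a TACACS+ authentication START packet per RFC 8907, so you can see what a capture on port 49 should contain and how the "encryption disabled" setting corresponds to the TAC_PLUS_UNENCRYPTED_FLAG in the 12-byte header. With that flag set the body (including the username) is plaintext in the capture; otherwise the body is XORed with an MD5 pseudo-pad derived from the shared secret, and a dissector needs the secret to read it. The secret, username, port and remote address are constructed sample values; the example uses the LOGIN authentication service rather than trying to reproduce the BIG-IP "service ppp" setting.

```python
"""TACACS+ (RFC 8907) authentication START packet: build and parse.

Added example for the DevCentral thread above; not F5 code.  All values are
constructed.  Useful for generating test traffic to watch in tcpdump, or for
reading a captured packet when you know the shared secret.
"""
import hashlib
import os
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear

# Authentication START body constants (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, secret, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated
    until at least `length` bytes are available."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, secret, version, seq_no):
    """XOR the body with the pseudo-pad; XOR is its own inverse, so this
    both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, secret, encrypt=True,
                       session_id=None, seq_no=1):
    """Build the client -> server START packet (seq_no 1 of a session)."""
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    user_b, port_b, rem_b, data_b = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user_b), len(port_b), len(rem_b), len(data_b))
    body += user_b + port_b + rem_b + data_b
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG   # "encryption disabled"
    if encrypt:
        body = obfuscate(body, session_id, secret, TAC_PLUS_VERSION, seq_no)
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + body


def parse_authen_start(packet, secret):
    """Parse a captured START packet; de-obfuscate only when the flag says so."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if version >> 4 != 0xC:
        raise ValueError("not TACACS+ major version 0xc")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    unencrypted = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if not unencrypted:
        body = obfuscate(body, session_id, secret, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack_from("!BBBBBBBB", body)
    off, fields = 8, {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body (wrong secret?)")
    return {"type": ptype, "seq_no": seq_no, "unencrypted": unencrypted,
            "session_id": session_id, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service,
            "user": fields["user"].decode(), "port": fields["port"].decode(),
            "rem_addr": fields["rem_addr"].decode()}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    pkt = build_authen_start("xxx", "tty0", "10.24.131.4", secret,
                             encrypt=True, session_id=0x1234ABCD)
    print(pkt.hex())
    print(parse_authen_start(pkt, secret))
```

If you send the bytes from `build_authen_start` to a TACACS+ server over TCP/49 you will see them in `tcpdump -nni eth0 port 49`; with `encrypt=False` the username is readable in the hex dump, which is the practical reason to leave body obfuscation on in production even though it is not strong cryptography.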