Forum Discussion
hc_andy_35682
Nimbostratus
NimbostratusUsing TACACS+ on Big-IP LTM
Hi All,
I'm running BIG-IP LTM 6900 10.1.0.
I can't seem to get tacacs+ running for authentiation on the BIG-IP. I've followed the entry here by citizen_elah
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2316
Step 1:
On the BIG-IP shell, I've done this:
b remoterole role info adm '{
attribute "F5-LTM-User-Info-1=adm"
role administrator
user partition all
console enable
deny disable
line order 1
}'
I can see the above entry appearing in bigip.conf.
Step 2:
Then on the tacacs+ server I did this:
group = adm {
service = ppp protocol = ip {
F5-LTM-User-Info-1 = adm
}
}
user = user1 {
member = adm
login = cleartext "abc123"
}
And restarted the tacacs+ daemon.
Step 3:
I ran these commands on the BIG-IP shell.
b auth tacacs system-auth { debug enable secret mysecret service ppp protocol ip servers 210.15.x.x }
b system auth source type tacacs
But I can't login with the user1 and password abc123.
Troubleshooting
* Viewing the tac_plus.log file, I'm not seeing any key exchanges come in from the IP address of the BIG-IP.
* Connectivity seems to be ok. I can telnet to the tacacs+ server on port 49 from the BIG-IP.
[root@f5-2-manage:Standby] config telnet 210.15.x.x 49
Trying 210.15.x.x...
Connected to 210.15.x.x (210.15.x.x).
Escape character is '^]'.
* This is the log I see on the BIG-IP.
[root@f5-2-manage:Standby] config tail -f /var/log/secure
Mar 3 18:24:06 local/f5-2-manage notice httpd[27213]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=172.16.53.253 attempts=1 start="Wed Mar 3 18:03:36 2010" end="Wed Mar 3 18:24:06 2010".
Mar 3 18:24:06 local/f5-2-manage notice httpd[27213]: pam_tacplus: user not authenticated by TACACS+
Mar 3 18:27:11 local/f5-2-manage err httpd[6296]: pam_tacplus: auth failed: Login incorrect
Mar 3 18:27:11 local/f5-2-manage alert httpd[6296]: pam_unix(httpd:auth): check pass; user unknown
Mar 3 18:27:11 local/f5-2-manage notice httpd[6296]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=172.16.51.52
Mar 3 18:27:13 local/f5-2-manage err httpd[6296]: [error] [client 172.16.51.52] AUTHCACHE PAM: user 'user1' - not authenticated: Authentication failure, referer: https://172.16.53.254/tmui/login.jsp?msgcode=1&
Mar 3 18:27:13 local/f5-2-manage info httpd(pam_audit)[6296]: User=user1 tty=(unknown) host=172.16.51.52 failed to login after 1 attempts (start="Wed Mar 3 18:27:11 2010" end="Wed Mar 3 18:27:13 2010").
Mar 3 18:27:13 local/f5-2-manage info httpd(pam_audit)[6296]: 01070417:6: AUDIT - user user1 - RAW: httpd(pam_audit): User=user1 tty=(unknown) host=172.16.51.52 failed to login after 1 attempts (start="Wed Mar 3 18:27:11 2010" end="Wed Mar 3 18:27:13 2010").
Mar 3 18:44:35 local/f5-2-manage notice httpd[6311]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=172.16.53.253 attempts=1 start="Wed Mar 3 18:24:06 2010" end="Wed Mar 3 18:44:35 2010".
Mar 3 18:44:35 local/f5-2-manage notice httpd[6311]: pam_tacplus: user not authenticated by TACACS+
* Note the tacacs+ server is working fine for all our Cisco gear. Just can't get it working with the F5.
* Any ideas where I'm going wrong???
Thanks.
Andy
- JRahm
Admin
is this the case in GUI and console, or just console? 
hc_andy_35682I haven't tested console login. I just want people to be able to use tacacs+ to log into the GUI so I don't have to create usernames for local login on the LTM.
Thanks.
Andy- JRahmGood deal. I'll need to get this setup to retest. It'll probably be tomorrow before I can get to it.
HamishCirrocumulus
Hmm... I've seen the same... WHat do the logs on the tacacs server say? Is it ACS?
H- hc_andy_35682There are no entries in the tac_plus.log showing any connections from the ip address of the LTM. It's like the key exchange isn't even taking place.
I'm not using Cisco ACS. I'm using shruberry's TACACS+ implemention.
Cheers.
Andy 
David_Murphy_22Im having a very similar issue. Do you have a solution?
Wintrode_61162Check the routing on the management interface.
Unsolicited traffic (like tacacs+) will be sourced from whatever IP has the lowest cost route to the destination. If you just have a default route configured on the mgmt interface, and a default route on the tmm side, the tacacs+ traffic will source from the TMM side interface (since TMM routes are lower cost than management). An easy way to test would be to create a host route on the management interface to the TACACS server and see if that resolves the problem.- nitass
Employee
you may run tcpdump to verify what interface (tmm or mgmt interface) bigip sends authentication request is.
tmm interface
tcpdump -nni 0.0 host 210.15.x.x and port 49
mgmt interface
tcpdump -nni eth0 host 210.15.x.x and port 49 - Arun_6463The problem with F5 is that this just supports PAP protocol while using TACACS. So in the TAC_PLUS config please change to following.
user = user1 {
member = adm
login = cleartext "abc123"
pap = cleartext "abc123"
} - Sanjit_126167
I have BigIP 1600 and 3400. TACACS authentication is happenging fine with Bigip 1600 but not with Big IP 3400. Is there any different configuration in two different model? I am using Cisco ACS for TACACS configuration.
