Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Configuring remote authentication fallback on BIG-IP systems does still not work!

thrillseeker
Nimbostratus
Nimbostratus

‎12-Jun-2023 13:04 - edited ‎12-Jun-2023 13:04

Hi all,

According to https://my.f5.com/manage/s/article/K67025432 local user authentication should work even when remote server (in my example Windows AD) is still reachable (fallback option enabled). See 2nd bullet point from the article below:

You should consider using this procedure when your BIG-IP system is configured for remote authentication for BIG-IP system users.

  • You want a local users to be able to access the BIG-IP system when the remote authentication server is unavailable.
  • You want a local users to be able to access to the BIG-IP system when the users are locally configured on the BIG-IP and are not configured on the remote authentication server.
  • You want local or remote users to access to the BIG-IP system through SSH using SSH public key authentication.

After enabling the fallback option in remote authentication settings (yes I'm using BIG-IP version 16.1.3.x already) I'm still not able to login with local user (in my case a readonly user)!
In our situation we need to give some local users readonly access to the BIGIP system. Unfortunately having those users in the same external userdirectory is currently not an viable option. For me it seems that this 2nd bullet point isn't realy correct!

Is anyboday aware of an other solution or workaround at least?
Thanks & Regards

Thrillseeker

 

Labels:
0 Kudos
8 REPLIES 8

whisperer
Cumulonimbus
Cumulonimbus

‎12-Jun-2023 13:40

Have you submitted an F5 support case for this? This is the first avenue before you are able to escalate any such perceived issue to either bug fix or request for enhancement (RFE) status.

0 Kudos

whisperer
Cumulonimbus
Cumulonimbus

‎12-Jun-2023 16:08

Silly question, after re-reading this a second time, but are you loggin in via HTTPS GUI or SSH console? If SSH console, make sure you have a shell configured for the user --- Advanced Shell or TMSH. Also, can you confirm the use exists and the current settings?

tmsh list auth user <username>

Also try tailing the login log at /var/log/secure. May give you an idea into the login failure.

 

 

0 Kudos

thrillseeker
Nimbostratus
Nimbostratus
In response to whisperer

‎12-Jun-2023 22:23 - edited ‎12-Jun-2023 22:26

Hi whisperer,

Thanks a lot for your answers. I our scenario the local user will just get HTTPS webui access.
Will check the security logs in more detail.

thx
Thrillseeker

0 Kudos

Paulius
MVP
MVP

‎12-Jun-2023 21:49

@thrillseeker Are you attempting to log in using the GUI or CLI for this user? Are you positive the user has appropriate permissions and does not exist in your remote authentication server?

0 Kudos

thrillseeker
Nimbostratus
Nimbostratus
In response to Paulius

‎12-Jun-2023 22:26

Hi Paulius,

I just need GUI access for this local user. And yes, I created a fancy username which is definitely NOT in our windows AD user direcotry. 🙂
Will check the security logs as suggested today and let you know.

thx
Thrillseeker

0 Kudos

CA_Valli
MVP
MVP

‎12-Jun-2023 23:46 - edited ‎12-Jun-2023 23:51

@thrillseeker wrote:

In our situation we need to give some local users readonly access to the BIGIP system. Unfortunately having those users in the same external userdirectory is currently not an viable option. For me it seems that this 2nd bullet point isn't realy correct!

You should understand that authentication fallback triggers when the AAA server is unavailable.

As far as I know, local users can't access the system if you configure -for example- TACACS authentication, unless the TACACS server is unreachable by F5 - that's why they named it "failback". Unless, an user with the same name is configured in the TACACS server. 

From same article: 

 

User type Fallback option de-selected (default) Fallback option selected
Local, without remote counterpart
  • Unable to access the device.
  • Access the device using SSH public-key authentication.
  • Access the device using local device authentication when remote authentication server is unavailable.
0 Kudos

thrillseeker
Nimbostratus
Nimbostratus
In response to CA_Valli

‎13-Jun-2023 08:37

You are right, BUT according to the article (see 2nd bullet point in red) below it should still be possible to use local accounts.

https://my.f5.com/manage/s/article/K67025432

You should consider using this procedure when your BIG-IP system is configured for remote authentication for BIG-IP system users.

  • You want a local users to be able to access the BIG-IP system when the remote authentication server is unavailable.
  • You want a local users to be able to access to the BIG-IP system when the users are locally configured on the BIG-IP and are not configured on the remote authentication server.

So it could be that this fallback feautre works as expectetd but than this article is a bit missleading...

Regards

Lukas

 

 

0 Kudos

CA_Valli
MVP
MVP
In response to thrillseeker

‎13-Jun-2023 10:44 - edited ‎13-Jun-2023 10:55

You're right, it's a little misleading.

What the bullet point refers to (I believe), is that this configuration supports users that CAN access the unit, and AREN'T configured on the remote server. BUT, those will ONLY work when TACACS is not reacheable, which will be the failback scenario.

Without failback enabled, local users WILL NOT work, even if TACACS is down, and this is the difference that the BP wants to highlight.

For local users to work when TACACS is up, I'm pretty sure you need to map them in the auth server.

( @thrillseeker I have edited the comment a couple times, I'm tagging you so it triggers a notification and I'm sure you don't miss latest update )

0 Kudos
Copyright © 2023 Khoros, LLC