Forum Discussion

Thiyagu_343098 (Nimbostratus)
Jun 15, 2018

TACACS configuration on F5 LTM

Hello All, I'm working on the TACACS configuration on LTM. I do not want to be locked out of my LTM access because of any TACACS authentication issues after enabling TACACS on LTM.

 

Could you please help me configure the LTM authentication process as follows:

 

1- First, LTM will check with TACACS for authentication.

 

2- If TACACS authentication fails for some reason (server not reachable or invalid user), it should then check the LTM local user accounts for authentication.

 

Can you please help me set this up on LTM?

 

Regards, Thiyagu

 

  • Hi Thiyagu,

     

    I assume this is for management access to the F5, correct?

     

  • Hi AceDawg, yes, it is for management access of the F5. As a first step, I have also added a route to TACACS through sys management.

     

    Regards, Thiyagu

     

  • To the best of my knowledge, the F5 does not revert to the local user DB in the event the TACACS or RADIUS servers are offline. The only exception to this rule is the built-in admin account.

     

    • Thiyagu_343098 (Nimbostratus)

      Hi Ace, in the event of TACACS not responding, the user can then use local authentication (admin account to log in).

       

      Could you please help me understand how to set it up this way?

       

      In addition, I also want to reset the root user password.

       

      Could you also help me reset the root user password?

       

      Regards, Thiyagu

       

    • AceDawg_204810 (Cirrus)

      That is the default behavior of the F5. If TACACS or RADIUS have been configured for management authentication, the F5 will use those methods first. Whether the TACACS or RADIUS servers are online or offline, the local admin (GUI) and root (CLI) accounts can always be used to access the system.

       

      To reset your root password, use the following article. You must have console access to the appliance.

       

      https://support.f5.com/csp/article/K13121

       

    • Thiyagu_343098 (Nimbostratus)

      As per the document, it is mentioned: "In the Secret field, type the password for access to the primary RADIUS server."

       

      Could you please help me understand whether the mentioned password is the password of the TACACS server or the TACACS server key?

       

      Regards, Thiyagu

       

    • AceDawg1 (Nimbostratus)

      You would enter the key associated with the F5 client configured on the TACACS server. In other words, the TACACS server should have an entry for the F5 device; enter the key for this entry.
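The shared-key question answered above, and the lockout worry in the original post, as an added example that is not part of this thread and not F5's own code: a small Python implementation of the TACACS+ authentication START and REPLY packets (RFC 8907). The "Secret" the BIG-IP form asks for is exactly the `key` below. It never leaves either device; it is mixed into the MD5 keystream that obfuscates every packet body, so when the LTM's key differs from the key stored for the LTM's client entry on the server, the decoded REPLY is garbage and its length fields no longer add up. `probe_server` can be pointed at the real TACACS+ server before the management auth source is switched over, while local admin access is still in use; the host, key and username passed to it are placeholders, and the offline round trip uses a constructed exchange.

```python
"""TACACS+ (RFC 8907) authentication START / REPLY, added example (not F5 code).
Host, shared key and username passed to probe_server() are placeholders."""
import hashlib
import os
import socket
import struct

VERSION = 0xC0          # major version 0xc, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
HEADER_LEN = 12
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 1, 1, 1, 1
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pseudo_pad (RFC 8907 s.4.5): MD5_1 = MD5(sid|key|ver|seq), MD5_n = MD5(sid|key|ver|seq|MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the keystream; applying it twice restores the body."""
    pad = keystream(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def header(seq_no: int, session_id: int, body_len: int) -> bytes:
    return struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, body_len)


def build_authen_start(session_id: int, key: bytes, user: str,
                       port: str = "tty0", rem_addr: str = "127.0.0.1") -> bytes:
    """Client -> server: authentication START (seq_no 1) for an ASCII login."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    return header(1, session_id, len(body)) + obfuscate(body, session_id, key, 1)


def build_authen_reply(session_id: int, key: bytes, seq_no: int, status: int,
                       message: bytes = b"") -> bytes:
    """Server -> client REPLY; only here so an exchange can be constructed offline."""
    body = struct.pack("!BBHH", status, 0, len(message), 0) + message
    return header(seq_no, session_id, len(body)) + obfuscate(body, session_id, key, seq_no)


def parse_authen_reply(packet: bytes, key: bytes) -> dict:
    """Decode a REPLY with our copy of the shared key and classify the result."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    _ver, _type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    if len(body) < 6:
        raise ValueError("reply body too short")
    status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body):
        # Decoded length fields are garbage: the key on this side does not match the
        # key stored for our client entry on the server (the usual cutover mistake).
        return {"status": "KEY_MISMATCH", "message": "", "seq_no": seq_no}
    msg = body[6:6 + msg_len].decode(errors="replace")
    return {"status": REPLY_STATUS.get(status, "UNKNOWN(%d)" % status), "message": msg, "seq_no": seq_no}


def probe_server(host: str, key: bytes, user: str, port: int = 49, timeout: float = 3.0) -> dict:
    """Send a START to a live TACACS+ server and classify its first REPLY.
    A known user normally gets GETPASS; UNREACHABLE or KEY_MISMATCH means the server
    entry or key must be fixed before the LTM auth source is switched to TACACS."""
    session_id = int.from_bytes(os.urandom(4), "big")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_authen_start(session_id, key, user))
            hdr = s.recv(HEADER_LEN)
            if len(hdr) < HEADER_LEN:
                return {"status": "NO_REPLY", "message": "", "seq_no": 0}
            (length,) = struct.unpack("!I", hdr[8:12])
            body = b""
            while len(body) < length:
                chunk = s.recv(length - len(body))
                if not chunk:
                    break
                body += chunk
            return parse_authen_reply(hdr + body, key)
    except OSError as exc:
        return {"status": "UNREACHABLE", "message": str(exc), "seq_no": 0}
```

Usage: `probe_server("10.0.0.5", b"shared-key", "thiyagu")` (placeholder address, key and user) should return a `GETPASS` status for a user the server knows; `UNREACHABLE`, `NO_REPLY` or `KEY_MISMATCH` are the conditions to clear before changing the LTM's auth source, and the probe itself is logged on the server as a login attempt, so run it as an account you expect to see there. The offline check is `parse_authen_reply(build_authen_reply(sid, key, 2, 5, b"Password: "), key)` against the same packet decoded with a different key.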

       

    • Thiyagu_343098 (Nimbostratus)

      Hello All, one more quick query: does the TACACS configuration auto-sync with the other device in the group?

       

      If so, if I disable auto-sync, will it help to test TACACS on the standby LTM and, upon successful testing, synchronize with the active LTM in the traffic-group?

       

      Regards, Thiyagu

       