Forum Discussion
TACACS configuration on F5 LTM
Hello All, I'm working on the TACACS configuration on LTM. I do not want to be locked out of the LTM because of TACACS authentication issues after enabling TACACS on LTM.
Could you please help me to configure the LTM authentication process as follows:
1- First, LTM will check with TACACS for authentication
2- If TACACS authentication fails for some reason, such as the server not being reachable or an invalid user, then it should check the LTM local user account for authentication.
Can you please help me with how to set this up on LTM?
Regards, Thiyagu
- AceDawg1 (Nimbostratus)
Hi Thiyagu,
I assume this is for management access to the F5, correct?
- Thiyagu_343098 (Nimbostratus)
Hi AceDawg, yes, it is for management access of the F5. As a first step I have also added a route to TACACS through sys management.
Regards, Thiyagu
- AceDawg1 (Nimbostratus)
To the best of my knowledge, the F5 does not revert to the local user db in the event tacacs or radius servers are offline. The only exception to this rule is the built in admin account.
- Thiyagu_343098 (Nimbostratus)
Hi Ace, on account of TACACS not responding then the user can use the local authentication (admin account to login)
Could you please help me to know how I can set it up in this method?
In addition, I also want to reset the root user password.
Could you also help me to reset root user password?
Regards, Thiyagu
- AceDawg1 (Nimbostratus)
That is the default behavior of the F5. If tacacs or radius have been configured for management authentication, the F5 will use those methods first. Whether the tacacs or radius servers are online or offline, the local admin (GUI) and root (cli) accounts can always be used to access the system.
To reset your root password, use the following article. You must have console access to the appliance.
https://support.f5.com/csp/article/K13121
- Surgeon (Ret. Employee)
If tacacs is enabled you will not be able to use local accounts but root and admin.
If tacacs server is unavailable you will not be able to login using local account but root and admin.
Manual Chapter: Remote User Account Management
- Edward_Gastón_S (Nimbostratus)
- Thiyagu_343098 (Nimbostratus)
As per the document, it is mentioned as "In the Secret field, type the password for access to the primary RADIUS server"
Could you please help me to know whether the mentioned password is the password of the TACACS server or the TACACS server key?
Regards, Thiyagu
- AceDawg1 (Nimbostratus)
You would enter the key associated with the F5 client configured on the tacacs server. In other words, the tacacs server should have an entry for the F5 device — enter the key for this entry.
- Thiyagu_343098 (Nimbostratus)
Hello All, one more quick query: does TACACS configuration auto sync with the other device in the group?
If so, if I disable auto sync, will it help to test the TACACS in the standby LTM and, upon successful testing, synchronize with the active LTM in the traffic-group?
Regards, Thiyagu