Hello All, I'm working on the TACACS configuration on LTM. I do not want to lockout of my access of LTM because of any issue with TACACS authentication issues after enabling TACACS on LTM. Could you please help me to configure the LTM authentication process as following: 1- First LTM will check with TACACS for authentication 2- If TACACS authentication is failing for some reason of server not reachable or invalid user then it should check with the LTM local user account for authentication. Can you please help me how to set up this on LTM? Regards, Thiyagu

Hi Thiyagu, I assume this is for management access to the F5, correct?

Hi AceDawg, yes it is for management access of F5. as a first step I have also added a route to TACACS through sys management. Regards, Thiyagu

To the best of my knowledge, the F5 does not revert to the local user db in the event tacacs or radius servers are offline. The only exception to this rule is the built in admin account.

Hi Ace, on accout of TACACS not responding then the user can use the local authentication ( admin account to login) Could you please help me to know how I can set it up in this method? in addition I also want to rest the root user password. Could you also help me to reset root user password? Regards, Thiyagu

TACACS configuration on F5 LTM

AceDawg1
Nimbostratus
Jun 15, 2018
Hi Thiyagu,

I assume this is for management access to the F5, correct?
Thiyagu_343098
Nimbostratus
Jun 15, 2018
Hi AceDawg, yes it is for management access of F5. as a first step I have also added a route to TACACS through sys management.

Regards, Thiyagu
AceDawg_204810
Cirrus
Jun 15, 2018
To the best of my knowledge, the F5 does not revert to the local user db in the event tacacs or radius servers are offline. The only exception to this rule is the built in admin account.
- Thiyagu_343098
  Nimbostratus
  Jun 15, 2018
  Hi Ace, on accout of TACACS not responding then the user can use the local authentication ( admin account to login)
  
  Could you please help me to know how I can set it up in this method?
  
  in addition I also want to rest the root user password.
  
  Could you also help me to reset root user password?
  
  Regards, Thiyagu
- AceDawg_204810
  Cirrus
  Jun 15, 2018
  That is the default behavior of the F5. If tacacs or radius have been configured for management authentication, the F5 will use those methods first. Whether the tacacs or radius servers are online or offline, the local admin (GUI) and root (cli) accounts can always be used to access the system.
  
  To reset your root password, use the following article. You must have console access to the appliance.
  
  https://support.f5.com/csp/article/K13121
AceDawg1
Nimbostratus
Jun 15, 2018
To the best of my knowledge, the F5 does not revert to the local user db in the event tacacs or radius servers are offline. The only exception to this rule is the built in admin account.
- Thiyagu_343098
  Nimbostratus
  Jun 15, 2018
  Hi Ace, on accout of TACACS not responding then the user can use the local authentication ( admin account to login)
  
  Could you please help me to know how I can set it up in this method?
  
  in addition I also want to rest the root user password.
  
  Could you also help me to reset root user password?
  
  Regards, Thiyagu
- AceDawg1
  Nimbostratus
  Jun 15, 2018
  That is the default behavior of the F5. If tacacs or radius have been configured for management authentication, the F5 will use those methods first. Whether the tacacs or radius servers are online or offline, the local admin (GUI) and root (cli) accounts can always be used to access the system.
  
  To reset your root password, use the following article. You must have console access to the appliance.
  
  https://support.f5.com/csp/article/K13121
Surgeon
Ret. Employee
Jun 15, 2018
if tacacs is enabled you will not be able to use local accounts but root and admin.

If tacacs server is unavailable you will not be able to login using local account but root and admin

Manual Chapter: Remote User Account Management
Edward_Gastón_S
Nimbostratus
Jun 16, 2018
Hello the configuration is the following:

https://www.youtube.com/watch?v=BaiYuEBA248
- Thiyagu_343098
  Nimbostratus
  Jun 16, 2018
  As per the document it is been mentioned as "In the Secret field, type the password for access to the primary RADIUS server"
  
  Could you please help me to know the mentioned password is the password of the TACACS server or the TACACS server key?
  
  Regards, Thiyagu
- AceDawg1
  Nimbostratus
  Jun 16, 2018
  You would enter the key associated with the F5 client configured on the tacacs server. In other words, the tacacs server should have an entry for the F5 device — enter the key for this entry.
- Thiyagu_343098
  Nimbostratus
  Jun 18, 2018
  Hello All, One more quick query, Does TACACS configuration auto sync with the other device in the group?
  
  If so If I disable auto sync will it help to test the TACACS in the standby LTM and upon successfull tesitng synchronize with the active LTM in the traffic-gorup?
  
  Regards, Thiyagu
Edward_Sinche_C
Nimbostratus
Jun 16, 2018
Hello the configuration is the following:

https://www.youtube.com/watch?v=BaiYuEBA248
- Thiyagu_343098
  Nimbostratus
  Jun 16, 2018
  As per the document it is been mentioned as "In the Secret field, type the password for access to the primary RADIUS server"
  
  Could you please help me to know the mentioned password is the password of the TACACS server or the TACACS server key?
  
  Regards, Thiyagu
- AceDawg1
  Nimbostratus
  Jun 16, 2018
  You would enter the key associated with the F5 client configured on the tacacs server. In other words, the tacacs server should have an entry for the F5 device — enter the key for this entry.
- Thiyagu_343098
  Nimbostratus
  Jun 18, 2018
  Hello All, One more quick query, Does TACACS configuration auto sync with the other device in the group?
  
  If so If I disable auto sync will it help to test the TACACS in the standby LTM and upon successfull tesitng synchronize with the active LTM in the traffic-gorup?
  
  Regards, Thiyagu