hc_andy_35682 (Nimbostratus)
Mar 03, 2010
Using TACACS+ on Big-IP LTM
Hi All,
I'm running BIG-IP LTM 6900 10.1.0.
I can't seem to get tacacs+ running for authentication on the BIG-IP. I've followed the entry here by citizen_elah
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2316
Step 1:
On the BIG-IP shell, I've done this:
b remoterole role info adm '{
attribute "F5-LTM-User-Info-1=adm"
role administrator
user partition all
console enable
deny disable
line order 1
}'
I can see the above entry appearing in bigip.conf.
Step 2:
Then on the tacacs+ server I did this:
group = adm {
service = ppp protocol = ip {
F5-LTM-User-Info-1 = adm
}
}
user = user1 {
member = adm
login = cleartext "abc123"
}
And restarted the tacacs+ daemon.
Step 3:
I ran these commands on the BIG-IP shell.
b auth tacacs system-auth { debug enable secret mysecret service ppp protocol ip servers 210.15.x.x }
b system auth source type tacacs
But I can't login with the user1 and password abc123.
Troubleshooting
* Viewing the tac_plus.log file, I'm not seeing any key exchanges come in from the IP address of the BIG-IP.
* Connectivity seems to be ok. I can telnet to the tacacs+ server on port 49 from the BIG-IP.
[root@f5-2-manage:Standby] config telnet 210.15.x.x 49
Trying 210.15.x.x...
Connected to 210.15.x.x (210.15.x.x).
Escape character is '^]'.
* This is the log I see on the BIG-IP.
[root@f5-2-manage:Standby] config tail -f /var/log/secure
Mar 3 18:24:06 local/f5-2-manage notice httpd[27213]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=172.16.53.253 attempts=1 start="Wed Mar 3 18:03:36 2010" end="Wed Mar 3 18:24:06 2010".
Mar 3 18:24:06 local/f5-2-manage notice httpd[27213]: pam_tacplus: user not authenticated by TACACS+
Mar 3 18:27:11 local/f5-2-manage err httpd[6296]: pam_tacplus: auth failed: Login incorrect
Mar 3 18:27:11 local/f5-2-manage alert httpd[6296]: pam_unix(httpd:auth): check pass; user unknown
Mar 3 18:27:11 local/f5-2-manage notice httpd[6296]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=172.16.51.52
Mar 3 18:27:13 local/f5-2-manage err httpd[6296]: [error] [client 172.16.51.52] AUTHCACHE PAM: user 'user1' - not authenticated: Authentication failure, referer: https://172.16.53.254/tmui/login.jsp?msgcode=1&
Mar 3 18:27:13 local/f5-2-manage info httpd(pam_audit)[6296]: User=user1 tty=(unknown) host=172.16.51.52 failed to login after 1 attempts (start="Wed Mar 3 18:27:11 2010" end="Wed Mar 3 18:27:13 2010").
Mar 3 18:27:13 local/f5-2-manage info httpd(pam_audit)[6296]: 01070417:6: AUDIT - user user1 - RAW: httpd(pam_audit): User=user1 tty=(unknown) host=172.16.51.52 failed to login after 1 attempts (start="Wed Mar 3 18:27:11 2010" end="Wed Mar 3 18:27:13 2010").
Mar 3 18:44:35 local/f5-2-manage notice httpd[6311]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=172.16.53.253 attempts=1 start="Wed Mar 3 18:24:06 2010" end="Wed Mar 3 18:44:35 2010".
Mar 3 18:44:35 local/f5-2-manage notice httpd[6311]: pam_tacplus: user not authenticated by TACACS+
* Note the tacacs+ server is working fine for all our Cisco gear. Just can't get it working with the F5.
* Any ideas where I'm going wrong???
Thanks.
Andy
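The /var/log/secure excerpt above interleaves three PAM modules (pam_tacplus, pam_unix, pam_audit) for the same httpd process, which makes it easy to misread which module actually rejected the login. The script below is an added example for this thread, not code from the post or from F5: it groups the lines by httpd PID so each login attempt reads as one record, tags the pam_tacplus and pam_unix events, and pulls out the user and client address. The sample lines are constructed from the excerpt in the post, and the line layout it assumes (syslog timestamp, host, severity, `proc[pid]: message`) is the one shown there; if your BIG-IP version formats /var/log/secure differently, adjust LINE_RE.

```python
"""Triage BIG-IP /var/log/secure lines for remote-auth (TACACS+) login failures.

Added example for this thread; it is not F5 code.  Lines are grouped by the
httpd PID so that the pam_tacplus -> pam_unix -> pam_audit sequence of a single
login attempt is read as one record rather than as unrelated messages.
"""
import re
from collections import OrderedDict

# Constructed sample, modelled on the excerpt posted above (same hosts and user).
SAMPLE_LOG = """\
Mar 3 18:27:11 local/f5-2-manage err httpd[6296]: pam_tacplus: auth failed: Login incorrect
Mar 3 18:27:11 local/f5-2-manage alert httpd[6296]: pam_unix(httpd:auth): check pass; user unknown
Mar 3 18:27:11 local/f5-2-manage notice httpd[6296]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=172.16.51.52
Mar 3 18:27:13 local/f5-2-manage err httpd[6296]: [error] [client 172.16.51.52] AUTHCACHE PAM: user 'user1' - not authenticated: Authentication failure, referer: https://172.16.53.254/tmui/login.jsp?msgcode=1&
Mar 3 18:27:13 local/f5-2-manage info httpd(pam_audit)[6296]: User=user1 tty=(unknown) host=172.16.51.52 failed to login after 1 attempts (start="Wed Mar 3 18:27:11 2010" end="Wed Mar 3 18:27:13 2010").
Mar 3 18:44:35 local/f5-2-manage notice httpd[6311]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=172.16.53.253 attempts=1 start="Wed Mar 3 18:24:06 2010" end="Wed Mar 3 18:44:35 2010".
Mar 3 18:44:35 local/f5-2-manage notice httpd[6311]: pam_tacplus: user not authenticated by TACACS+
"""

# Syslog layout as seen in the post: "Mon D HH:MM:SS host severity proc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Event rules, checked in order; the first match labels the line.
EVENT_RULES = [
    (re.compile(r"pam_tacplus: auth failed"), "tacacs_reject"),
    (re.compile(r"pam_tacplus: user not authenticated by TACACS\+"), "tacacs_reject"),
    (re.compile(r"pam_unix\(httpd:auth\): check pass; user unknown"), "no_local_user"),
    (re.compile(r"pam_unix\(httpd:auth\): authentication failure"), "local_fallback_failed"),
    (re.compile(r"AUTHCACHE PAM: user '(?P<user>[^']+)' - not authenticated"), "final_reject"),
    (re.compile(r"User=(?P<user>\S+) .*failed to login"), "audit_failed_login"),
]

# Client address appears as rhost=, host= or "[client x.x.x.x]" depending on the module.
HOST_RE = re.compile(r"(?:rhost=|host=|\[client )(?P<h>[\d.]+)")


def verdict(events):
    """Summarise what the PAM stack did for one httpd PID, based only on logged events."""
    if "tacacs_reject" not in events:
        return "no TACACS+ decision logged for this PID"
    if "no_local_user" in events:
        return ("TACACS+ did not authenticate the user; pam_unix fallback found no local "
                "account. Check that the TACACS+ server logged a request from the BIG-IP.")
    if "local_fallback_failed" in events:
        return "TACACS+ did not authenticate the user; local fallback also failed"
    return "TACACS+ did not authenticate the user"


def triage(log_text):
    """Return an OrderedDict pid -> {pid, user, rhost, events, verdict}."""
    attempts = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a syslog line in the expected layout
        rec = attempts.setdefault(
            m["pid"], {"pid": m["pid"], "user": None, "rhost": None, "events": []}
        )
        for rule, label in EVENT_RULES:
            em = rule.search(m["msg"])
            if em:
                rec["events"].append(label)
                if "user" in em.groupdict() and em["user"]:
                    rec["user"] = em["user"]
                break
        hm = HOST_RE.search(m["msg"])
        if hm:
            rec["rhost"] = hm["h"]
    for rec in attempts.values():
        rec["verdict"] = verdict(rec["events"])
    return attempts


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG).values():
        print(f"pid={rec['pid']} user={rec['user']} from={rec['rhost']}")
        print(f"  events: {', '.join(rec['events'])}")
        print(f"  verdict: {rec['verdict']}")
```

Run it against a real capture with `triage(open('/var/log/secure').read())`; a PID whose record shows `tacacs_reject` immediately followed by `no_local_user` is the pattern in the post, where the question is whether the TACACS+ server ever saw the request at all.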