Forum Discussion

hc_andy_35682
Mar 03, 2010

Using TACACS+ on Big-IP LTM

Hi All,

I'm running BIG-IP LTM 6900 10.1.0.

I can't seem to get tacacs+ running for authentication on the BIG-IP. I've followed the entry here by citizen_elah:

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2316

Step 1:

On the BIG-IP shell, I've done this:

b remoterole role info adm '{
    attribute "F5-LTM-User-Info-1=adm"
    role administrator
    user partition all
    console enable
    deny disable
    line order 1
}'

I can see the above entry appearing in bigip.conf.

Step 2:

Then on the tacacs+ server I did this:

group = adm {
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = adm
    }
}

user = user1 {
    member = adm
    login = cleartext "abc123"
}

And restarted the tacacs+ daemon.

Step 3:

I ran these commands on the BIG-IP shell.

b auth tacacs system-auth { debug enable secret mysecret service ppp protocol ip servers 210.15.x.x }

b system auth source type tacacs

But I can't login with the user1 and password abc123.

Troubleshooting

* Viewing the tac_plus.log file, I'm not seeing any key exchanges come in from the IP address of the BIG-IP.

* Connectivity seems to be ok. I can telnet to the tacacs+ server on port 49 from the BIG-IP.

[root@f5-2-manage:Standby] config telnet 210.15.x.x 49
Trying 210.15.x.x...
Connected to 210.15.x.x (210.15.x.x).
Escape character is '^]'.

* This is the log I see on the BIG-IP.

[root@f5-2-manage:Standby] config tail -f /var/log/secure
Mar 3 18:24:06 local/f5-2-manage notice httpd[27213]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=172.16.53.253 attempts=1 start="Wed Mar 3 18:03:36 2010" end="Wed Mar 3 18:24:06 2010".
Mar 3 18:24:06 local/f5-2-manage notice httpd[27213]: pam_tacplus: user not authenticated by TACACS+
Mar 3 18:27:11 local/f5-2-manage err httpd[6296]: pam_tacplus: auth failed: Login incorrect
Mar 3 18:27:11 local/f5-2-manage alert httpd[6296]: pam_unix(httpd:auth): check pass; user unknown
Mar 3 18:27:11 local/f5-2-manage notice httpd[6296]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=172.16.51.52
Mar 3 18:27:13 local/f5-2-manage err httpd[6296]: [error] [client 172.16.51.52] AUTHCACHE PAM: user 'user1' - not authenticated: Authentication failure, referer: https://172.16.53.254/tmui/login.jsp?msgcode=1&
Mar 3 18:27:13 local/f5-2-manage info httpd(pam_audit)[6296]: User=user1 tty=(unknown) host=172.16.51.52 failed to login after 1 attempts (start="Wed Mar 3 18:27:11 2010" end="Wed Mar 3 18:27:13 2010").
Mar 3 18:27:13 local/f5-2-manage info httpd(pam_audit)[6296]: 01070417:6: AUDIT - user user1 - RAW: httpd(pam_audit): User=user1 tty=(unknown) host=172.16.51.52 failed to login after 1 attempts (start="Wed Mar 3 18:27:11 2010" end="Wed Mar 3 18:27:13 2010").
Mar 3 18:44:35 local/f5-2-manage notice httpd[6311]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=172.16.53.253 attempts=1 start="Wed Mar 3 18:24:06 2010" end="Wed Mar 3 18:44:35 2010".
Mar 3 18:44:35 local/f5-2-manage notice httpd[6311]: pam_tacplus: user not authenticated by TACACS+

* Note the tacacs+ server is working fine for all our Cisco gear. Just can't get it working with the F5.

* Any ideas where I'm going wrong???

Thanks.

 

 

Andy
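The exchange the post is trying to get working, as an added example that is not part of the original post and is not F5 or tac_plus code: a minimal TACACS+ (RFC 8907) PAP authentication START and REPLY, encoded with the RFC's MD5 body obfuscation on both sides and run against an in-process responder. It assumes the pam_tacplus style of PAP login (password carried in the START data field); the port and rem_addr strings are made up, and the user, password and shared secret are the values from the post. One failure mode worth ruling out in a situation like this is a shared-secret mismatch: the server then decodes the START into noise and rejects it on the length check, and the NAS cannot decode the reply either, so it has nothing useful to log. Note also that RFC 8907 calls this MD5 XOR scheme obfuscation, not encryption, and tac_plus configs such as the one above hold the password in cleartext; both are reasons to keep TACACS+ on a management network.

```python
"""TACACS+ (RFC 8907) PAP login, both sides encoded in-process.

Added example for this thread; not the poster's, F5's or tac_plus's code.
Constructed inputs: user1 / abc123 and the shared secret 'mysecret' from
the post; the port and rem_addr strings are assumptions.
"""
import hashlib
import os
import struct

VERSION = 0xC0                  # major 0xC, minor 0
TYPE_AUTHEN = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_PAP = 0x02          # assumption: pam_tacplus-style PAP, password in START.data
SVC_PPP = 0x03                  # the "service ppp" from the post
STATUS_PASS, STATUS_FAIL, STATUS_ERROR = 0x01, 0x02, 0x07
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 MD5 keystream; XOR with it both obfuscates and clears."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def build_packet(session_id, key, seq_no, body):
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return (HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
            + bytes(a ^ b for a, b in zip(body, pad)))


def parse_packet(key, packet):
    version, _type, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("header length does not match body")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return seq_no, session_id, bytes(a ^ b for a, b in zip(body, pad))


def authen_start_pap(user, password, port=b"tmui", rem_addr=b"172.16.51.52"):
    """Authentication START body; priv_lvl 15, PAP puts the password in data."""
    fixed = struct.pack("!8B", ACTION_LOGIN, 15, AUTHEN_TYPE_PAP, SVC_PPP,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def parse_authen_start(body):
    """Decode START; a secret mismatch yields noise that fails the length check."""
    _action, _priv, atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("malformed START body (shared secret mismatch?)")
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    return (atype,) + tuple(fields)        # atype, user, port, rem_addr, data


def authen_reply(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_authen_reply(body):
    status, _flags, mlen, dlen = struct.unpack("!BBHH", body[:6])
    if 6 + mlen + dlen != len(body):
        raise ValueError("malformed REPLY body (shared secret mismatch?)")
    return status, body[6:6 + mlen]


def server_handle(key, packet, users):
    """Minimal tac_plus-like responder: decode START, check PAP password, REPLY."""
    _v, _t, seq_no, _f, sid, _len = HEADER.unpack(packet[:HEADER.size])
    try:
        _seq, _sid, body = parse_packet(key, packet)
        atype, user, _port, _rem, data = parse_authen_start(body)
    except ValueError as exc:
        return build_packet(sid, key, seq_no + 1, authen_reply(STATUS_ERROR, str(exc).encode()))
    ok = atype == AUTHEN_TYPE_PAP and users.get(user) == data
    return build_packet(sid, key, seq_no + 1, authen_reply(STATUS_PASS if ok else STATUS_FAIL))


def login(client_key, server_key, user, password, users, session_id=None):
    """One PAP login through the in-process server; returns (status name, server msg)."""
    sid = session_id if session_id is not None else struct.unpack("!I", os.urandom(4))[0]
    start = build_packet(sid, client_key.encode(), 1,
                         authen_start_pap(user.encode(), password.encode()))
    reply = server_handle(server_key.encode(), start, users)
    try:
        _seq, _sid, body = parse_packet(client_key.encode(), reply)
        status, msg = parse_authen_reply(body)
    except ValueError:
        return "UNDECODABLE", b""          # what the NAS sees when secrets differ
    return STATUS_NAMES.get(status, hex(status)), msg


if __name__ == "__main__":
    users = {b"user1": b"abc123"}          # constructed, mirrors the tac_plus config above
    for ckey, skey, pw in (("mysecret", "mysecret", "abc123"),
                           ("mysecret", "mysecret", "wrong"),
                           ("mysecret", "Mysecret", "abc123")):
        print(ckey, skey, pw, "->", login(ckey, skey, "user1", pw, users))
```

Running the script prints PASS for the matching secret and password, FAIL for a bad password, and UNDECODABLE when the two secrets differ by even one character. To probe a real daemon from a box like the BIG-IP, the START bytes from build_packet would go over TCP 49 and the 12-byte header of the answer tells you how much body to read before decoding; the in-process responder here sidesteps the socket so the packet logic can be checked offline.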

 

 

 

14 Replies