Jump to content

Authentication Issues on F5


rev.dennis

183 views

We upgraded to 15.1.2.1 and now we seem to have a bunch of issues authenticating using either AD or TACACS.  It requires multiple tries and then it eventually works.

Our first attempt is to fix the F5 devices that are using AD only

vi /etc/openldap/ldap.conf

You have to add a new line

Quote

 

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT     never
REFERALLS       no
TLS_CACERTDIR   /etc/openldap/certs

 

Then you need to run

tmsh list auth ldap system-auth referrals
auth ldap system-auth {
    referrals yes
}

If its yes, then change it to no by running

tmsh modify auth ldap system-auth referrals no

And confirm its set by doing another list command like the one above

tmsh list auth ldap system-auth referrals
auth ldap system-auth {
    referrals no
}

And finally before you start testing, save the configuration

tmsh save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_script.conf
  /config/bigip_user.conf
  /config/partitions/Citrix/bigip.conf
  /config/partitions/DNS/bigip.conf
  /config/partitions/Disaster.Recovery/bigip.conf
  /config/partitions/Integration/bigip.conf
  /config/partitions/Messaging/bigip.conf

Now do some testing of your user account that utilizes AD to see if it works.

 

1 Comment


Recommended Comments

Having an issue with a user trying to authenticate with ssh to F5 LTM and failing but they can log into F5 LTM via GUI with no issues.

Start with running a tcpdump (obviously replace <client ip address> with the IP address of the device attempting to login with SSH)

tcpdump -s0 -ni eth0 host <client ip address> -w /var/tmp/sshdeny.pcap -v

Then evaluate your capture.

Link to comment
Guest
Add a comment...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Announcements



×
×
  • Create New...

Important Information

Privacy Policy