[tac_plus] f5 authentication wants to use PAP
Matt Almgren
matta at surveymonkey.com
Tue Apr 7 23:29:09 UTC 2015
Almost there guys…
So I’ve followed all the online guides on how to set up f5 with TAC+. In fact, I’ve done this probably a dozen times with f5 LTM running 11.4.x. These particular f5s all have 11.6.x on them. Not sure if that makes a difference.
My tac_plus.conf looks like this:
group = admin {
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = adm
    }
}
user = matta-user {
    default service = permit
    name = "Matt Almgren"
    member = admin
    #login = PAM
}
I’ve set up the f5 to use tacacs with service=ppp, protocol=ip. I’ve triple-checked the shared key (and as shown below, it’s fine). I’ve created a remote role with the above attribute string with Administrator and tmsh rights.
I see this on the f5 /var/log/audit logs:
Apr 7 15:10:15 lb-foo err sshd[28512]: pam_tacplus: auth failed: Login incorrect
Apr 7 15:10:15 lb-foo alert sshd[28512]: pam_unix(sshd:auth): check pass; user unknown
Apr 7 15:10:15 lb-foo notice sshd[28512]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
And I can’t log in. Even disabling PAM and using DES keys (which always works) doesn’t seem to work here.
HOWEVER, I have gotten it to work, by adding this to the tac_plus.conf user stanza:
login = cleartext "abc123"
pap = cleartext "abc123"
So something with PAP works… But I want to use PAM and LDAP and not store passwords in the config file, let alone in cleartext! How can I fix this and make it work correctly?
Thanks for all the help…almost done with this deployment. :)
— Matt
--
Matt Almgren, Sr. Networking Engineer
101 Lytton Ave., Palo Alto. CA 94301
matta at surveymonkey.com
408.499.9669
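
An added example, not part of the original post and not tac_plus code: a small Python audit that lists which user stanzas in a tac_plus.conf still carry `login` or `pap` passwords in cleartext, the condition the post wants to avoid. The sample config, the second user (`example-user`) and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the post's tac_plus.conf; "example-user"
# is hypothetical and "abc123" is the placeholder password quoted in the post.
SAMPLE_CONF = '''
group = admin {
    service = ppp protocol = ip {
        F5-LTM-User-Info-1 = adm
    }
}
user = matta-user {
    default service = permit
    member = admin
    #login = PAM
    login = cleartext "abc123"
    pap = cleartext "abc123"
}
user = example-user {
    member = admin
    login = PAM
}
'''

STANZA_OPEN = re.compile(r'^(user|group)\s*=\s*(\S+)\s*\{$')
AUTH_LINE = re.compile(r'^(login|pap)\s*=\s*(\S+)')

def audit_auth_directives(conf_text):
    """Return (user, directive, method, line_no) for each active login/pap line."""
    findings, current, depth = [], None, 0
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        # Drop '#' comments but keep '#' characters inside quoted strings.
        line = re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or '', raw).strip()
        opener = STANZA_OPEN.match(line)
        if depth == 0 and opener:
            current = (opener.group(1), opener.group(2))
        auth = AUTH_LINE.match(line)
        if auth and depth == 1 and current and current[0] == 'user':
            findings.append((current[1], auth.group(1), auth.group(2).lower(), line_no))
        bare = re.sub(r'"[^"]*"', '', line)   # ignore braces inside quotes
        depth += bare.count('{') - bare.count('}')
        if depth == 0:
            current = None
    return findings

def cleartext_secrets(conf_text):
    """Subset of the audit: directives whose password sits in the file in cleartext."""
    return [(u, d, n) for u, d, m, n in audit_auth_directives(conf_text) if m == 'cleartext']
```
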