
Mate_132781
May 25, 2016

TACACS not working - No TACACS packets in TCPDUMP

Hi,

I have a problem with user authentication over TACACS on BIG-IP 12.0 HF2 (Virtual Edition).

I configured TACACS and added host routes to the TACACS servers over the MGMT interface, all according to the config guide, but it is not working.

There are no packets in the TCP dump. I tried tcpdump on all interfaces, also with the command

tcpdump -nni 0.0 port 49
but there are no packets at all in the trace.

In the log there are these messages:

May 25 16:30:30 f5-04-1 warning httpd[14928]: pam_unix(httpd:auth): check pass; user unknown
May 25 16:30:30 f5-04-1 notice httpd[14928]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=10.24.131.4 
May 25 16:30:33 f5-04-1 err httpd[14928]: [error] [client 10.24.131.4] AUTHCACHE PAM: user 'xxx' - not authenticated: Authentication failure, referer: https://localhost:15443/tmui/login.jsp?msgcode=1&
May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016").
May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: 01070417:6: AUDIT - user xxx - RAW: httpd(pam_audit): User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016").

TACACS configuration:

auth source {
    type tacacs
}
auth tacacs system-auth {
    encryption disabled
    protocol ip
    secret $M$DF$/p4kusJntSq1Ydp41sLeZCOA/SrorObenISS/2pX08k=
    servers { 192.168.134.206 10.51.10.68 }
    service ppp
}

Management routes configuration:

sys management-route default {
    description configured-statically
    gateway 10.24.131.1
    mtu 1500
    network default
}
sys management-route TACACS-1 {
    gateway 10.24.131.1
    network 192.168.134.206/32
}
sys management-route TACACS-2 {
    gateway 10.24.131.1
    network 10.51.10.68/32
}

Any suggestions?

  • Marek_228998
    Historic F5 Account

    Hello Mate,
    You are not seeing packets in your capture, as the "any" argument to the "-i" option causes tcpdump not to operate in promiscuous mode. You could try: tcpdump -i eth0 port 49 and you should see your traffic being captured.
    As for the TACACS tutorials, you could also see these links:
    https://support.f5.com/kb/en-us/solutions/public/8000/800/sol8811.html
    https://devcentral.f5.com/articles/v10-remote-authorization-via-tacacs-43
    --M.
  • I'm not sure how far you got with this, but it appears that TACACS traffic will not go out the mgmt interface (it is using the client-side (VIP) interface on my test units). I haven't found any way to force it to use mgmt, assuming it is possible.

    • Adriano_Bezerra

      For the traffic to use the management interface, add management routes to the TACACS servers.

      For example:

      sys management-route TACACS-1 {
          gateway 10.24.131.1
          network 192.168.134.206/32 
      } 
      sys management-route TACACS-2 {
          gateway 10.24.131.1
          network 10.51.10.68/32
      }
      
    • Christopher_Noy

      I had static route entries added for the TACACS server under sys management-route, but it appears that BIG-IP won't even attempt to use the management interface (I suspect that the management interface is not a part of the logical BIG-IP network, since it doesn't show up in the list of VLANs and interfaces under "Network").

    • Adriano_Bezerra

      The management interface is out-of-band; you cannot see it in the graphical interface.

      To identify the correct interface, access the unit via SSH and enter the command "ifconfig" in bash. The management interface is usually eth0; check whether the IP displayed there is the same one you use to access the BIG-IP.

      Ideally, leave a capture running while trying to log in to the BIG-IP via TACACS. To see what the TACACS server IPs are, use the command "tmsh list auth tacacs".

      Example:

      root@(bigip-lb01) (cfg-sync Standalone) (Active) (/Common) (tmos)# list auth tacacs
      auth tacacs system-auth {
          authentication use-all-servers
          debug enabled
          protocol ip
          secret $M$Ju$LSrECPSSDDDDTfb0HDmgJ2Dj50Q==
          servers { 10.1.1.230 }
          service ppp
      }


      Do both captures at the same time.

      tcpdump -nni eth0 10.1.1.230 << This is for capturing on the management interface

      tcpdump -nnei 0.0 10.1.1.230 << This is for capturing on the data-plane interfaces (-e shows the link-layer header, so you can see which VLAN the packet left on)


      Forward the result after the test.
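As an added example (not code from any poster in this thread or from F5), here is a small POSIX shell script that turns the output of `tmsh list auth tacacs` into the two simultaneous captures suggested above: it pulls the server IPs out of the `servers { ... }` line, builds one tcpdump filter that matches TACACS+ (TCP port 49) to exactly those hosts, and prints the eth0 (management) and 0.0 (data-plane) capture commands. The tmsh output it parses is a constructed sample using the server addresses from the original post; the secret is a placeholder.

```sh
#!/bin/sh
# Added example: derive tcpdump filters for TACACS troubleshooting on BIG-IP
# from "tmsh list auth tacacs" output. Not part of the original thread.

# Constructed sample of "tmsh list auth tacacs" output (stands in for running tmsh).
SAMPLE_TMSH='auth tacacs system-auth {
    authentication use-all-servers
    debug enabled
    protocol ip
    secret $M$PLACEHOLDER
    servers { 192.168.134.206 10.51.10.68 }
    service ppp
}'

# tacacs_servers: print the IPs inside the "servers { ... }" line, one per line.
tacacs_servers() {
    printf '%s\n' "$1" \
        | sed -n 's/.*servers[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | tr -s ' ' '\n' \
        | sed '/^$/d'
}

# tcpdump_filter: build "port 49 and (host A or host B ...)" so the capture
# only shows TACACS+ traffic to the configured servers. Fails if none are listed.
tcpdump_filter() {
    hosts=""
    for ip in $(tacacs_servers "$1"); do
        if [ -z "$hosts" ]; then
            hosts="host $ip"
        else
            hosts="$hosts or host $ip"
        fi
    done
    [ -n "$hosts" ] || { echo "no TACACS servers configured" >&2; return 1; }
    printf 'port 49 and (%s)\n' "$hosts"
}

# capture_commands: the two captures to run at the same time, in two shells.
# eth0 is the management interface; 0.0 covers all data-plane VLANs and -e
# shows the link-layer header so the egress VLAN is visible.
capture_commands() {
    f=$(tcpdump_filter "$1") || return 1
    printf "tcpdump -nni eth0 '%s'\n" "$f"
    printf "tcpdump -nnei 0.0 '%s'\n" "$f"
}

capture_commands "$SAMPLE_TMSH"
```

If packets show up only in the 0.0 capture, the unit is sourcing TACACS from a data-plane self IP rather than the management address, which is the behaviour two posters above describe; if neither capture shows anything, the request never left the box and the routing or configuration should be checked first.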