Forum Discussion

thrillseeker's avatar
thrillseeker
Icon for Nimbostratus rankNimbostratus
Jun 12, 2023

Configuring remote authentication fallback on BIG-IP systems does still not work!

Hi all,

According to https://my.f5.com/manage/s/article/K67025432 local user authentication should work even when remote server (in my example Windows AD) is still reachable (fallback option enabled). See 2nd bullet point from the article below:

You should consider using this procedure when your BIG-IP system is configured for remote authentication for BIG-IP system users.

  • You want a local users to be able to access the BIG-IP system when the remote authentication server is unavailable.
  • You want a local users to be able to access to the BIG-IP system when the users are locally configured on the BIG-IP and are not configured on the remote authentication server.
  • You want local or remote users to access to the BIG-IP system through SSH using SSH public key authentication.

After enabling the fallback option in remote authentication settings (yes I'm using BIG-IP version 16.1.3.x already) I'm still not able to login with local user (in my case a readonly user)!
In our situation we need to give some local users readonly access to the BIGIP system. Unfortunately having those users in the same external userdirectory is currently not an viable option. For me it seems that this 2nd bullet point isn't realy correct!

Is anyboday aware of an other solution or workaround at least?
Thanks & Regards

Thrillseeker

 

application delivery
security

8 Replies

Sort By
  • whisperer's avatar
    whisperer
    Icon for MVP rankMVP
    Jun 12, 2023

    Have you submitted an F5 support case for this? This is the first avenue before you are able to escalate any such perceived issue to either bug fix or request for enhancement (RFE) status.

  • whisperer's avatar
    whisperer
    Icon for MVP rankMVP
    Jun 12, 2023

    Silly question, after re-reading this a second time, but are you loggin in via HTTPS GUI or SSH console? If SSH console, make sure you have a shell configured for the user --- Advanced Shell or TMSH. Also, can you confirm the use exists and the current settings?

    tmsh list auth user <username>

    Also try tailing the login log at /var/log/secure. May give you an idea into the login failure.

     

     

    • thrillseeker's avatar
      thrillseeker
      Icon for Nimbostratus rankNimbostratus
      Jun 13, 2023

      Hi whisperer,

      Thanks a lot for your answers. I our scenario the local user will just get HTTPS webui access.
      Will check the security logs in more detail.

      thx
      Thrillseeker

  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Jun 13, 2023

    thrillseeker Are you attempting to log in using the GUI or CLI for this user? Are you positive the user has appropriate permissions and does not exist in your remote authentication server?

    • thrillseeker's avatar
      thrillseeker
      Icon for Nimbostratus rankNimbostratus
      Jun 13, 2023

      Hi Paulius,

      I just need GUI access for this local user. And yes, I created a fancy username which is definitely NOT in our windows AD user direcotry. 🙂
      Will check the security logs as suggested today and let you know.

      thx
      Thrillseeker

  • CA_Valli's avatar
    CA_Valli
    Icon for MVP rankMVP
    Jun 13, 2023
    thrillseeker wrote:

    In our situation we need to give some local users readonly access to the BIGIP system. Unfortunately having those users in the same external userdirectory is currently not an viable option. For me it seems that this 2nd bullet point isn't realy correct!

    You should understand that authentication fallback triggers when the AAA server is unavailable.

    As far as I know, local users can't access the system if you configure -for example- TACACS authentication, unless the TACACS server is unreachable by F5 - that's why they named it "failback". Unless, an user with the same name is configured in the TACACS server. 

    From same article: 

     

    User type Fallback option de-selected (default) Fallback option selected
    Local, without remote counterpart
    • Unable to access the device.
    • Access the device using SSH public-key authentication.
    • Access the device using local device authentication when remote authentication server is unavailable.
    • thrillseeker's avatar
      thrillseeker
      Icon for Nimbostratus rankNimbostratus
      Jun 13, 2023

      You are right, BUT according to the article (see 2nd bullet point in red) below it should still be possible to use local accounts.

      https://my.f5.com/manage/s/article/K67025432

      You should consider using this procedure when your BIG-IP system is configured for remote authentication for BIG-IP system users.

      • You want a local users to be able to access the BIG-IP system when the remote authentication server is unavailable.
      • You want a local users to be able to access to the BIG-IP system when the users are locally configured on the BIG-IP and are not configured on the remote authentication server.

      So it could be that this fallback feautre works as expectetd but than this article is a bit missleading...

      Regards

      Lukas

       

       

      • CA_Valli's avatar
        CA_Valli
        Icon for MVP rankMVP
        Jun 13, 2023

        You're right, it's a little misleading.

        What the bullet point refers to (I believe), is that this configuration supports users that CAN access the unit, and AREN'T configured on the remote server. BUT, those will ONLY work when TACACS is not reacheable, which will be the failback scenario.

        Without failback enabled, local users WILL NOT work, even if TACACS is down, and this is the difference that the BP wants to highlight.

        For local users to work when TACACS is up, I'm pretty sure you need to map them in the auth server.

        ( thrillseeker I have edited the comment a couple times, I'm tagging you so it triggers a notification and I'm sure you don't miss latest update )