Authentication web/ssh access with TACACS

Does your TACACS secret contain special characters? If so, change it to something simple (just text) to prove that part works.

Have you already built remote role configurations on your BIG-IP?

i did try a simple secret. remote role configurations on BIG-IP? i was reading about it, understand it regarding to groups that are configure on a remote server as LDAP no? do i have to configure it? if i configure the big-ip to work with RADIUS (IETF) it all works good but i cant use radius.

this should do the work? it already configure while using Radius..

Remote role configurations will be a must if you want to eliminate the need for local accounts on your BIG-IP appliances. Remote roles pertain to the authorization piece of the remote auth solution.

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementations_guide_10_1/sol_mgmt_auth.html

I suspect in your case you still have some issue on the ACS side, as it sounds like your TACACS server configuration on the BIG-IP side is correct.

Thanks Cory, thats one of the Manual Chapter i was reading :) i hope its true but i cant think of any reason why the key mismatch i see in the ACS log..

The discussion here may help you out: https://devcentral.f5.com/questions/acs-support

Thanks, i will try to see how to configure the remote role. "The attribute string that you set within your BIG-IP remote role needs to be defined as a custom attribute under your ACS group" - i didnt understand this part but i guess i will when i see how to configure the remote role..