Applies To:
BIG-IP APM
- 12.1.6
TACACS+ Authentication and Accounting
About TACACS+ authentication and accounting
Access Policy Manager® (APM®) supports authenticating and authorizing clients against Terminal Access Controller Access Control System Plus (TACACS+) servers. The TACACS+ protocol encrypts the entire body of the authentication packet using the shared key configured on both the client and the server. If you use TACACS+ authentication, user credentials are authenticated on a remote TACACS+ server. If you use the TACACS+ Accounting feature, the accounting service sends start and stop accounting records to the remote server.
APM supports TACACS+ authentication with the TACACS+ Auth access policy item and supports TACACS+ accounting with the TACACS+ Acct access policy item.
About AAA high availability
Using AAA high availability with Access Policy Manager® (APM®), you can configure multiple authentication servers to process requests, so that if one authentication server goes down or loses connectivity, the others can resume authentication requests, and new sessions can be established, as usual.
APM supports the following AAA servers for high availability: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+. APM supports high availability by providing the option to create a pool of server connections when you configure the supported type of AAA server.
Task summary for TACACS+ authentication and accounting
This task list includes all steps required to set up this configuration. If you are adding TACACS+ authentication or accounting to an existing access policy, you do not need to create another access profile and the access policy might already include a logon page.
Task list
Configuring a TACACS+ AAA server for authentication and authorization
Using TACACS+ authentication in an access policy
Verifying log settings for the access profile
Testing AAA high availability for supported authentication servers
- Start a tcpdump capture on the Access Policy Manager® (or attach a protocol analyzer), filtering for packets destined for the port your authentication server listens on.
- Log in to the virtual server with both servers active.
- Using the tcpdump records, verify that the requests are being sent to the higher priority server.
- Log out of the virtual server.
- Disable the higher-priority server.
- Log in to the virtual server again.
- Verify that the request is being sent to the other server.
- Log out again, re-enable the higher-priority server, and log in one more time to verify that new requests are again sent to the higher-priority server.
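The failover check above relies on reading the tcpdump output by eye. The following added example (not part of the original document) counts client-to-server TACACS+ segments per pool member in a saved capture, so the active server can be read off directly. It assumes the pool members are 192.0.2.10 (higher priority) and 192.0.2.20, that TACACS+ listens on TCP port 49, and that the capture was saved with `tcpdump -nni 0.0 -w tacacs.pcap 'tcp port 49'`; the sample lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example: identify which AAA pool member received the TACACS+ requests
# in a capture, to confirm APM failover between high-availability servers.
# Assumptions (not from the page): pool members 192.0.2.10 and 192.0.2.20,
# TACACS+ on TCP port 49, capture read back with "tcpdump -nn -r tacacs.pcap".

# Constructed sample of "tcpdump -nn -r tacacs.pcap" output (not a real capture).
SAMPLE_LINES='10:01:02.100 IP 10.0.0.5.40212 > 192.0.2.10.49: Flags [S], seq 1, win 29200, length 0
10:01:02.101 IP 192.0.2.10.49 > 10.0.0.5.40212: Flags [S.], seq 2, ack 2, win 28960, length 0
10:01:02.105 IP 10.0.0.5.40212 > 192.0.2.10.49: Flags [P.], seq 1:42, ack 1, win 229, length 41
10:01:02.110 IP 192.0.2.10.49 > 10.0.0.5.40212: Flags [P.], seq 1:30, ack 42, win 227, length 29
10:01:02.115 IP 10.0.0.5.40212 > 192.0.2.10.49: Flags [P.], seq 42:80, ack 30, win 229, length 38
10:02:00.100 IP 10.0.0.5.40300 > 192.0.2.20.49: Flags [S], seq 5, win 29200, length 0'

# Print "count server" for each server that received client->server segments
# carrying TACACS+ payload (length > 0) on port 49, most-used first.
# A bare SYN without payload (as to 192.0.2.20 above) is not counted as a request.
tacacs_requests_by_server() {
    printf '%s\n' "$1" | awk '
        $2 == "IP" && $5 ~ /\.49:$/ && $NF > 0 {
            dst = $5; sub(/\.49:$/, "", dst); n[dst]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# Return the server that received the most requests; with both members up this
# should be the higher-priority member, and after disabling it, the other one.
busiest_tacacs_server() {
    tacacs_requests_by_server "$1" | head -n 1 | awk '{print $2}'
}

busiest_tacacs_server "$SAMPLE_LINES"
```

Run the same check against the capture taken after the higher-priority server is disabled; the reported server should change to the remaining member.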
Example access policy for TACACS+ authentication and accounting
This is an example of an access policy with all the associated elements needed to authenticate and authorize users with TACACS+ authentication. Note that the server used for authentication can be different from the server used for TACACS+ accounting service.
How TACACS Plus works
TACACS+ session variables for access policy rules
When the TACACS+ Auth (or TACACS+ Acct) access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the TACACS+ access policy items and for a logon access policy item.
Session variables for TACACS+
Session Variable | Description |
---|---|
session.tacacsplus.last.acct.start_date; session.tacacsplus.last.acct.start_time | Provide the TACACS+ accounting start date and start time set by the accounting agent. |
session.tacacsplus.last.acctresult | Set by the accounting agent to one of the available accounting result values. |
session.tacacsplus.last.errmsgs | Contains the error message string when the TACACS+ authentication or accounting fails. |
session.tacacsplus.last.result | Sets to 1 when authentication succeeds, or 0 when it fails. |
Common session variables
Session Variable | Description |
---|---|
session.logon.last.username | Provides user credentials. The username string is stored after encrypting, using the system's client key. |
session.logon.last.password | Provides user credentials. The password string is stored after encrypting, using the system's client key. |
TACACS+ authentication troubleshooting tips
You might run into problems with TACACS+ authentication in some instances. Follow these tips to try to resolve any issues you might encounter.
TACACS+ auth and query troubleshooting
Possible error messages | Possible explanations and corrective actions |
---|---|
No AAA server associated with the agent | Make sure that a valid TACACS+ server configuration is assigned to the agent (TACACS+ Auth or TACACS+ Acct) used in the access policy. |
Failure to connect to TACACS+ server | Make sure that the TACACS+ server is up and running and reachable from the BIG-IP® system. |
Login incorrect | Supplied user credentials are not valid. |
Invalid reply content, incorrect key | Make sure that the shared encryption key configured on the TACACS+ server configuration matches with the key on the remote TACACS+ server. |
Invalid AUTHEN/START packet from server | Indicates either the wrong keys or that the authentication action (LOGIN) is not supported on the server. |
Unacceptable authen method | Indicates that the TACACS+ server does not support the authentication. Check the settings on the server. |
Unexpected failure return/legal status value from authentication function/Permission error | Caused by internal errors on the remote TACACS+ server. Check the logs on the remote TACACS+ server and also the configuration. |