sol12304: The TACACS+ secret key must not contain the number sign (#)

Original Publication Date: 11/10/2010
Updated Date: 07/20/2016

Topic

The TACACS+ secret key must not contain the number sign (#). If you configure a Terminal Access Controller Access-Control System Plus (TACACS+) profile for application authentication, and the TACACS+ shared key secret contains a number sign (#), authentication fails.

In addition, if you configure TACACS+ authentication to authenticate BIG-IP administrative users, and the TACACS+ shared key secret contains a number sign, authentication fails for all administrative accounts including the local root and admin accounts.

Configuring a TACACS+ shared secret that does not contain a number sign

If you configured a TACACS+ profile for application authentication, you can work around this issue by configuring a TACACS+ shared secret that does not contain a number sign. You must make this change on both the BIG-IP system and the TACACS+ server.
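Before applying a new shared secret on either side, it is worth checking that it is free of the number sign. The following shell function is an added example (not part of the F5 article or any BIG-IP tooling) that rejects a proposed secret containing a `#`, or an empty one, and otherwise accepts it; the sample secrets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the F5 article): check a proposed TACACS+ shared
# secret before configuring it on the BIG-IP system and the TACACS+ server.
# Exit status 0 means the secret is usable; 1 means it would break
# authentication (or is empty). The reason is written to stderr.
check_tacacs_secret() {
    secret="$1"
    case "$secret" in
        "")
            echo "rejected: secret is empty" >&2
            return 1 ;;
        *'#'*)
            echo "rejected: secret contains a number sign (#)" >&2
            return 1 ;;
    esac
    return 0
}

# Constructed sample secrets for a stand-alone run; not real credentials.
# Keep the secret quoted: a # at the start of a word would otherwise begin
# a shell comment and the check would never see the rest of the line.
check_tacacs_secret 'Tacacs-Key-2016' && echo "accepted: Tacacs-Key-2016"
check_tacacs_secret 'Tacacs#Key' || echo "rejected as expected"
```

Run the check once with the exact string you intend to enter on the TACACS+ server and once with the string you intend to enter on the BIG-IP system; a mismatch between the two, or a `#` in either, is what produces the authentication failure described above.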

If you configured TACACS+ authentication for BIG-IP administrative users, and you can no longer log in to the BIG-IP system, restore access by performing one of the following two procedures:

Reverting to local authentication using the SCCP/AOM subsystem

  1. Connect to the Switch Card Control Processor (SCCP) or Always-On Management (AOM) subsystem using a secure shell (SSH) client or the serial console.

    Note: If connecting using SSH, enter the root user name and password when prompted. If connecting using the serial console, press the L key at the SCCP or AOM command menu, then enter the root user name and password when prompted.

    Note: For detailed instructions about accessing the SCCP subsystem, refer to SOL3454: Overview of the SCCP. For detailed instructions about accessing the AOM subsystem, refer to SOL9403: Overview of the AOM subsystem.

  2. To SSH to the BIG-IP system, type the following command:

    ssh host

    Note: You will not be prompted for a password.

  3. To revert to local authentication, type one of the following commands:

    BIG-IP 11.x

    tmsh modify auth source type local

    BIG-IP versions prior to 11.x

    bigpipe system auth source type local

  4. To save the change, type one of the following commands:

    BIG-IP 11.x

    tmsh save sys config

    BIG-IP versions prior to 11.x

    bigpipe save

  5. Verify that you are now able to access the BIG-IP system using the root and admin accounts.
  6. Configure a new shared secret on the TACACS+ server.
  7. On the BIG-IP system, re-enable TACACS+ authentication and configure the new shared secret.

Reverting to local authentication by booting into single user mode

Important: The BIG-IP system will be unavailable for the duration of the following procedure. F5 recommends performing this procedure during a scheduled maintenance window.

  1. Connect a terminal to the BIG-IP serial console port. For a VIPRION system, connect a terminal to the serial port on one of the VIPRION blades.
  2. Boot the system or blade in single user mode.

    Note: For instructions about booting in single user mode, refer to SOL4178: Booting the BIG-IP system in single-user mode.

  3. After the device boots into single user mode, a command prompt appears similar to the following example:

    sh-3.2#

  4. Open one of the following files using a text editor:

    BIG-IP 11.x

    /config/bigip.conf

    BIG-IP versions prior to 11.x

    /config/bigip_sys.conf

  5. Locate the configuration stanza in the file as appropriate for your version:

    BIG-IP 11.x

    auth source {
    type tacacs
    }

    BIG-IP versions prior to 11.x

    system {
    auth source type tacacs
    }

  6. To revert to local authentication, change the word tacacs to local:

    For example:

    system {
    auth source type local
    }

  7. Save and exit the file.
  8. Create a null file with the file name forceload in the /service/mcpd directory by typing the following command:

    touch /service/mcpd/forceload

    On VIPRION systems, run the command on all blades at once by typing the following command instead:

    clsh touch /service/mcpd/forceload

    This command forces the BIG-IP system to read the files in the /config/ directory during startup.
  9. On a BIG-IP VIPRION system, repeat steps 1 through 8 on each blade before proceeding to the next step.
  10. Reboot the BIG-IP system by typing the following command:

    reboot

    On a BIG-IP VIPRION system, repeat this command on each blade.
  11. Verify that you are now able to access the BIG-IP system using the root and admin accounts.
  12. Configure a new shared secret on the TACACS+ server.
  13. On the BIG-IP system, re-enable TACACS+ authentication and configure the new shared secret.
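Steps 4 through 7 above are a manual edit of a single stanza. The following shell functions are an added example (not F5's own tooling) that perform the same edit non-interactively on either stanza layout, keep a backup of the original file, and report the configured auth source type so the change can be verified before rebooting. The sample configuration files are constructed here for a stand-alone run; on a real system you would pass `/config/bigip.conf` or `/config/bigip_sys.conf` instead.

```shell
#!/bin/sh
# Added example (not F5's own tooling): revert the "auth source" stanza from
# tacacs to local in an offline copy of the configuration, as done by hand in
# steps 4 through 7 above. Handles both the 11.x layout (bigip.conf) and the
# pre-11.x layout (bigip_sys.conf).

# Print the configured auth source type ("tacacs", "local", ...) or nothing
# if no auth source stanza is present in the file given as $1.
auth_source_type() {
    awk '
        /^auth source[[:space:]]*[{]/ { auth_blk = 1; next }   # 11.x layout
        auth_blk && /^[[:space:]]*[}]/ { auth_blk = 0 }
        auth_blk && $1 == "type"       { print $2; exit }
        /^system[[:space:]]*[{]/       { sys_blk = 1; next }   # pre-11.x layout
        sys_blk && /^[[:space:]]*[}]/  { sys_blk = 0 }
        sys_blk && $1 == "auth" && $2 == "source" && $3 == "type" { print $4; exit }
    ' "$1"
}

# Rewrite tacacs -> local inside the auth source stanza only (other uses of
# the word tacacs in the file are left alone). A backup is kept as $1.bak.
# Returns 1 if nothing changed, e.g. the type is already local or no stanza
# was found, so the caller does not reboot for nothing.
revert_auth_source_to_local() {
    f="$1"
    cp -p "$f" "$f.bak" || return 1
    sed -e '/^auth source[[:space:]]*{/,/^[[:space:]]*}/ s/^\([[:space:]]*type[[:space:]]*\)tacacs[[:space:]]*$/\1local/' \
        -e '/^system[[:space:]]*{/,/^[[:space:]]*}/ s/^\([[:space:]]*auth source type[[:space:]]*\)tacacs[[:space:]]*$/\1local/' \
        "$f.bak" > "$f" || return 1
    ! cmp -s "$f" "$f.bak"
}

# Constructed sample configuration files (not real BIG-IP files) so the
# example runs stand-alone; the hostname value is made up.
demo_dir=$(mktemp -d)
cat > "$demo_dir/bigip.conf" <<'EOF'
auth source {
    type tacacs
}
EOF
cat > "$demo_dir/bigip_sys.conf" <<'EOF'
system {
    hostname bigip1.example.com
    auth source type tacacs
}
EOF

for f in "$demo_dir/bigip.conf" "$demo_dir/bigip_sys.conf"; do
    echo "$f: before=$(auth_source_type "$f")"
    revert_auth_source_to_local "$f" && echo "$f: rewritten, backup in $f.bak"
    echo "$f: after=$(auth_source_type "$f")"
done
```

Because the substitution is restricted to the lines between the stanza opener and its closing brace, it does not touch other configuration that happens to mention tacacs. After the rewrite, `auth_source_type` on the edited file should print `local`; only then create the forceload file and reboot as in steps 8 through 10.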
