Tuesday, March 12, 2013

TAC_PLUS / FreeIPA and F5

F5 supports authenticating users via TACACS+, so I wanted to extend my existing TACACS+ authentication setup to it and gain granular control over user actions. 

I followed the quick tutorial here, but ran into an issue when attempting to authenticate. The F5 authenticates each user using PAP, so the error below was appearing on my FreeIPA / TACACS+ server. 
pap-login query for 'test.user' unknown from f5.test.domain.com rejected
login failure: test.user f5.test.domain.com (192.168.1.5) unknown
session.peerip is 192.168.1.5
In the tac_plus configuration file, I simply needed to define my user (test.user) in the following manner:
user = test.user {
    login = PAM    # ASCII login authentication is handed to PAM
    pap = PAM      # PAP authentication (what the F5 sends) is handed to PAM as well
    member = adm
}
Since I am using PAM to proxy authentication requests to LDAP via Kerberos, the PAP requests had to be directed to PAM as well: the login = PAM line only covers ASCII login authentication, and without a pap = entry tac_plus has no method to use for the PAP query and rejects it as unknown. 
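To catch this misconfiguration before a device is pointed at the server, here is a small lint, added as an example and not part of the original post or of tac_plus, that parses a tac_plus-style config and lists users who have a login method but no effective pap method, following member = group inheritance the way tac_plus does. The sample configuration is constructed for the example; the adm group is left undefined, as in the post.

```python
import re

# Constructed tac_plus.conf in the style of the post (not the author's file); group adm is intentionally undefined.
SAMPLE_CONF = """
group = netops {
    login = PAM
    pap = PAM
}
user = test.user {      # as in the post before the fix: ASCII login works, PAP (what the F5 sends) does not
    login = PAM
    member = adm
}
user = ops.user {       # inherits pap = PAM from its group, so PAP logins succeed
    login = PAM
    member = netops
}
"""
BLOCK_RE = re.compile(r"^\s*(user|group)\s*=\s*(\S+)\s*\{\s*$")
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_blocks(text):
    """Return {'user': {name: attrs}, 'group': {name: attrs}}; comments stripped, nested blocks skipped by brace depth."""
    blocks, kind, name, depth = {"user": {}, "group": {}}, None, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = BLOCK_RE.match(line)
        if m and depth == 0:
            kind, name = m.groups()
            blocks[kind][name], depth = {}, 1
        elif depth:
            depth += line.count("{") - line.count("}")
            if depth == 1 and (a := ATTR_RE.match(line)):  # only top-level `a = b` lines of the block
                blocks[kind][name][a.group(1)] = a.group(2)
    return blocks

def effective(attrs, groups, key):
    """Resolve `key` as tac_plus does: the user's own value, else the value from its `member` group chain."""
    seen = set()
    while attrs is not None and key not in attrs:
        grp = attrs.get("member")
        if grp is None or grp in seen:  # no group, or a membership cycle; an undefined group yields None
            return None
        seen.add(grp)
        attrs = groups.get(grp)
    return None if attrs is None else attrs[key]

def users_without_pap(text):
    """Users with a login method but no effective pap method: exactly the failure mode in the F5 log above."""
    b = parse_blocks(text)
    return [u for u, a in b["user"].items() if effective(a, b["group"], "login") and not effective(a, b["group"], "pap")]
```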

This is a simple fix, but it definitely consumed a couple of hours to identify the root cause.