Last Modified: May 05, 2026
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.1.3.1, 17.1.3.2, 17.5.0, 17.5.1, 17.5.1.2, 17.5.1.3, 17.5.1.4, 17.5.1.5, 17.5.1.6, 21.0.0, 21.0.0.1
Opened: Jul 04, 2024
Severity: 3-Major
When remote authentication is configured with fallback set to true, a login attempt with local user credentials and an empty password makes the authentication mechanism fall back to local authentication. If the correct local user password is then provided, access is granted, which is a security issue.
Unauthorized access is given to the BIG-IP with a local user, even though the authentication mechanism is configured as remote.
-- Configure auth source fallback true.
-- Configure the remote auth mechanism, in this case TACACS.
-- Configure a local user that is not present in the TACACS server.

    auth source {
        fallback true
        type tacacs
    }

Configure the auth source fallback as false.

    auth source {
        fallback false
        type tacacs
    }
None
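The following is an added example, not F5 code: a shell function that audits configuration text for the condition described above (a remote auth type combined with `fallback true`), handling both the one-line and the multi-line stanza form. The function name `check_auth_fallback`, its exit codes, and feeding it from `tmsh list auth source` output or a saved configuration file are assumptions; it also goes beyond the TACACS case by treating any type other than `local` as remote.

```shell
# Added example (not F5 code). Reads BIG-IP configuration text on stdin and
# checks every "auth source { ... }" stanza for the combination in this report.
# Exit status: 0 = no exposed stanza, 1 = remote type with fallback true,
#              2 = no auth source stanza in the input.
# Assumptions: a missing "fallback" key counts as false, a missing "type" as
# local, and any type other than "local" counts as remote.
check_auth_fallback() {
    awk '
    {
        gsub(/[{}]/, " & ")   # split braces off so both stanza layouts tokenise alike
        for (i = 1; i <= NF; i++) tok[++n] = $i
    }
    END {
        rc = 2
        for (i = 1; i + 2 <= n; i++) {
            if (tok[i] != "auth" || tok[i+1] != "source" || tok[i+2] != "{") continue
            fallback = "false"; atype = "local"
            for (j = i + 3; j < n && tok[j] != "}"; j++) {
                if (tok[j] == "fallback") fallback = tok[j+1]
                if (tok[j] == "type")     atype = tok[j+1]
            }
            if (atype != "local" && fallback == "true") {
                print "EXPOSED: type=" atype " fallback=true (local user login possible despite remote auth)"
                rc = 1
            } else {
                print "ok: type=" atype " fallback=" fallback
                if (rc == 2) rc = 0
            }
        }
        if (rc == 2) print "no auth source stanza found"
        exit rc
    }'
}

# Constructed sample input in the form shown in this report.
printf 'auth source {\n    fallback true\n    type tacacs\n}\n' | check_auth_fallback || true
```

A non-zero exit status lets the function gate a configuration review or a scheduled compliance check.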