Last Modified: Jul 09, 2026
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.1.3.1, 17.1.3.2
Opened: Jul 15, 2025 Severity: 3-Major
When using ClientCert-LDAP (CAC certificate) authentication, some users intermittently fail to log in to the BIG-IP GUI or SSH. Not all users are affected; only a subset of users whose certificates are issued from certain Certificate Authorities experience the failure. Other users with the same ClientCert-LDAP configuration can log in successfully.
Admin users relying on CAC (certificate-based) authentication are unable to log in to the BIG-IP GUI or SSH on affected appliances.
This issue occurs when ALL of the following are true: - BIG-IP is configured for ClientCert-LDAP (CAC certificate) authentication - OCSP verification is enabled for client certificates - The authenticating user's certificate is issued by a CA whose issuer certificate is not available to the OCSP verification chain - The PAM module is configured with ignore_authinfo_unavail
None
None