Bug ID 1135865: Remotely authenticated user who is a member of multiple roles that include invalid roles is not allowed to log in

Last Modified: May 29, 2024

Affected Product(s):
F5OS Velos(all modules)

Fixed In:
F5OS-C 1.6.0, F5OS-A 1.4.0, F5OS-A 1.3.0

Opened: Aug 11, 2022

Severity: 3-Major


Users on systems have a role assigned to them. This role is one of a predefined set which includes the admin role. A remote user with multiple roles, some of which are not in this predefined set, is configured on a remote authentication server (LDAP, tacplus or RADIUS). Such a user was treated different based on mode of access (GUI or ssh) and the remote authentication method. Sometimes the user can log in, sometimes not.


When a remote user has multiple roles which include invalid roles, the behavior of the system was inconsistent.


A user has to configured on a remote authentication server (LDAP, tacplus or RADIUS) with multiple group IDs, some of which are not assigned to any role in our system. That remote authentication method has to be configured as an authentication method on our system. User supplies the correct password and tries to log in. The user may or may not be allowed into the system, depending on method of access and remote authentication method.


Removing the invalid group ID from the remote server will fix the issue.

Fix Information

When a remote user belongs to multiple roles, some of which are invalid ones, only the valid roles are considered for authorization. Also, this is consistently done across methods of access (GUI, ssh, etc.) and across all remote authentication methods (LDAP, tacplus, RADIUS, etc.).

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips