Bug ID 676107: With admin account disabled, user cannot use token-based authentication

Last Modified: Jun 30, 2019

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Jul 28, 2017
Severity: 3-Major

Symptoms

To allow special characters in usernames when using remote authentication providers (LDAP, RADIUS, etc.), the login process makes additional iControl REST calls to detect the authentication source type. Since there is no system account on the BIG-IP system, the operation uses the hardcoded admin account to perform that function. If the admin account is disabled, these calls fail, so the user cannot use token-based authentication.

Impact

Cannot use token-based authentication.

Conditions

-- admin account is disabled.
-- Remote authentication configured.
-- Logging on using iControl.

(Disabling the admin account might occur as a result of following the instructions in K15632: Disabling the admin and root accounts using the Configuration utility or tmsh, https://support.f5.com/csp/article/K15632).

Workaround

There is no workaround other than not disabling the admin user account.

Fix Information

None

Behavior Change