Bug ID 703559: BIG-IQ unable to retrieve authentication token from BIG-IP 13.1.0+ using remote authentication

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IQ Platform (all modules)

Fixed In:
5.4.0 HF2

Opened: Jan 24, 2018

Severity: 3-Major

Related Article: K57814480

Symptoms

In BIG-IP 13.1.0, a change was made to how the BIG-IP system handles authentication calls when an external authentication provider is configured. With this change, the caller is forced to use the authentication provider the BIG-IP system is configured to use, and the system does not fall back to local authentication. As a result, the BIG-IQ authentication call to the BIG-IP system fails when an external authentication provider is configured. This call is made at the beginning of device discovery, so discovery fails.

Impact

When an external authentication provider is configured on the BIG-IP system, device discovery from the BIG-IQ fails.

Conditions

This occurs when the following conditions are met:
-- Running BIG-IQ versions up to and including 5.4 HF1.
-- External authentication provider is configured on the BIG-IP system.
-- Trying to discover BIG-IP systems running version 13.1.0 and newer.

Workaround

1. On the BIG-IP system, set the authentication provider to local.
2. On the BIG-IQ device, discover/import the device using local user admin.
3. On the BIG-IP system, set the authentication provider to the external/remote one.
4. As the BIG-IQ device already has the authentication token for the device, communication with the device still works. The BIG-IQ device can re-discover/re-import the device.

Important: DO NOT remove the device from the BIG-IQ device, as that causes authentication to fail.

Fix Information

Device discovery for all the supported BIG-IP versions succeeds.

Behavior Change
