Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IQ Platform
Fixed In:
5.4.0 HF2
Opened: Jan 24, 2018 Severity: 3-Major Related Article:
K57814480
In BIG-IP 13.1.0, a change was made to how the BIG-IP handles the calls to authenticate, when an external authentication provider is configured. With this change, the caller is forced to use the authentication provider the BIG-IP system is configured to use, and it does not fall back to local authentication. This change results in a failure of the BIG-IQ authentication call to the BIG-IP system when an external authentication provider is configured. This is used at the beginning of device discovery, therefore discovery fails.
When an external authentication provider is configured on the BIG-IP system, device discovery from the BIG-IQ fails.
This occurs when the following conditions are met: -- Running BIG-IQ versions up to and including 5.4 HF1. -- External authentication provider is configured on the BIG-IP system. -- Trying to discover BIG-IP systems running version 13.1.0 and newer.
1. On the BIG-IP system, set the authentication provider to local. 2. On the BIG-IQ device, discover/import the device using local user admin. 3. On the BIG-IP system, set the authentication provider to the external/remote one. 4. As the BIG-IQ device already has the authentication token for the device, communication with the device still works. The BIG-IQ device can re-discover/re-import the device. Important: However, DO NOT remove the device from the BIG-IQ device, as that causes authentication to fail.
Device discovery for all the supported BIG-IP versions succeeds.