Onboard Discovery displays error "401: F5 Authorization Required"

Applies To

Trust Protection Platform 15.2 and above

F5 iControl Rest 11.5.x

F5 iControl Rest 11.6.x

Symptom:

Getting the following error when running Onboard Discovery:

Onboard Discovery \VED\Discovery\Onboard Discovery Job failed to get response from 'X.X.X.X'. Error: 'The request failed with HTTP status 401: F5 Authorization Required.'.

Resolution:

There are two reasons why you could potentially see this error:

  1. The credentials used on the device object are incorrect or do not have access to the F5. Fix the credentials and try again.

  2. The more likely cause is that the user is a Remotely Authenticated user (User Directory: TACACS+). F5 does not support Remote Authentication for iControl REST API access in version 11.5.x. You will be able to log in to the F5 Management Interface, but not to the iControl REST APIs.
  3. In BIG-IP 11.5.x to 13.0.x, by default, only users with the Administrator role are granted access to the iControl REST API. A workaround documented in the article linked below allows users without the Administrator role to access iControl (not necessary for BIG-IP 13.1.x and later).

    K84925527: Overview of iControl permissions
    https://support.f5.com/csp/article/K84925527 


    Solution: Upgrade the F5 to version 12.x or use a locally authenticated user. 

More Information:

This can be tested outside of the Venafi product by doing the following:

  1. Open a web browser.
  2. Enter the URL: "https://server_hostname/mgmt/tm/ltm/virtual/?expandSubcollections=true"
  3. You will be prompted for authentication. Try the user used for the Onboard Discovery. If the user works, then Onboard Discovery will also work.

You can also test the REST API endpoint with curl:

curl -sk -u username:password -X GET 'https://server_hostname/mgmt/tm/ltm/virtual/?expandSubcollections=true'
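
A scripted version of the check above, as an added example that is not part of the original article: it captures the HTTP status of the same request and maps a 401 to the causes listed under Resolution. The environment variable names, function names and result labels are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the article. F5_HOST, F5_USER, F5_PASS, F5_VERSION,
# F5_AUTH, F5_ROLE and all function names are assumptions of this sketch.

# HTTP status of the REST call the article tests. Credentials reach curl as a
# config on stdin (-K -) so the password stays out of the process list and
# shell history (a password containing " or \ would need escaping).
# -k skips certificate checks as in the article's command; use --cacert
# instead when the management certificate chains to a CA you trust.
f5_rest_status() {  # args: host user password
  printf 'user = "%s:%s"\n' "$2" "$3" |
    curl -sk -K - -o /dev/null -w '%{http_code}' \
      "https://$1/mgmt/tm/ltm/virtual/?expandSubcollections=true"
}

# "11.5.4" -> 1105 (major*100 + minor), for range checks.
ver_num() (
  IFS=. read -r major minor rest <<EOF
$1
EOF
  echo $(( ${major:-0} * 100 + ${minor:-0} ))
)

# Map a result to the causes listed in the article.
# args: http_status bigip_version auth_source(local|remote) role
diagnose() {
  v=$(ver_num "$2")
  if [ "$1" = 200 ]; then echo ok; return; fi
  if [ "$1" != 401 ]; then echo other; return; fi
  if [ "$3" = remote ] && [ "$v" -lt 1200 ]; then
    # Cause 2. "Below 12.x" is this sketch's reading of the article's
    # "upgrade to version 12.x" advice.
    echo remote-auth-unsupported
  elif [ "$4" != Administrator ] && [ "$v" -ge 1105 ] && [ "$v" -lt 1301 ]; then
    echo needs-administrator-role   # cause 3 (11.5.x to 13.0.x), see K84925527
  else
    echo bad-credentials            # cause 1
  fi
}

# Runs only when F5_HOST is set in the environment.
if [ -n "${F5_HOST:-}" ]; then
  status=$(f5_rest_status "$F5_HOST" "$F5_USER" "$F5_PASS")
  echo "HTTP $status: $(diagnose "$status" "$F5_VERSION" "$F5_AUTH" "$F5_ROLE")"
fi
```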

 

Forum URL describing the issue:

https://devcentral.f5.com/questions/icontrol-rest-and-remote-authentication

 


Comments

  • Igor Guarisma

    Is this only an issue for TACACS+ authentication or also for other authentication providers like LDAP and RADIUS?

  • Igor Guarisma

    A customer was able to implement a workaround by using the built-in local administrator account on their F5 LTM for now, until they upgrade to iControl v12.x.