K14768: Client Authentication License Required for RADIUS, Kerberos, TACACS, LDAP, OCSP, and CRLDP Profiles

K14768: Client Authentication license required for RADIUS, Kerberos, TACACS, LDAP, OCSP, and CRLDP profiles

Non-Diagnostic

Original Publication Date: Oct 21, 2013

Update Date: Apr 24, 2019

Topic

You need a BIG-IP license with the Client Authentication module enabled to use the following authentication profiles:

Remote Authentication Dial-in User Service (RADIUS) Terminal Access Controller Access-Control System (TACACS) Kerberos Lightweight Directory Access Protocol (LDAP) Online Certificate Status Protocol (OCSP) Certificate Revocation List Distribution Point (CRLDP)

Description

If the Client Authentication module is not licensed, the RADIUS, TACACS, Kerberos, and LDAP authentication profiles are not present in the Configuration utility but are present in the Traffic Management Shell (tmsh). If you attempt to use one of these unlicensed profiles from tmsh, the BIG-IP system logs an error message similar to the following examples in the /var/log/ltm file: err mcpd[]: 01070356:3: RADIUS Authentication feature not licensed. err mcpd[]: 01070356:3: KRB Delegate authentication feature not licensed. err mcpd[]: 01070356:3: LDAP Authentication feature not licensed. err mcpd[]: 01070356:3: TACACS Authentication feature not licensed.

The OCSP and CRLDP profiles are present in the Configuration utility and tmsh but do not function if unlicensed and do not log any error messages.

Recommendations

If the RADIUS, TACACS, Kerberos, LDAP, OCSP, or CRLDP profiles are required, you should confirm that the Client Authentication module is included with your BIG-IP license. If the Client Authentication module is not licensed, contact your F5 sales representative.

Checking active modules using the Configuration utility

1. Log in to the Configuration utility with administrative privileges. 2. Navigate to System > License.

3. 3. Confirm that the Active Modules list includes the Client Authentication module.

Checking active modules using tmsh

1. Log in to the BIG-IP command line as the root user. 2. Log in to tmsh by typing the following command:

tmsh

3. To show the list of active modules, type the following command:

>show sys license

4. Confirm that the Active Modules list includes the Client Authentication module.

Supplemental Information

K2595: Activating and installing a license file from the command line K7752: Overview of licensing the BIG-IP system K14263: End of Life policy for the Advanced Client Authentication

Applies to:

Product: BIG-IP, BIG-IP LTM 11.3.X, 11.2.X, 11.1.X, 11.0.X, 10.2.4