Forum Discussion
Jim_43682
Nimbostratus
Jul 02, 2012
AD Remote Authentication over Management interface?
Hello All,
Got a quick one for you. Is it possible to have the remote authentication requests go out the management interface? Right now, after doing a tcpdump on both the management interface and our "traffic" interface, I see LDAP authentication requests going out the "traffic" port and not the management one.
The reason I ask is that we have a typical DMZ setup; however, security only wants authentication requests to go across the management VLAN (which is the cable plugged into the management interface).
thanks for your help,
Jim
8 Replies
- nitass
Employee
Have you tried adding a management route for the Active Directory server?
sol3669: Overview of management interface routing (9.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3669.html
- Jim_43682
Nimbostratus
Thanks nitass. That got me started; now LDAPS requests are originating from the management interface. However, the secure logs now state:

    Jul 2 11:26:43 local/gtmhostname err httpd[20108]: [error] [client 1.1.1.1] Could not obtain user credentials
    Jul 2 11:26:46 local/gtmhostname alert httpd[20301]: pam_unix(httpd:auth): check pass; user unknown user= rhost=1.1.1.1

(also happens when SSL handshakes go wrong)

Which is weird because it's the same config as our internal environment, and I've verified the firewall is set to allow connections over 636. Tested with telnet.
- Jim_43682
Nimbostratus
I run this on the F5 and get back results:

    ldapsearch -x -D "CN=bindUser,OU=it,OU=internal,DC=domain,DC=company,DC=com" -b "DC=domain,DC=company,DC=com" -H ldaps://ADserver -W CN=F5admingroup

But when I try to log in from the web GUI, it just hangs for 5 min and then says connection reset??
The logs say nothing. They don't even move. I was tailing them the whole time.
Any ideas?
- nitass
Employee
Would it be possible to capture packets between the BIG-IP and the LDAPS server? Do you have the private key to decrypt them?
- Jim_43682
Nimbostratus
No. Is there anything I can try? I don't understand how the ldapsearch command works on the F5 device but the login doesn't.

    auth ldap system-auth {
        service ldaps
        ssl enable
        search base dn "DC=domain,DC=company,DC=com"
        bind dn "CN=binduser,DC=domain,DC=company,DC=com"
        bind pw "binduserpw"
        login attr "samaccountname"
        servers { "167.69.x.x" "167.69.x.y" "167.69.x.z" }
    }

- nitass
Employee
The configuration looks okay to me. If I were you, I would try normal LDAP (plain text) and capture packets to see what is wrong.
This is my configuration:

    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list auth source
    auth source {
        type active-directory
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list auth remote-user
    auth remote-user {
        default-role admin
        remote-console-access tmsh
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list auth ldap
    auth ldap system-auth {
        bind-dn cn=administrator,cn=users,dc=abc,dc=com
        bind-pw password
        login-attribute samaccountname
        port 636
        search-base-dn DC=abc,DC=com
        servers { 172.28.19.78 }
        ssl enabled
    }
    [root@ve11a:Active:In Sync] config # tail /var/log/secure
    Jul 6 19:28:03 ve11a notice httpd[31839]: 01070417:5: AUDIT - user tasmania - RAW: httpd(mod_auth_pam): user=tasmania(tasmania) partition=[All] level=Administrator tty=/usr/bin/tmsh host=192.168.206.55 attempts=1 start="Fri Jul 6 19:28:03 2012".

- Jim_43682
Nimbostratus
Really stumped here. The ldapsearch string works flawlessly; however, the web GUI login hangs for about a minute and then drops. I tailed the logs during the web GUI login, and no new statements are generated. I've tried increasing the logging level to debug and still nothing in the logs. Is there anywhere else I can check to figure out what is going on here?
- nitass
Employee
Have you tried opening a support case? If you can provide them a packet capture, they should be able to help you look into it.
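The thread turns on what /var/log/secure does and does not say for a remote (LDAP/AD) web-GUI login: a "Could not obtain user credentials" line plus a pam_unix "user unknown" fall-through when the directory lookup fails, versus an "AUDIT ... httpd(mod_auth_pam)" record when it succeeds. The following is an added triage script, not code from the thread or from F5; it classifies those line types and groups outcomes per client address so a source that only ever fails stands out. The sample log text is constructed from the lines quoted above (the separate "authentication failure; ... rhost=" pam_unix line is an assumed companion to the "user unknown" line), and the regular expressions are keyed only on the wording visible in those quotes.

```python
"""Triage BIG-IP /var/log/secure lines for remote (LDAP/AD) web-GUI logins.

Each httpd/PAM line is classified as a remote-auth success (AUDIT record), a
credential lookup failure (mod_auth_pam could not obtain credentials for the
client), a fall-through to local pam_unix ("user unknown"), or a generic PAM
failure carrying the client address. Outcomes are then counted per client.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the lines quoted in the thread; not a real capture.
SAMPLE_SECURE_LOG = """\
Jul 2 11:26:43 local/gtmhostname err httpd[20108]: [error] [client 1.1.1.1] Could not obtain user credentials
Jul 2 11:26:46 local/gtmhostname alert httpd[20301]: pam_unix(httpd:auth): check pass; user unknown
Jul 2 11:26:46 local/gtmhostname alert httpd[20301]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=1.1.1.1
Jul 6 19:28:03 ve11a notice httpd[31839]: 01070417:5: AUDIT - user tasmania - RAW: httpd(mod_auth_pam): user=tasmania(tasmania) partition=[All] level=Administrator tty=/usr/bin/tmsh host=192.168.206.55 attempts=1 start="Fri Jul 6 19:28:03 2012".
"""


@dataclass
class AuthEvent:
    kind: str              # "success", "no_credentials", "user_unknown", "pam_failure"
    rhost: Optional[str]   # client address when the line carries one
    user: Optional[str]    # only known on success lines
    level: Optional[str]   # role granted on success (e.g. Administrator)
    raw: str


# AUDIT record written by httpd(mod_auth_pam) when the remote lookup succeeded.
AUDIT_RE = re.compile(
    r"AUDIT - user (?P<user>\S+) - RAW: httpd\(mod_auth_pam\):.*?"
    r"level=(?P<level>\S+).*?host=(?P<host>\S+)"
)
# Apache could not get credentials for the client (directory unreachable, TLS broke, ...).
NO_CRED_RE = re.compile(r"\[client (?P<host>[^\]]+)\] Could not obtain user credentials")
# Local pam_unix did not know the user: the remote module did not resolve it first.
USER_UNKNOWN_RE = re.compile(r"pam_unix\(httpd:auth\): check pass; user unknown")
# Generic PAM failure line that carries the remote host (assumed companion line).
PAM_FAIL_RE = re.compile(r"pam_unix\(httpd:auth\): authentication failure;.*?rhost=(?P<host>\S*)")


def classify_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for httpd auth lines, None for anything else."""
    if "httpd" not in line:
        return None
    m = AUDIT_RE.search(line)
    if m:
        return AuthEvent("success", m.group("host"), m.group("user"), m.group("level"), line)
    m = NO_CRED_RE.search(line)
    if m:
        return AuthEvent("no_credentials", m.group("host"), None, None, line)
    if USER_UNKNOWN_RE.search(line):
        return AuthEvent("user_unknown", None, None, None, line)
    m = PAM_FAIL_RE.search(line)
    if m:
        return AuthEvent("pam_failure", m.group("host") or None, None, None, line)
    return None


def parse_secure_log(text: str) -> List[AuthEvent]:
    """Classify every line of a /var/log/secure excerpt, skipping unrelated lines."""
    events = []
    for line in text.splitlines():
        ev = classify_line(line)
        if ev:
            events.append(ev)
    return events


def outcomes_by_host(events: List[AuthEvent]) -> Dict[str, Counter]:
    """Count event kinds per client address; events without a host go under '?'."""
    table: Dict[str, Counter] = {}
    for ev in events:
        table.setdefault(ev.rhost or "?", Counter())[ev.kind] += 1
    return table


def hosts_never_authenticated(events: List[AuthEvent]) -> List[str]:
    """Client addresses that only ever produced failures: where to look first."""
    table = outcomes_by_host(events)
    return sorted(h for h, c in table.items() if h != "?" and c["success"] == 0)


if __name__ == "__main__":
    evs = parse_secure_log(SAMPLE_SECURE_LOG)
    for host, counts in outcomes_by_host(evs).items():
        print(host, dict(counts))
    print("failing clients:", hosts_never_authenticated(evs))
```

Run it against a real excerpt with `parse_secure_log(open("/var/log/secure").read())`. A client that appears only under no_credentials or pam_failure, with the "user unknown" fall-through beside it, is the signature of the directory lookup never completing, which is distinct from a wrong password (that would still produce a PAM failure but no "Could not obtain user credentials" line).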