Allwyn_Mascaren
Feb 24, 2019

APM DUO 2FA fails after logon page customization

Hi Folks,

I am using DUO mobile push for 2FA, and I got this working perfectly with the default APM logon page.

F5 BIG-IP APM with RADIUS and Duo Prompt

This is the working page when using the default APM logon page.

But our requirement is also to change the look of the logon page, and I did this by just copying some code as I have no idea about web design and CSS, and now the 2FA has stopped working.

I am looking at the Fiddler account but am unable to figure it out. This is the Fiddler output hosted on WeTransfer.

The custom logon page code is here:

I have a feeling this is something to do with the iframe options, so I tried setting the db APM iframe option to same_origin

tmsh modify /sys db apm.xframeoptions value same_origin

But still nothing changes; it simply doesn't go past the primary auth, which is localdb auth in this case.

I basically need to understand what I should look for to move forward in troubleshooting this.

Thanks.

6 Replies

  • What programs are you using to capture all that? I could use it for some stuff.

    On your new custom design Fiddler output I don't see the call to the JS script that Duo needs to work. Are you overwriting the whole logon.inc when you update it? It's tough to see, but in the original page it has a PHP include for the header.inc and footer.inc. If you've replaced that, you're not going to have the script still.

    Try adding the

     
    

    part to your new custom page right before the ending body tag at the bottom of your html.

    Also, on a side note, I'm not sure if there's a security risk with that API URL being posted, but it's xxx'd out in their guide. I didn't look through it to see if there are any keys or anything else in there.

    Let us know if you get it working! Dave

    • Allwyn_Mascaren

      Thanks for the comment.

      The screen capturing is with ShareX; it's open source and truly the last screen-capturing tool you will need. It has GIF recording features, autosave and a ton more. The code paste is from Pastebin.

      I already have the script in header.inc and it works with the default page. With the new custom page, yes, I changed the full code, so I think something is knocked off which supports 2FA from the original default logon code.

      The API can't do anything unless I create users for it, and this is a lab setup, so I think it should be fine, but even I am not sure. The files will delete in 6 days anyway, so I'll just keep it.

    • Allwyn_Mascaren

      Is there a way to add one more branch after the primary auth to load the iframe for the duo 2FA auth push prompt?

    • Dave_McCauley_3

      Add the Duo JS script to the of your new custom logon.inc page. I think you overwrote the PHP include statement for the header.inc, which has the script in it, so it's not even loading the header.inc or footer.inc anymore. They're not hardcoded into APM to load them; they're all loaded from the different "inc" pages.

      Let me know if that makes sense.

      Regarding another branch, that won't change anything because the HTML that is sent is static. You could add another logon page with Duo on it using the original logon.inc and it might render it and work, but that defeats the purpose of your customizations. I recall trying to get Duo working with the standard RADIUS VPE entry in the BIG-IP years ago and I don't think push works in that case.