Forum Discussion
APM DUO 2FA fails after logon page customization
What programs are you using to capture all that? I could use it for some stuff.
On your new custom design fiddler output I don't see the call to the js script that duo needs to work. Are you overwriting the whole logon.inc when you update it? It's tough to see, but in the original page it has a PHP include for the header.inc and footer.inc. If you've replaced that, you're not going to have the script still.
Try adding the
part to your new custom page right before the ending body tag at the bottom of your html.
Also, on a sidenote, I'm not sure if there's a security risk with that api URL being posted, but it's xxx'd out in their guide. I didn't look through it if there's any keys or anything else in there.
Let us know if you get it working! Dave
- Allwyn_MascarenFeb 25, 2019Cirrus
Thanks for the comment.
The screen capturing is with ShareX, its open source and truly the last screencapturing tool you will need, it has gif recording features, autosave and a ton more. The code paste is from pastebin.
I already have the script in header.inc and it works with the default page, with the new custom page yes I changed the full code so I think something is knocked off which supports 2FA from the original default logon code.
The api cant do anything unless I create users for it and this is a lab setup so I think it should be fine, but even I am not sure, the files will delete in 6 days anyway..so i'll just keep it.
- Allwyn_MascarenFeb 25, 2019Cirrus
Is there a way to add one more branch after the primary auth to load the iframe for the duo 2FA auth push prompt?
- Dave_McCauley_3Feb 25, 2019Cirrostratus
Add the duo js script to the of your new custom logon.inc page. I think you overwrote the php include statement for the header.inc which has the script in it so it's not even loading the header.inc or footer.inc anymore. They're not hardcoded into APM to load them, they're all loaded from the different "inc" pages.
Let me know if that makes sense.
Regarding another branch, that won't change anything because the HTML that is sent is static. You could add another logon page with duo on it using the original logon.inc and it might render it and work, but that defeats the purpose of your customizations. I recall trying to get duo working with the standard radius VPE entry in the BIG-IP years ago and I don't think push works in that case.
- Allwyn_MascarenFeb 25, 2019Cirrus
I forgot to mention in my previous comment but I tried adding the script to the logon page itself but it did not work ..!
When I do a find for frame in the new logon page I don’t see the same code which the default logon page has, that’s related I feel.
- Allwyn_MascarenFeb 26, 2019Cirrus
This is the code for calling header.inc and I see it in both the default and the customized logon.inc pages.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com