Forum Discussion
APM: Issue with RSA Authentication
I have a question on the published APM documentation for RSA. We follow the standard setup described below for integrating RSA and AD authentication. https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-2/6.html
The APM schema works well except for the situation when the user makes an AD password error.
If the AD block allows more than 1 password attempt and the user enters the AD password incorrectly the very first time, the user will not be able to log on until the maximum number of password attempts is reached, even with a good RSA passcode and a good AD password.
The logon page contains 3 fields: username, AD password and RSA passcode.
The very first time the "Variable Assign" block ensures that the AD password field content is correctly assigned to session.logon.last.password.
However, once the user has entered an incorrect AD password, this assignment block does not work anymore. The user is presented with the same logon page with the same 3 fields.
The second time the AD password must be entered in the field of RSA passcode in order to get successful AD authentication. The original AD field which is intended for AD password can be left completely empty.
Has anyone encountered the same issue?
A temporary workaround applied is to lower AD password count to 1, which effectively ends the authentication flow without looping within the AD block.
- Stanislas_Piro2
Hi,
This is the default behavior.
When authentication fails and the user is prompted to authenticate again, all box results and branches between the logon page and the authentication box are cached and not evaluated anymore.
If you want to support both AD auth and RSA Auth on the same logon page, you must create a macro with "loop count" set to 3 (the number of loops before the connection is rejected) and set the AD auth max attempts to 1:
- if RSA Auth fails --> ending loop
- if AD Auth fails --> ending loop
- if both RSA and AD Auth succeed --> ending success

Rename ending out to deny.
When you create the macro, the success ending is created; the loop ending is created when you set loop count to 3 in the macro properties.
Then, when you insert the macro in the VPE tree, the loop branch must lead to ending deny.