Forum Discussion

Eric_Kolb_27656
Apr 04, 2012

APM: Protecting an HTTP AAA with SSL

We've got an HTTP\Basic AAA server and I'm having some trouble getting it off the ground in an access profile. Since the APM doesn't support setting up that AAA server pointed at an HTTPS source, we need to set up a layered virtual server, but the particulars of it are eluding me.

What we've got set up right now is a standard virtual server on port 80 on the same IP as the 443 service. The 80 service is not assigned a pool. We've attached an iRule to redirect connections to the HTTPS version, but that causes a problem with the access profile.

When the user submits any credentials at all, the web page serving as the AAA returns a 302 over port 80. Since it's an HTTP\Basic and the response isn't a 401, the APM interprets this as a successful attempt. I've tried changing it from an HTTP\Basic page to one responding to POST data. When the AAA is pointed directly at it, it works fine. When it's being redirected through an iRule, it does not respond appropriately to 301, 302, or 307 status codes. When the target URI is a POST site, it doesn't seem to repost the form to the location specified in the status code. This is true whether the target URI is HTTP or HTTPS.

Am I missing something here? Is the HTTP AAA support just broken? Otherwise, how do we configure the virtual server on port 80 so we can get the benefit of HTTPS?
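Added illustration (not from this thread, F5, or the sol11761 article): a Python stub that plays the AAA endpoint two ways, a proper HTTP Basic page and the port-80 listener whose iRule answers everything with a 302, and runs the "anything but 401 is success" rule the post describes beside a strict one. The hostname, credential and paths are constructed.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

VALID = base64.b64encode(b"alice:correct-horse").decode()  # constructed test credential
class StubAaaPage(BaseHTTPRequestHandler):
    """Stand-in AAA endpoint: a proper Basic page, or (server.redirect) a 302-to-HTTPS listener."""
    def do_GET(self):
        if self.server.redirect:
            self.send_response(302)
            self.send_header("Location", "https://aaa.example.test" + self.path)  # constructed host
        elif self.headers.get("Authorization") == f"Basic {VALID}":
            self.send_response(200)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="aaa"')
        self.end_headers()
    log_message = lambda self, *args: None  # keep the run quiet

def probe(url, username, password):
    """One Basic-auth GET that does not follow redirects; returns the HTTP status code."""
    p = urlsplit(url)
    conn = http.client.HTTPConnection(p.hostname, p.port)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    conn.request("GET", p.path or "/", headers={"Authorization": f"Basic {token}"})
    status = conn.getresponse().status
    conn.close()
    return status

def naive_verdict(status):
    """The rule the post describes: anything other than a 401 is treated as a successful login."""
    return "failure" if status == 401 else "success"
def strict_verdict(status):
    """Only 2xx is success and only 401 is failure; a redirect or error means misconfiguration."""
    if 200 <= status < 300:
        return "success"
    return "failure" if status == 401 else "error"

def run_against(redirect, username, password):
    """Start a throwaway local stub, probe it once, and return (status, naive, strict)."""
    srv = HTTPServer(("127.0.0.1", 0), StubAaaPage)
    srv.redirect = redirect  # instance attribute read by the handler
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    status = probe(f"http://127.0.0.1:{srv.server_port}/auth", username, password)
    srv.shutdown()
    srv.server_close()
    return status, naive_verdict(status), strict_verdict(status)
```

With wrong credentials the redirecting listener yields (302, "success", "error"): the naive rule logs the user in, the strict rule flags the endpoint as unusable for a Basic auth agent.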
  • To keep this fresh and provide further explanation, this is in response to this error message when trying to configure an HTTP AAA server for start URI or form action of https://yourdomain.com:

    01071346:3: In AAA HTTP server ([REDACTED]), Using Http auth agent against SSL backend is not allowed, please, create a layered virtual server with serverssl profile

    This is in BIG-IP 11.1.0.
  • After plenty of digging, I found this article: http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11761. This has helped out a good deal. We've got things working as expected for the individual web servers where the AAA service resides.

    Now having some trouble with the virtual server that we intend to use for load balancing, but that may be a separate issue. We have a couple of other engineers in house who have been working with the LTM longer than we've had the APM, so I'll work with them on this subsequent issue when they're back in the building and follow up.
  • Continuing to work with our configuration, we've found that it works when we set up our AAA entry in the APM to point to the layered VS I mentioned before. The access policy works as expected, but when we listened across the wire, we could see the credentials being passed in clear text. How can we protect this data on the wire?