Forum Discussion
mraful_64014 (Nimbostratus)
Aug 29, 2011
AUTH::response_data
I have an SSL cert and am using CRLDP on an LDAP server to accept/reject the cert based on revocation. However, I cannot grab the AUTH::response_data. Below is the iRule:
when CLIENT_ACCEPTED {
    # Per-connection state: PAM session id and whether the handshake has completed.
    set tmm_auth_ssl_crldp_sid 0
    set tmm_auth_ssl_crldp_done 0
}
when CLIENTSSL_CLIENTCERT {
    set tmm_auth_ssl_crldp_done 0
    if {$tmm_auth_ssl_crldp_sid == 0} {
        # Start a PAM session against the default_ssl_crldp auth profile.
        set tmm_auth_ssl_crldp_sid [AUTH::start pam default_ssl_crldp]
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_ssl_crldp_sid
            log local0. "Subscribing $tmm_auth_subscription"
        }
    }
    # Hand the client cert and its issuer to the session, then kick off the CRLDP check.
    # Each AUTH:: command is its own Tcl command and must sit on its own line.
    AUTH::cert_credential $tmm_auth_ssl_crldp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_crldp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_crldp_sid
    set tmm_auth_subscription [AUTH::subscribe $tmm_auth_ssl_crldp_sid]
    # No leading $ here: "$Authenticating" would be parsed as a variable reference.
    log local0. "Authenticating cert with crldp ID: $tmm_auth_ssl_crldp_sid"
    log local0. "$tmm_auth_subscription"
    # Hold the handshake until AUTH_RESULT decides to resume or reject.
    SSL::handshake hold
}
when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_crldp_done 1
}
when AUTH_RESULT {
    # Only act on results for the session this connection started.
    if {[info exists tmm_auth_ssl_crldp_sid] and \
        ($tmm_auth_ssl_crldp_sid == [AUTH::last_event_session_id])} {
        log local0. "$tmm_auth_ssl_crldp_sid"
        array set auth_response_data [AUTH::response_data]
        log local0. "Array auth_data has [array size auth_response_data] elements."
        foreach value [array names auth_response_data] {
            log local0. "$value"
        }
        set tmm_auth_status [AUTH::status]
        if {$tmm_auth_status == 0} {
            log local0. "Authorization success!"
            set tmm_auth_ssl_crldp_done 1
            SSL::handshake resume
        } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_crldp_done == 0} {
            # log and reject are separate commands; on one line reject would become an argument of log.
            log local0. "Authorization failure."
            reject
        }
    }
}
Thanks,
Mitch
- hooleylist (Cirrostratus): Hi Mitch,
- mraful_64014 (Nimbostratus): Thanks for the response, hoolio. Nothing gets returned from AUTH::response. However, I can get an AUTH::status returned. I am testing against BIG-IP 10.1.0 Build 3341.0 Final. I saw some other posts that claimed AUTH::response_data has been broken since 10.0. I don't know if that is true.
- hooleylist (Cirrostratus): I don't think AUTH::response_data is expected to return anything if the authentication attempt fails. Are you seeing it return nothing when auth succeeds?
- mraful_64014 (Nimbostratus): Yes. AUTH::success returns 0 when it is successful and returns 1 when unsuccessful.
- mraful_64014 (Nimbostratus): BTW, does anyone know what the Cache Timeout entry in the Authentication configuration object is for when using CRLDP? It's not in the manual or help.
- mraful_64014 (Nimbostratus): It appears that default_ssl_crldp does not return anything via AUTH::response, as cc_ssl_ldap does. However, since AUTH::success is returned, where does this show up in the PAM audit log?
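An added example, not from the original post or from F5's own iRule templates, of an AUTH_RESULT handler that treats an empty AUTH::response_data as the normal case for default_ssl_crldp (as reported later in this thread) and only walks the name/value pairs when the auth module actually returns some. It assumes the same tmm_auth_ssl_crldp_sid and tmm_auth_ssl_crldp_done variables as the iRule above, assumes AUTH::response_data returns a flat name/value list (the thread's own array set usage relies on that), and makes one stricter choice than the iRule above: any status other than 0 closes the connection, including the status -1 case that the original leaves alone once the handshake has already completed. The log prefix and the odd-length-list guard are additions for illustration.

```tcl
when AUTH_RESULT {
    # Only act on the result for the CRLDP session this connection started.
    if {![info exists tmm_auth_ssl_crldp_sid] ||
        $tmm_auth_ssl_crldp_sid != [AUTH::last_event_session_id]} {
        return
    }

    set tmm_auth_status [AUTH::status]
    set resp [AUTH::response_data]
    log local0. "crldp sid=$tmm_auth_ssl_crldp_sid status=$tmm_auth_status response_len=[llength $resp]"

    # default_ssl_crldp returns no response data, so guard before array set:
    # array set on an empty list is harmless, but on an odd-length list it throws
    # and the event aborts with the handshake still held.
    if {[llength $resp] > 0 && [llength $resp] % 2 == 0} {
        array set auth_response_data $resp
        foreach name [lsort [array names auth_response_data]] {
            log local0. "crldp response: $name = $auth_response_data($name)"
        }
    } elseif {[llength $resp] > 0} {
        log local0. "crldp response data is not name/value pairs: $resp"
    }

    if {$tmm_auth_status == 0} {
        # Certificate passed the revocation check: let the held handshake continue.
        set tmm_auth_ssl_crldp_done 1
        SSL::handshake resume
    } else {
        # Fail closed (assumption for this example, stricter than the iRule above):
        # revoked cert, unreachable CRL distribution point or any other non-success
        # status closes the connection instead of letting the handshake complete.
        log local0. "crldp check failed for [IP::client_addr], status=$tmm_auth_status"
        reject
    }
}
```

Because the handshake is held in CLIENTSSL_CLIENTCERT, every path out of this event must either resume or reject; an exception thrown by array set on malformed data would otherwise leave the client hanging until the TCP idle timeout, which is why the list-shape check runs before the status decision rather than after it.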