winddlover_9858
Oct 12, 2009

Firepass logon prompt customization

Hi All,

I am trying to customize the FirePass logon page via WebDAV. I don't want to use index.html as it will break the pre-logon check. What I am doing is editing the .inc file, putting the required information in it and uploading it to the sandbox folder on FirePass.

It is all working well. The only issue is that I want to customize the logon box, including adjusting the font size and putting a frame outside it to make it a bit nicer.

However, there seems to be no option to do it by changing the .inc file. Could someone advise me if there is another way to do this rather than editing index.htm?

  • Jared_Townsley_
    Historic F5 Account
    External logon pages can be used in conjunction with pre-logon sequences.

    Replacing the index.htm file, however, is not compatible with pre-logon sequences.
  • Posted By Jared Townsley on 10/30/2009 11:03 AM

    External logon pages can be used in conjunction with pre-logon sequences.

    Replacing the index.htm file, however, is not compatible with pre-logon sequences.

    How does one do this? The F5 tier 2 guys must not know how lol
  • Jared_Townsley_
    Historic F5 Account
    A pre-logon sequence can contain an "External Logon Page" ending (instead of "Logon Page") that redirects users to an external server with two HTTP POST variables. The two variables are "client_data" and "post_url". The client_data contains encoded results of the pre-logon inspection. The post_url contains the URL that the external logon page must use to POST back to FirePass.

    In order to use this feature, the external page must do an HTTP POST to FirePass containing client_data, username, password, tzoffsetmin=1, and mrhlogonform=1. As a security precaution, the value of client_data can only be submitted to FirePass once. It is also recommended to check the contents of post_url to make sure you are posting back to a legitimate FirePass.

    Here is an example of an External Logon Page written in PHP and HTML:
     
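        <?php
        // values POSTed by the pre-logon sequence
        $post_url    = $_POST["post_url"] ?? "";
        $client_data = $_POST["client_data"] ?? "";
        // verify post_url is valid
        if (!preg_match("/^(http[s]?:\/\/)([^\/\<\>]+)\/([^\<\>]*)$/i", $post_url, $host)) {
          echo(htmlentities($post_url)." is not a valid URL");
          exit;
        }
        // only POST to our firepass
        if ($host[2] != "10.10.190.10") {
          echo(htmlentities($host[2]). " is not an authorized FirePass host.");
          exit;
        }
        ?>
        <html>
        <head></head>
        <body>
        <!-- POST back to FirePass with the fields listed above -->
        <form action="<?php echo htmlentities($post_url); ?>" method="post">
          <input type="hidden" name="client_data" value="<?php echo htmlentities($client_data); ?>">
          <input type="hidden" name="tzoffsetmin" value="1">
          <input type="hidden" name="mrhlogonform" value="1">
          Username: <input type="text" name="username">
          <br>
          Password: <input type="password" name="password">
          <br>
          <input type="submit" value="Logon">
        </form>
        </body>
        </html>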
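
Added example (not part of the original thread and not F5's code): a stricter form of the post_url check recommended above, using parse_url() instead of a regex so that scheme, userinfo, port and host are each tested. It assumes FirePass is reached over HTTPS on port 443 at 10.10.190.10, the address from the post; validate_post_url(), ALLOWED_FIREPASS_HOSTS and the sample URLs are constructed for illustration.

```php
<?php
// Added example, not from the original post.
// Assumption: FirePass is reached over HTTPS on port 443 at this address
// (the address is the one used in the post above).
const ALLOWED_FIREPASS_HOSTS = ['10.10.190.10'];

// Returns the normalized host when $postUrl targets an allowed FirePass,
// or null when the URL must be rejected. Hypothetical helper name.
function validate_post_url(string $postUrl, array $allowedHosts): ?string
{
    $parts = parse_url($postUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // malformed or relative URL
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null; // username and password must not be posted over plain HTTP
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // userinfo can make "allowed-host@other-host" look legitimate
    }
    if (isset($parts['port']) && $parts['port'] !== 443) {
        return null; // unexpected port
    }
    // Exact, case-insensitive match: no prefix, suffix or substring tests.
    $host = strtolower($parts['host']);
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Constructed sample values (not captured traffic); paths are placeholders.
$samples = [
    'https://10.10.190.10/placeholder/path',
    'http://10.10.190.10/placeholder/path',
    'https://10.10.190.10@other.example/placeholder',
    'https://10.10.190.10.other.example/placeholder',
    'https://10.10.190.10:8443/placeholder',
    '/placeholder/path',
];
foreach ($samples as $url) {
    $verdict = validate_post_url($url, ALLOWED_FIREPASS_HOSTS) !== null ? 'accept' : 'reject';
    printf("%-50s %s\n", $url, $verdict);
}
```

Only the first sample is accepted. On a null result the page should stop without rendering the logon form, as the original example does with exit.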