Forum Discussion
Getting basic auth prompt before apm logon page event
Hi
I've set up a basic login policy.
Check if client subnet is RFC1918; if yes, do NTLM auth, if not, go to logon page and do MFA login.
But... when I access the VIP externally I get a basic auth login prompt before the logon page, any tips on where to look?
/Kim
Hi Kim
First guess - is there an upstream device that might do a NAT so the BIG-IP doesn't see the real client IP address?
There is an old question here that offers a solution with an iRule and XFF headers:
F5 APM - How to do IP Subnet match for IPs in header
KR
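If the BIG-IP really does sit behind a NAT device, the XFF approach referred to above can be folded into the ECA rule. This is an added example, not code from the thread or from F5; it assumes a hypothetical upstream proxy address 203.0.113.10 and reuses the select_ntlm:/Common/ntlm_config name from the thread. It only honours X-Forwarded-For when the TCP peer is that proxy, and then takes the rightmost entry (the one the proxy appended), because the header is otherwise client-supplied and an external client could claim an RFC1918 address to skip the MFA branch.

```tcl
when HTTP_REQUEST {
    # Hypothetical address of the upstream NAT/proxy that rewrites the source IP.
    set trusted_proxy "203.0.113.10"
    set client [IP::client_addr]

    # Only believe X-Forwarded-For when the TCP peer is the trusted proxy.
    # Use the rightmost entry: that is the one appended by the proxy itself;
    # any entries to its left may have been sent by the client.
    if { [IP::addr $client equals $trusted_proxy] && [HTTP::header exists X-Forwarded-For] } {
        set client [string trim [lindex [split [HTTP::header X-Forwarded-For] ","] end]]
    }

    # Classify the (possibly header-derived) address; a malformed value is
    # treated as external rather than raising a Tcl error mid-request.
    set internal 0
    foreach net { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 } {
        if { [catch { IP::addr $client equals $net } match] } { set match 0 }
        if { $match } { set internal 1 ; break }
    }

    if { !$internal } {
        # External client: no NTLM, fall through to the APM logon page and MFA
        ECA::disable
        log local0. "ECA disabled for external client $client"
    } elseif { [ACCESS::session data get session.ntlm.last.result] eq 1 } {
        # NTLM already succeeded for this session
        ECA::disable
    } else {
        ECA::enable
        ECA::select select_ntlm:/Common/ntlm_config
        log local0. "ECA enabled for internal client $client"
    }
}
```

The log lines write to /var/log/ltm and are the quickest way to confirm which branch an external request actually takes.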
- kimhenriksen (Cirrostratus)
Did a tcpdump and I see the public IP. And I have an HTTP XFF profile added.
But I am guessing that the ECA profile applied to the VIP, which I guess will be run first... I'll try and add a public IP check in the iRule before ECA enable.
Did you actually check the APM Access Reports for this? This should, given the right log settings are applied, already give you a clue why you get a basic auth prompt instead of the MFA login.
- kimhenriksen (Cirrostratus)
I've just checked the default log. But I am applying a new ECA iRule, which disables ECA for RFC1918.
As I haven't seen anything in the standard reports, I guess this happens before APM kicks in.
Can you share the config / iRule(s) you are using?
Usually, when something seems off with iRules, I try to add logging and take a look at this reference:
It shows iRules HTTP and ACCESS event order.
- kimhenriksen (Cirrostratus)
when HTTP_REQUEST {
    # Skip NTLM (ECA) once this session has already passed it
    if { [ACCESS::session data get session.ntlm.last.result] eq 1 } {
        ECA::disable
    } else {
        ECA::enable
        ECA::select select_ntlm:/Common/ntlm_config
    }
}
This is the one used now, but I want to try and change it to this instead.
when HTTP_REQUEST {
    # Tcl ends the "if" command at the newline, so "elseif"/"else" must stay on the
    # same line as the closing brace or the iRule will not load.
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] or [IP::addr [IP::client_addr] equals 192.168.0.0/16] or [IP::addr [IP::client_addr] equals 172.16.0.0/12] } {
        # RFC1918 client
        ECA::disable
    } elseif { [ACCESS::session data get session.ntlm.last.result] eq 1 } {
        # NTLM already completed for this session
        ECA::disable
    } else {
        ECA::enable
        ECA::select select_ntlm:/Common/ntlm_config
    }
}
- kimhenriksen (Cirrostratus)
A quick update.
Latest rule is not correct, pasted the wrong one from the clipboard.
Here is the latest.
when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals "10.0.0.0/8"] or [IP::addr [IP::client_addr] equals "192.168.0.0/16"] or [IP::addr [IP::client_addr] equals "172.16.0.0/12"] } {
        # RFC1918 client: use NTLM unless this session already passed it
        if { [ACCESS::session data get session.ntlm.last.result] eq 1 } {
            ECA::disable
        } else {
            ECA::enable
            ECA::select select_ntlm:/Common/ntlm_profile
            #log local0. "eca enabled"
        }
    } else {
        # Non-RFC1918 client: no NTLM, go to the logon page and MFA
        ECA::disable
        #log local0. "RFC1918 ECA disable"
    }
}