Google Authenticator implementation
Hello,
we want to configure MFA/2FA using Google Authenticator (or at least the underlying time-based one-time password (TOTP) solution).
We found several articles and guides here on DevCentral, but as some of them are quite a few years old and the referenced links also seem to no longer be working, I have some questions:
- Is it really necessary to have the APM-module activated for this? Because based on one of the initial articles, it seems to be possible just with the LTM authentication profile? But when checking the options, I don't have the mentioned "LDAP"-type available. I see only "SSL client certificate LDAP" (and two others).
- What are pros and cons of an implementation with/without APM-module?
- Based on the preferred solution is there any current/up-to-date configuration guide available, how to configure this?
Thank you!
Ciao Stefan :)
- Stefan_KlotzCumulonimbus
Ok, I got at least the APM-solution to work. And I want to share with you the combined iRule based on:
- Google Authenticator Token Verification iRule For APM
- Google Authenticator Verification iRule (TMOS v11.1+ optimized)
Maybe this is helpful for someone out there.
I did some testing and it looks fine so far, but maybe the experts can have a look at it as well. I tested this with version 13.0.0.
But besides this, I would still be interested in the options to get this working even without APM at all. Is this still possible via an Authentication profile, or are these features no longer available in the latest TMOS versions?
Special thanks here to George Watkins and Kai Wilke for the good work!!!
Ciao Stefan :)
- Denis_FigeysNimbostratus
Stefan,
Many thanks for updating and optimizing the code, as I am looking at implementing such a solution.
Unfortunately, there is one important missing part in all the documentation I have read so far: how to automate user registration. I have over 500 users; it is not possible and not sustainable to manually add them in the local datagroup. Provisioning should be self-service.
Does anyone have a solution for implementing auto-provisioning of users and passcodes, or did you all use the same passcode for all users?
Thanks!!
Hi Denis,
I've implemented auto-enrollment with Google Authenticator using this code from Cody Green. It lacks good documentation, but it works.
https://github.com/codygreen/F5-MFA
Kind regards,
--Niels
- Denis_FigeysNimbostratus
Thanks Niels... looks a bit like hacking the system. I wish F5 would have provided us a better, standard way of achieving this.
Regards, Denis.
- Stefan_KlotzCumulonimbus
Hi Denis,
It's been quite some months ago and I currently can't remember exactly, but I think I used the code provided by Niels above as well.
In general our logic now works as follows:
- User gets APM Login-Page displayed, where normal AD-credentials need to be entered
- Credentials will be checked via AAA-profile
- If successful a newly created AD-attribute for the shared secret will be checked
- If available, the OTP will be created via iRule and requested in parallel from the user on a second APM-page -> if both are identical access is granted
- If not available, APM via iRule/iRuleLX will create a new shared secret for that user and display the result on a second APM page -> once the user confirms that he has activated this key in his mobile app, APM will update AD and save the shared key for that user -> additionally the OTP will be created and requested from the user as mentioned above
So each user has to initialize his own OTP-app the first time he uses a MFA-protected VS. APM will manage all the users automatically via AD-Attribute.
Hope that helps a little bit more.
Ciao Stefan :)
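For readers who want to see what the iRule logic in the original post and the enrollment flow above actually compute, here is an added Python example (not code from the thread, from F5, or from the linked GitHub repository). It implements the TOTP algorithm Google Authenticator uses (RFC 6238 on top of RFC 4226 HOTP, HMAC-SHA1, 6 digits, 30-second step), generates a fresh base32 shared secret for self-service enrollment, builds the otpauth URI the mobile app scans, and verifies a user-supplied code with a small clock-drift window. The in-memory `USER_SECRETS` dictionary is a stand-in for the AD attribute or local datagroup discussed in the thread; the `RFC_SECRET` value is the public RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Dict, Optional

# Public RFC 4226 / RFC 6238 test secret ("12345678901234567890" in ASCII), base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Stand-in for the AD attribute / datagroup that stores each user's shared secret (constructed).
USER_SECRETS: Dict[str, str] = {}


def generate_shared_secret(num_bytes: int = 20) -> str:
    """Return a fresh, unpadded base32 secret for a new enrollment (160 bits by default)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that Google Authenticator imports via QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{params}"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp // period), digits)


def verify_totp(secret_b32: str, candidate: str, timestamp: Optional[float] = None,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps to tolerate phone clock drift."""
    if timestamp is None:
        timestamp = time.time()
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    counter = int(timestamp // period)
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, counter + drift, digits)
        if hmac.compare_digest(expected, candidate):  # constant-time comparison
            return True
    return False


def enroll_or_verify(user: str, code: Optional[str], timestamp: Optional[float] = None) -> dict:
    """Mirror the thread's flow: no stored secret -> enroll and show the URI; otherwise verify."""
    if user not in USER_SECRETS:
        secret = generate_shared_secret()
        USER_SECRETS[user] = secret  # in APM this is the AD attribute / datagroup write-back
        return {"enrolled": True, "uri": otpauth_uri(secret, user, "ExampleCorp-VPN")}
    ok = verify_totp(USER_SECRETS[user], code or "", timestamp=timestamp)
    return {"enrolled": False, "access_granted": ok}


if __name__ == "__main__":
    first = enroll_or_verify("alice", None)          # first visit: enrollment
    print(first["uri"])
    now = time.time()
    code = totp(USER_SECRETS["alice"], now)           # what the phone would display
    print(enroll_or_verify("alice", code, now))       # second visit: verification
```

Two design points worth carrying into an iRule or iRuleLX implementation: the comparison of the expected and supplied code is constant-time, and the drift window is deliberately small (one step each way) because every extra step widens the guessing surface for a 6-digit code; rate-limiting failed attempts per user remains necessary regardless of the window.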
- Denis_FigeysNimbostratus
Stefan,
Unfortunately, I cannot add or use an attribute in AD for this, hence I need to use the local datagroup.
Regards, Denis.