Google Authenticator on APM
Dear all,
I'm trying to deploy two factor authentication to protect my application with Active Directory and Google Authenticator. I have now configured LTM and APM as described here https://f5-agility-labs-iam.readthedocs.io/en/latest/class9/module5/lab1.html and it's working fine. I'd like to add the possibility to record the secret (QR Code) in the datagroup when it is created by the user, so he should not redo the entire process next time. Is there a way to do that? After that my challenge is to obtain something like the one shown in this video https://www.youtube.com/watch?v=mFmx4TDWyD0 (without Yubikey OTP method), but some information is missing for me:
- How to check if the user has checked the enroll checkbox, so he wants to generate a code?
- How to get the QR Code image inside the logon page as shown in the video?
Thank you in advance
Luca
- JRahm
Admin
Hi Luca, some of what you need may be in this article, though it appears we have some work to do to clean this article up. Let me know if anything is helpful, and I'll add this article to the queue to update.
https://devcentral.f5.com/s/articles/two-factor-authentication-with-google-authenticator-and-apm
- Luca_Comes
Cirrus
Hi Jason,
Thank you for your answer. I've read that article; it was the starting point of my research. At the moment two factor authentication is working fine and I also solved point 1 of my question. Now I'd like to add some features. I need to understand how to insert the generated QR Code image inside the dedicated logon page where the user puts the numeric token from the app. Is there a way to do that?
After that I want to update my datagroup when the user has enrolled and generated the code, so next time they connect they don't have to pass through the entire procedure again. I've searched on devcentral but it seems that it is not possible to modify a datagroup from an iRule, is that right? Does an alternative way exist to accomplish this on APM?
Thank you
Luca
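For readers following the thread who want to see what the "QR Code" actually carries and what the numeric token is checked against: the QR code Google Authenticator scans is just an `otpauth://totp/...` URI containing the base32 secret, and the token is a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits). The block below is an added, stand-alone Python example written for this page; it is not code from the thread, from the F5 lab guide or from APM. The account name, issuer and the drift window of one step are assumptions chosen for illustration; the verification uses the secret from RFC 6238's test vectors so the results can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Secret from the RFC 6238 test vectors ("12345678901234567890" in ASCII),
# constructed here so the example has known-good expected codes.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_base32_secret(nbytes: int = 20) -> str:
    """Fresh 160-bit secret, base32 without '=' padding as Google Authenticator expects."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth URI that a QR code for an authenticator app encodes.

    The QR image shown on an enrolment page is this string rendered as a QR code;
    after enrolment only the server needs the secret, not the URI or the image.
    """
    label = quote(f"{issuer}:{account}", safe="")
    return (
        f"otpauth://totp/{label}?secret={secret_b32}"
        f"&issuer={quote(issuer, safe='')}&algorithm=SHA1&digits=6&period=30"
    )


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, at // period, digits)


def verify_totp(secret_b32: str, code: str, at: int, last_used_step=None,
                window: int = 1, period: int = 30):
    """Check a submitted 6-digit code against the current step and +/- `window` steps.

    Returns (ok, step). A step at or before `last_used_step` is never accepted again,
    so a captured code cannot be replayed within its validity window; the caller
    should persist the returned step per user after a successful check.
    """
    if not (code.isdigit() and len(code) == 6):
        return False, None
    current = at // period
    for step in range(current - window, current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue  # already consumed: reject replay
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret_b32, step), code):
            return True, step
    return False, None


if __name__ == "__main__":
    secret = new_base32_secret()
    print(provisioning_uri(secret, "luca@example.test", "APM-Demo"))  # hypothetical account/issuer
    print(totp(RFC6238_SECRET_B32, 59))  # RFC 6238 vector at T=59: 287082
```

The design point worth taking from this in the context of the thread: the secret is the only thing that must be stored per user, and whatever store is chosen (datagroup, AD attribute or an external database) should be treated like a password hash store, with the secret never re-displayed after the initial enrolment and the last accepted time step recorded alongside it.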
- Luca_Comes
Cirrus
Hi all,
I've worked hard today and now I can get almost all my requirements working properly. At the moment I miss only writing the secrets to the datagroup; if someone can help me understand how to do that, it would be appreciated.
Luca
- JRahm
Admin
There is not a path to do this in a "supported" way, as there are dangers in passing data from the data plane to the control plane that should be very carefully considered and any attempt very carefully coded and reviewed before doing so. Disclaimers aside, it IS possible. You can pass limited data via iStats and use an iCall script to pick it up and make updates (better) or you can go way out to left field and do something like this (DANGER!! but if you must...part 1 and part 2).
- Luca_Comes
Cirrus
Hi Jason,
thank you, I'd also prefer to avoid this, and my idea is to store the secret inside an AD attribute. I think writing to LDAP is simpler than doing the same on a datagroup. Is it possible from an APM iRule or something like this?
Thanks
Luca
- JRahm
Admin
I'm not sure that's a safe path to walk down. You could potentially update AD attributes via an iRules sideband call to an AD API, but the same cautions would apply. If it only needed to be semi-permanent to reduce the frequency, you could store the code in table memory, which can be persistent until reboot, and *could* be queried by an external script to pull the data and update it into your AD attributes.
- Luca_Comes
Cirrus
Thank you Jason, I was thinking about doing it via iRules LX, but I could also try your suggestion, even if I'd prefer not to impact BigIP stability and performance.
Luca