Forum Discussion
iControl Rest and Remote Authentication
Has anyone been successful in implementing remote authentication and iControl REST? We have a case open with F5 support. Basically the remote authenticated user (in this case an Active Directory account) can't consume any REST APIs without receiving a 401. Support tells us that the REST API won't work with remote authentication -- seems counterproductive to me.
Any thoughts?
9 Replies
- There are a few instances we've found with the F5s where, if you have remote authentication enabled, some things won't accept it. I've just done testing with TACACS auth and we have the same issue. I'd say it has something to do with the fact that the REST API seems to function independently of the configuration utility, and in earlier versions of TMOS it was its own service (haven't looked at it in 11.5). I'd say you may have to log a feature request, or try to find out if you can set anything in config files for the REST API. The other option is to do what we did and just create a webpage that gathers all the information and presents it to the user (admittedly it's only VS/Pool info and read-only access). Cheers
- BinaryCanary_19
Historic F5 Account
Remotely authenticated users cannot use iControl REST currently. There are plans to implement this in upcoming versions (ID 471136). You can raise a support case and ask for your organisation to be attached to the list of people who desire this (bigger list generally means higher priority).
- Stefan_Dorobek_
Nimbostratus
Hey everyone,
If someone is facing this problem, there is a workaround in version 12.
You need to create the user locally on the device first; after that you can use that user to make REST calls with just basic auth. So you need no POST to the login and/or a login reference.
There is documentation on authentication tokens, but I didn't manage to get this to work on a bigip (https://devcentral.f5.com/wiki/icontrol.authentication_with_the_f5_rest_api.ashx); maybe it's only for bigiq.
Regards Stefan
- BinaryCanary_19
Historic F5 Account
I think you misunderstood the question. The question was whether or not BigIP admin users who are authenticated via an external source (such as Radius, LDAP etc) can also authenticate to the iControl REST API. This was not possible in the past, but is supported by default in Version 12.0 today.
- Stefan_Dorobek_
Nimbostratus
I also thought that this should work with version 12 "out-of-the-box", but my testing showed something else. The workaround I found was to create the user locally (the password is still managed by Radius or LDAP), and then the REST API worked. Due to the fact that I use a technical user for the scripts, this works fine for me. Regards
- BinaryCanary_19
Historic F5 Account
This should work in Version 12.0 and later.
However, I just did a quick test using LDAP auth, and I'm getting an "Authentication Required" response consistently, even though I think my username/pass are correct, so perhaps more testing is required.
- markus_hanslin1
Nimbostratus
I'm running 12.1.2. Local authentication with the iControl REST API works fine for me, but with remote ldap:389 against the AD it does not. I get a 401. I can properly log in with remote authentication via the GUI.
- Chris_FP
Cirrus
I have just had 2 customers with the same issue and they're not happy about it. Do we know when this functionality will be available?
- Henry_Camacho_4
Nimbostratus
I am having this problem also. I am able to use the remote login endpoint to get a token as discussed in the documentation; however, when I use that token to pull a list of VIPs I get a 401.
Local user works fine.
It looks like this issue dates back to 2015, am I missing something?
HFC