Forum Discussion

prole92_221949's avatar
prole92_221949
Icon for Cirrus rankCirrus
Sep 23, 2015

iControl REST Remote Authentication BIG-IP v12

I realize that there is already a question about this.

 

Supposedly the issue where the user is not able to use iControl REST API using remote authentication was fixed in BIG-IP v12. I have tried to configure remote authentication using the following article Configuring Remote User Authentication and Authorization and have tried to make REST API calls using this article.

 

The following sentence was confusing for me: "If you are using an external authentication provider, get the login reference from your system administrator.".

 

I'm not sure where can I get the login reference. When I try to create an authentication token without login reference it works but when I try to use the token from the response I get a 401 response.

 

Can anyone confirm that the issue was fixed in v12 and has anyone tried using remote authentication with iControl REST API? If so, do you have any tips regarding the configuration and how to use it?

 

Thank you

 

devops
iControl
iControlREST
  • dlux_204209's avatar
    dlux_204209
    Icon for Nimbostratus rankNimbostratus
    Oct 23, 2015
    I'm running in to the same problem. Both the BIG IQ REST API Reference and iControl REST User Guide say to get the login reference from your system administrator. As a system administrator, I have no idea where to find this for our AD auth provider.
  • Stefan_Dorobek_'s avatar
    Stefan_Dorobek_
    Icon for Nimbostratus rankNimbostratus
    Oct 28, 2015

    Hey everyone,

     

    If someone facing this problems, there is an workaround in version 12.

     

    You need to create the User first local on the device, after that you can use that user to make REST call's just with basic auth. So you need no Post to the login or/and an login reference.

     

    There is a dokumentation with authentication token, but I don't managed to get this to work on an bigip (https://devcentral.f5.com/wiki/icontrol.authentication_with_the_f5_rest_api.ashx) maybe it's only for bigiq.

     

    Regards Stefan

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Nov 06, 2015
    I'm running this down internally. I set up a tacacs+ server on a VM with BIG-IP running in another and I can properly log in with authentication and roles assigned properly by tacacs+, but only by logging in directly to the GUI/CLI. No dice from iControl REST. I'll keep you posted.
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Nov 06, 2015

    Ok, confirmed working on my test setup with tacacs+, no local accounts other than root/admin defined:

    URL: https://172.16.44.15/mgmt/shared/authn/login 
Method: POST
Headers: Content-Type: application/json
Payload: {
    "username": "remote_user_name", 
    "password": "remote_user_password", 
    "loginProviderName": "tmos"
    }

    This will result in this response:

    {
username: "user_mgr"
loginReference: {
link: "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/login"
}-
loginProviderName: "tmos"
token: {
uuid: "28caadf8-1e03-4d6c-b978-243bbd32bf7b"
name: "29D5E8D5BAB32571805899BE18ED3E09DD1C59C55AC6479180EE3D6048F046B259DADA171F05ACD6BF035BBA3EC71A668692302277BB1035F127126965ADF3EB"
token: "29D5E8D5BAB32571805899BE18ED3E09DD1C59C55AC6479180EE3D6048F046B259DADA171F05ACD6BF035BBA3EC71A668692302277BB1035F127126965ADF3EB"
userName: "user_mgr"
user: {
link: "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/ec48bc68-323a-4fb9-80f3-e615611e091c"
}-
groupReferences: [1]
0:  {
link: "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/user-groups/1d0258c2-440a-3d19-a716-292b231e3190"
}-
-
timeout: 1200
startTime: "2015-11-06T12:17:24.168-0800"
address: "172.16.44.1"
partition: "[All]"
generation: 1
lastUpdateMicros: 1446841044168382
expirationMicros: 1446842244168000
kind: "shared:authz:tokens:authtokenitemstate"
selfLink: "https://localhost/mgmt/shared/authz/tokens/28caadf8-1e03-4d6c-b978-243bbd32bf7b"
}-
generation: 0
lastUpdateMicros: 0
}

    Then, use the token as the value in X-F5-Auth-Token to make a request:

    URL: https://172.16.44.15/mgmt/tm/ltm/pool?$select=name
Method: GET
Headers: X-F5-Auth-Token: 29D5E8D5BAB32571805899BE18ED3E09DD1C59C55AC6479180EE3D6048F046B259DADA171F05ACD6BF035BBA3EC71A668692302277BB1035F127126965ADF3EB
Payload:

    This results in a successful query with token instead of b64 encoded basic auth header:

    {
kind: "tm:ltm:pool:poolcollectionstate"
selfLink: "https://localhost/mgmt/tm/ltm/pool?$select=name&ver=12.0.0"
items: [4]
0:  {
name: "REST_for_the_weary_pool"
}-
1:  {
name: "mypool"
}-
2:  {
name: "newpool"
}-
3:  {
name: "newpool2"
}-
-
}