iControl REST Remote Authentication BIG-IP v12
I realize that there is already a question about this.
Supposedly the issue where the user is not able to use iControl REST API using remote authentication was fixed in BIG-IP v12. I have tried to configure remote authentication using the following article Configuring Remote User Authentication and Authorization and have tried to make REST API calls using this article.
The following sentence was confusing for me: "If you are using an external authentication provider, get the login reference from your system administrator."
I'm not sure where I can get the login reference. When I try to create an authentication token without a login reference it works, but when I try to use the token from the response I get a 401 response.
Can anyone confirm that the issue was fixed in v12 and has anyone tried using remote authentication with iControl REST API? If so, do you have any tips regarding the configuration and how to use it?
Thank you
- dlux_204209Nimbostratus
I'm running into the same problem. Both the BIG IQ REST API Reference and iControl REST User Guide say to get the login reference from your system administrator. As a system administrator, I have no idea where to find this for our AD auth provider.
- Stefan_Dorobek_Nimbostratus
Hey everyone,
If someone is facing this problem, there is a workaround in version 12.
You need to create the user locally on the device first; after that you can use that user to make REST calls with just basic auth. So you don't need a POST to the login and/or a login reference.
There is documentation on authentication tokens, but I didn't manage to get this to work on a BIG-IP (https://devcentral.f5.com/wiki/icontrol.authentication_with_the_f5_rest_api.ashx); maybe it's only for BIG-IQ.
Regards Stefan
- JRahmAdmin
I'm running this down internally. I set up a tacacs+ server on a VM with BIG-IP running in another and I can properly log in with authentication and roles assigned properly by tacacs+, but only by logging in directly to the GUI/CLI. No dice from iControl REST. I'll keep you posted.
- JRahmAdmin
Ok, confirmed working on my test setup with tacacs+, no local accounts other than root/admin defined:
```
URL: https://172.16.44.15/mgmt/shared/authn/login
Method: POST
Headers: Content-Type: application/json
Payload:
{
  "username": "remote_user_name",
  "password": "remote_user_password",
  "loginProviderName": "tmos"
}
```
This will result in this response:
```
{
  "username": "user_mgr",
  "loginReference": {
    "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/login"
  },
  "loginProviderName": "tmos",
  "token": {
    "uuid": "28caadf8-1e03-4d6c-b978-243bbd32bf7b",
    "name": "29D5E8D5BAB32571805899BE18ED3E09DD1C59C55AC6479180EE3D6048F046B259DADA171F05ACD6BF035BBA3EC71A668692302277BB1035F127126965ADF3EB",
    "token": "29D5E8D5BAB32571805899BE18ED3E09DD1C59C55AC6479180EE3D6048F046B259DADA171F05ACD6BF035BBA3EC71A668692302277BB1035F127126965ADF3EB",
    "userName": "user_mgr",
    "user": {
      "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/ec48bc68-323a-4fb9-80f3-e615611e091c"
    },
    "groupReferences": [
      {
        "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/user-groups/1d0258c2-440a-3d19-a716-292b231e3190"
      }
    ],
    "timeout": 1200,
    "startTime": "2015-11-06T12:17:24.168-0800",
    "address": "172.16.44.1",
    "partition": "[All]",
    "generation": 1,
    "lastUpdateMicros": 1446841044168382,
    "expirationMicros": 1446842244168000,
    "kind": "shared:authz:tokens:authtokenitemstate",
    "selfLink": "https://localhost/mgmt/shared/authz/tokens/28caadf8-1e03-4d6c-b978-243bbd32bf7b"
  },
  "generation": 0,
  "lastUpdateMicros": 0
}
```
Then, use the token as the value in X-F5-Auth-Token to make a request:
```
URL: https://172.16.44.15/mgmt/tm/ltm/pool?$select=name
Method: GET
Headers: X-F5-Auth-Token: 29D5E8D5BAB32571805899BE18ED3E09DD1C59C55AC6479180EE3D6048F046B259DADA171F05ACD6BF035BBA3EC71A668692302277BB1035F127126965ADF3EB
Payload:
```
This results in a successful query with token instead of b64 encoded basic auth header:
```
{
  "kind": "tm:ltm:pool:poolcollectionstate",
  "selfLink": "https://localhost/mgmt/tm/ltm/pool?$select=name&ver=12.0.0",
  "items": [
    { "name": "REST_for_the_weary_pool" },
    { "name": "mypool" },
    { "name": "newpool" },
    { "name": "newpool2" }
  ]
}
```
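The two-step flow from the post above (login POST with `loginProviderName`, then `X-F5-Auth-Token` on later calls), as an added Python example that is not part of the thread or F5's code. The function names, the host `bigip.example`, the 30-second expiry margin and the sample response are assumptions constructed for illustration; the endpoint, header and field names come from the post.

```python
import json
import time
import urllib.request

LOGIN_PATH = "/mgmt/shared/authn/login"  # endpoint taken from the post


def build_login(host, username, password, provider="tmos"):
    """Return (url, headers, body) for the login POST shown in the post."""
    body = json.dumps({"username": username, "password": password,
                       "loginProviderName": provider}).encode()
    return f"https://{host}{LOGIN_PATH}", {"Content-Type": "application/json"}, body


def parse_login(raw):
    """Extract the bearer token and its expiry (epoch seconds) from the response."""
    tok = json.loads(raw)["token"]
    return {"token": tok["token"], "expires": tok["expirationMicros"] / 1_000_000}


def auth_headers(state, now=None, skew=30):
    """Headers for later calls; refuse a token that is expired or about to expire."""
    now = time.time() if now is None else now
    if now >= state["expires"] - skew:
        raise PermissionError("token expired; log in again")
    return {"X-F5-Auth-Token": state["token"]}


def https_post(url, headers, body):
    """Real transport (assumption: device certificate validates; urllib verifies TLS)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def login(host, username, password, post=https_post):
    """Log in and return the parsed token state; `post` is injectable for offline use."""
    return parse_login(post(*build_login(host, username, password)))


# Constructed sample response: field names as in the post, placeholder token value.
SAMPLE = json.dumps({"username": "user_mgr", "loginProviderName": "tmos",
                     "token": {"token": "EXAMPLETOKEN0123", "timeout": 1200,
                               "expirationMicros": 1446842244168000}})

if __name__ == "__main__":
    state = login("bigip.example", "remote_user_name", "remote_user_password",
                  post=lambda url, headers, body: SAMPLE.encode())
    print(list(auth_headers(state, now=1446841044.0)))  # header names only
```

The token is a bearer credential for its 1200-second lifetime, so the example prints only the header name and never the value; keep it out of logs and shell history in the same way.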
- Manjunath_Bhat_Historic F5 Account
Not sure whether anyone has seen this - https://devcentral.f5.com/wiki/iControl.Authentication_with_the_F5_REST_API.ashx?lc=1
This is a fairly elaborate piece of documentation on how to obtain the loginReference.
- JRahmAdmin
I wrote this up in article format in Demystifying iControl REST Part 6: Token-based Authentication, with Python examples.