For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Vinne73's avatar
Vinne73
Icon for Cirrus rankCirrus
Jan 24, 2018

LTM 13.x iControlREST with non admin accounts: 401 Authorization failed

Hi,

 

I found info about this problem on previous software releases, and being or not being able to use non admin accounts with iControl. However, I'm running LTM 13.0.0.3.

 

I've created a user account and it has the role "Manager" on a certain partition. This user can log in on the GUI, en do what he needs to do.

 

When I try to access iControl via REST the user/pass is accepted. (if not, you get a different error) Then I get a "code": 401, "message": "Authorization failed: ..." error.

 

The user is in Common, but if I make it in the partition he has rights to, it makes no difference.

 

If I create the user with full admin rights, i can use iControl REST.

 

I'm 100% sure this works on my other Big-IP, release 11.6.2.1. It also worked on 11.6.1.1.

 

Config is identical.

 

So.. is there any way somebody else has gotten this to work? A non admin user that can access iControlREST on 13.x?

 

Thanks in advance Vincent

 

iControlREST
security

1 Reply

  • Satoshi_Toyosa1's avatar
    Satoshi_Toyosa1
    Ret. Employee
    Jan 24, 2018

    Instead of using Basic Auth (sending an Based-64 encoded username/password in the HTTP Authorization header), please try Token-Based authentication.

    1. Get an authentication token by sending (

      POST
      ) the username/password to 
      /mgmt/shared/authn/login
      .

    2. Use that token in the 

      X-F5-Auth-Token
      header for any requests afterword.

    The token times out after 1200s (20 min).

    Please refer to "About iControl and authentication for user accounts" section (p. 20) of the iControl® REST API User Guide Version 13.0.