Forum Discussion
Making Google Auth active
I am working with an APM to build a secure VPN. I have established AD-based authentication but want to add Google auth as a second factor. I have written the iRule but have found that it is not being used in the authentication process. If you make an error on your AD username or password, authentication fails. But you can enter any six-digit number in the auth code, or even leave it blank, and authorization proceeds with good AD credentials. Any ideas why that part of the process is being ignored?
21 Replies
- Ben_Newport_102
Nimbostratus
Have you added the iRule event in the workflow with the same name as the iRule you applied to your virtual server? We are using this and it works great.
- jim_mcmurchie_1
Nimbostratus
I have the file specified in the workflow as a variable name at the login page and as an event named Check Google AuthN directly after AD auth. I am new to this; can you explain what you mean by applying the iRule to the virtual server?
Thanks for the help.
- Ben_Newport_102
Nimbostratus
I assume you are following this example:
https://devcentral.f5.com/articles/two-factor-authentication-with-google-authenticator-and-apm
The iRule created needs to be applied to the virtual server you are hitting: Virtual Servers -> Name of your Virtual Server -> Resources -> iRules.
So the name you specify in the workflow has to match the name in the iRule for it to trigger: `if { [ACCESS::policy agent_id] eq "ga_code_verify" } {`
- jim_mcmurchie_1
Nimbostratus
It was not added as a resource for the virtual server; thank you for that info. It is still not checking for the auth token. My workflow looks like this: Could the issue be that AD Auth ends in a Success and Google Auth ends in a fallback?
- Ben_Newport_102
Nimbostratus
Your Check Google Auth should be an empty container and you need to add branch rules based upon what the iRule finds.
- Successful - `expr { [mcget {session.custom.ga_result}] == 0 }`
- No Google Auth key found - `expr { [mcget {session.custom.ga_result}] == 2 }`
- Invalid Google Auth key - `expr { [mcget {session.custom.ga_result}] == 3 }`
- User Locked Out - `expr { [mcget {session.custom.ga_result}] == 4 }`
- Fallback
Only the Successful branch should continue on. In your workflow it all continues, so yes, no matter what is entered it would continue.
- Ben_Newport_102
Nimbostratus
Another thing you may want to do in your workflow is to have the AD check after the Google Token check. This keeps someone from trying to maliciously lock out your AD accounts, as they will just lock the Google Token out before you test against AD.
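The four `session.custom.ga_result` codes in the branch rules above, and the per-user lockout that makes code 4 possible, as a Python model of the verification the iRule performs. This is an added example, not the thread's iRule or F5's code; the user table, failure counters, drift window and the RFC 6238 sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Result codes mirroring the branch rules discussed in the thread.
GA_OK = 0          # code verified: the only branch that should continue
GA_NO_KEY = 2      # user has no Google Authenticator secret enrolled
GA_INVALID = 3     # code (or blank) did not match any accepted time step
GA_LOCKED_OUT = 4  # too many failures for this user

MAX_FAILURES = 3   # assumed lockout threshold
WINDOW = 1         # accept +/- one 30-second step of clock drift

# Constructed sample data (not from the thread). alice's secret is the
# base32 form of the RFC 6238 test key "12345678901234567890"; bob is unenrolled.
SECRETS = {"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "bob": None}
FAILURES = {"alice": 0, "bob": 0}


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def verify_ga_code(user, code, now=None, step=30):
    """Return the ga_result code the policy branches on; blank codes count as failures."""
    secret = SECRETS.get(user)
    if not secret:
        return GA_NO_KEY
    if FAILURES.get(user, 0) >= MAX_FAILURES:
        return GA_LOCKED_OUT
    counter = int(time.time() if now is None else now) // step
    for drift in range(-WINDOW, WINDOW + 1):
        candidate = hotp(secret, counter + drift)
        if code and hmac.compare_digest(candidate, str(code)):
            FAILURES[user] = 0
            return GA_OK
    FAILURES[user] = FAILURES.get(user, 0) + 1
    return GA_INVALID
```

Because the lockout check runs before the code is compared, a valid token submitted after the threshold still yields 4, which is why only the 0 branch should lead on to the AD check.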
- jim_mcmurchie_1
Nimbostratus
The contents of the Check Google AuthN box are:
with the branch rules you provided in this box
- jim_mcmurchie_1
Nimbostratus
Still ignoring the auth token
- Ben_Newport_102
Nimbostratus
Sorry, not your Check Google AuthN. You need to have another object directly after the iRule call that is blank, and add the branches as mentioned in the previous post.
- Ben_Newport_102
Nimbostratus
What's in your branch rules on Check Google AuthN?