Forum Discussion
Aaron_Waugh_667
Nimbostratus
Nov 06, 2006
RADIUS Auth with SecurID
I'm a bit of a newbie to writing iRules, however I have a lot of experience with RSA SecurID. We are just finalising an LTM install using the ACA module. I am using the default auth_radius iRule, and want to be able to insert different password prompts into the 401 popup box.
Can I use AUTH::wantcredential_prompt to change the password prompt in the auth window on a per-request basis? And if it is possible, where does one typically insert the wantcredential_prompt into the iRule?
In a SecurID auth, a user is prompted for their username and passcode; if something is not correct, they may be challenged a second time for one of the following: New PIN, Next Tokencode, or Passcode. There may also be custom error messages coming back from the SecurID RADIUS server. Can I change the default prompt from password to passcode or New PIN dynamically in the second 401 auth that may be required?
Also, I want to be able to gather the HTTP::username and insert this into the header that is sent to the server. Is this performed using a simple rule as follows, before the HTTP::release is performed in the auth?
HTTP::header insert "X-EAU-Client-id" [HTTP::username]
Thanks in advance for any assistance. Below is the slightly modified default iRule I am using...
when CLIENT_ACCEPTED {
    # Number of requests currently held by HTTP::collect, and the auth
    # session id per method (only RADIUS is used in this rule).
    set tmm_auth_http_collect_count 0
    array set tmm_auth_http_sids {radius -1}
}
when HTTP_REQUEST {
    set tmm_auth_sid $tmm_auth_http_sids(radius)
    if {$tmm_auth_sid == -1} {
        # First request on this connection: open a PAM RADIUS auth session
        set tmm_auth_sid [AUTH::start pam default_radius]
        array set tmm_auth_http_sids [list radius $tmm_auth_sid]
    }
    # Credentials come from the HTTP Basic Authorization header
    AUTH::username_credential $tmm_auth_sid [HTTP::username]
    AUTH::password_credential $tmm_auth_sid [HTTP::password]
    AUTH::authenticate $tmm_auth_sid
    if {$tmm_auth_http_collect_count == 0} {
        # Hold the request until an AUTH_* event decides what to do with it
        HTTP::collect
        set tmm_auth_http_successes 0
    }
    incr tmm_auth_http_collect_count
}
when AUTH_SUCCESS {
    if {$tmm_auth_http_sids(radius) eq [AUTH::last_event_session_id]} {
        incr tmm_auth_http_successes
        if {[info exists tmm_auth_http_sufficient_successes]} {
            if {$tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes} {
                # Enough methods succeeded: abort any other pending sessions
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if {$type ne "radius" && $sid ne -1} {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                # Pass the authenticated user to the server. The posted rule
                # used [CLIENT::subject $client_name] here, but $client_name is
                # never set in this rule; HTTP::username is the Basic-auth user.
                HTTP::header insert "X-EAU-Client-id" [HTTP::username]
                HTTP::release
            } else {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::respond 401
                }
            }
        } else {
            incr tmm_auth_http_collect_count -1
            if {$tmm_auth_http_collect_count == 0} {
                HTTP::header insert "X-EAU-Client-id" [HTTP::username]
                HTTP::release
            }
        }
    }
}
when AUTH_FAILURE {
    # RADIUS rejected the credentials: drop other pending sessions and re-challenge
    if {$tmm_auth_http_sids(radius) eq [AUTH::last_event_session_id]} {
        if {[llength [array names tmm_auth_http_sids]] > 1} {
            if {[info exists tmm_auth_http_sufficient_successes]} {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::respond 401
                }
            } else {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if {$type ne "radius" && $sid ne -1} {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        } else {
            set tmm_auth_http_collect_count 0
            HTTP::respond 401
        }
    }
}
when AUTH_WANTCREDENTIAL {
    # The auth server asked for another credential (a SecurID challenge lands
    # here); this stock handling simply sends a second 401
    if {$tmm_auth_http_sids(radius) eq [AUTH::last_event_session_id]} {
        if {[llength [array names tmm_auth_http_sids]] > 1} {
            if {[info exists tmm_auth_http_sufficient_successes]} {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::respond 401
                }
            } else {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if {$type ne "radius" && $sid ne -1} {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        } else {
            set tmm_auth_http_collect_count 0
            HTTP::respond 401
        }
    }
}
when AUTH_ERROR {
    # Auth subsystem error (e.g. RADIUS unreachable): treated like a failure
    if {$tmm_auth_http_sids(radius) eq [AUTH::last_event_session_id]} {
        if {[llength [array names tmm_auth_http_sids]] > 1} {
            if {[info exists tmm_auth_http_sufficient_successes]} {
                incr tmm_auth_http_collect_count -1
                if {$tmm_auth_http_collect_count == 0} {
                    HTTP::respond 401
                }
            } else {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if {$type ne "radius" && $sid ne -1} {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        } else {
            set tmm_auth_http_collect_count 0
            HTTP::respond 401
        }
    }
}
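The following iRule is an added example written for this thread; it is not the poster's rule and not F5's stock auth_radius rule. It shows the two things the post asks about: surfacing the SecurID challenge text (New PIN, Next Tokencode, Passcode) to the user on the second 401, and passing the authenticated username to the server in X-EAU-Client-id. With HTTP Basic auth the only prompt text a browser can show is the realm in the WWW-Authenticate header, so the rule puts the challenge text there. Assumptions, not confirmed by this thread: `default_radius` is the name of the configured PAM RADIUS auth config; when the RADIUS server answers with Access-Challenge, the module raises AUTH_WANTCREDENTIAL and exposes the challenge text through AUTH::wantcredential_prompt (with AUTH::wantcredential_type giving the credential kind); and reusing one auth session for the whole connection lets the module continue that challenge on the next Authorization round. The variable names `auth_sid` and `auth_realm` are this example's own.

```tcl
# Added example: not the original poster's rule and not F5's stock auth_radius rule.
# Assumed (not established by the thread): PAM auth config "default_radius"
# exists, and a RADIUS Access-Challenge surfaces as AUTH_WANTCREDENTIAL with
# the challenge text readable via AUTH::wantcredential_prompt.
when CLIENT_ACCEPTED {
    set auth_sid -1
    # Text the browser shows in its credential popup (the Basic-auth realm)
    set auth_realm "SecurID Passcode"
}

when HTTP_REQUEST {
    # Never trust an identity header supplied by the client: the server must
    # only ever see the value this rule inserts after AUTH_SUCCESS.
    HTTP::header remove "X-EAU-Client-id"

    # No Authorization header yet: challenge without spending a RADIUS round trip.
    if {[HTTP::username] eq ""} {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"$auth_realm\""
        return
    }

    # One PAM session per connection so a SecurID challenge can continue
    # across the second 401 / Authorization round.
    if {$auth_sid == -1} {
        set auth_sid [AUTH::start pam default_radius]
    }
    AUTH::username_credential $auth_sid [HTTP::username]
    AUTH::password_credential $auth_sid [HTTP::password]
    AUTH::authenticate $auth_sid
    # Hold the request until an AUTH_* event decides its fate
    HTTP::collect
}

when AUTH_WANTCREDENTIAL {
    if {$auth_sid ne [AUTH::last_event_session_id]} { return }
    # Challenge text from the RADIUS server, e.g. a New PIN or Next Tokencode request
    set prompt [AUTH::wantcredential_prompt]
    if {$prompt eq ""} { set prompt "SecurID Passcode" }
    # Quotes, backslashes and line breaks would break the quoted realm value or
    # allow header injection, so strip them before echoing server-supplied text.
    regsub -all {["\\\r\n]} $prompt "" prompt
    set auth_realm [string range $prompt 0 127]
    log local0. "SecurID challenge for [IP::client_addr]: [AUTH::wantcredential_type] / $auth_realm"
    # Second 401: the browser re-prompts with the new realm and sends the PIN
    # or tokencode as the Basic-auth password on its next request.
    HTTP::respond 401 WWW-Authenticate "Basic realm=\"$auth_realm\""
}

when AUTH_SUCCESS {
    if {$auth_sid ne [AUTH::last_event_session_id]} { return }
    # Identity comes from the credential RADIUS has just verified
    HTTP::header insert "X-EAU-Client-id" [HTTP::username]
    HTTP::release
}

when AUTH_FAILURE {
    if {$auth_sid ne [AUTH::last_event_session_id]} { return }
    set auth_realm "SecurID Passcode"
    HTTP::respond 401 WWW-Authenticate "Basic realm=\"$auth_realm\""
}

when AUTH_ERROR {
    # RADIUS unreachable or malformed reply: fail closed, never fall through to the pool
    if {$auth_sid ne [AUTH::last_event_session_id]} { return }
    AUTH::abort $auth_sid
    set auth_sid -1
    HTTP::respond 503 content "Authentication service unavailable"
}
```

Two practical notes. Browsers of the thread's era displayed the realm in the popup; current browsers no longer do, so for them the challenge text must also go into the 401 body (`HTTP::respond 401 content "..." WWW-Authenticate "..."`) or the flow must move to a form-based login. And the `HTTP::header remove` at the top of HTTP_REQUEST is what makes X-EAU-Client-id trustworthy to the application: without it, any client could set the header itself and the server could not tell the forged value from the one inserted after AUTH_SUCCESS.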
1 Reply
Jim_22175
Nimbostratus
This expanded iRule is very useful. Has there been any improvements or tweaks to it since this thread was created?