RADIUS Auth with SecurID

Question

Im a bit of a newbie to writing iRules, however have a lot of experience with RSA SecurID.  We are just finalising an LTM install using the ACA module.  I am using the default auth_radius irule, and want to be able to insert different password prompts into the 401 popup box. &nbsp;
&nbsp;Can I use the AUTH::wantcredential_prompt  to change the password prompt in the auth window on a per request basis? and if it is possible, where does one typically insert the wantcredential_prompt into the irule?&nbsp;
&nbsp;In a SecurID auth, a user is prompted for their username and passcode, if something is not correct, they may be challenged a second time for one of the following: New PIN, Next Tokencode, or Passcode.  There may also be custom error messages come back from the SecurID RADIUS.  Can I change the default prompt from password to passcode or New PIN dynamically in the second 401 auth that may be required?&nbsp;
&nbsp;Also, I want to be able to gather the HTTP::username and insert this into the header that is sent to the server.  Is this performed using a simple rule as follows before the HTTP::release is performed in the auth?&nbsp;
&nbsp;HTTP::header insert "X-EAU-Client-id" [HTTP::username]&nbsp;
&nbsp;Thanks in advance for any assistance.  Below is the slightly modified default irule I am using...&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;        set tmm_auth_http_collect_count 0
&nbsp;        array set tmm_auth_http_sids {radius -1}
&nbsp;    }
&nbsp;    when HTTP_REQUEST {
&nbsp;        set tmm_auth_sid $tmm_auth_http_sids(radius)
&nbsp;        if {$tmm_auth_sid == -1} {
&nbsp;            set tmm_auth_sid [AUTH::start pam default_radius]
&nbsp;            array set tmm_auth_http_sids [list radius $tmm_auth_sid]
&nbsp;        }
&nbsp;        AUTH::username_credential $tmm_auth_sid [HTTP::username]
&nbsp;        AUTH::password_credential $tmm_auth_sid [HTTP::password]
&nbsp;        AUTH::authenticate $tmm_auth_sid
&nbsp;        if {$tmm_auth_http_collect_count == 0} {
&nbsp;            HTTP::collect
&nbsp;            set tmm_auth_http_successes 0
&nbsp;        }
&nbsp;        incr tmm_auth_http_collect_count
&nbsp;    }
&nbsp;    when AUTH_SUCCESS {
&nbsp;        if {$tmm_auth_http_sids(radius) eq [AUTH::last_event_session_id]} {
&nbsp;            incr tmm_auth_http_successes
&nbsp;            if {[info exists tmm_auth_http_sufficient_successes]} {
&nbsp;                if {$tmm_auth_http_successes &gt;=
&nbsp;                        $tmm_auth_http_sufficient_successes} {
&nbsp;                    foreach {type sid} [array get tmm_auth_http_sids] {
&nbsp;                        if {$type ne "radius" &amp;&amp; $sid ne -1} {
&nbsp;                            AUTH::abort $sid
&nbsp;                            array set tmm_auth_http_sids [list $type -1]
&nbsp;                        }
&nbsp;                    }
&nbsp;                    set tmm_auth_http_collect_count 0
&nbsp;    HTTP::header insert "X-EAU-Client-id" [CLIENT::subject $client_name];
&nbsp;                    HTTP::release
&nbsp;                } else {
&nbsp;                    incr tmm_auth_http_collect_count -1
&nbsp;                    if {$tmm_auth_http_collect_count == 0} {
&nbsp;                     HTTP::respond 401
&nbsp;                    }
&nbsp;                }
&nbsp;            } else {
&nbsp;                incr tmm_auth_http_collect_count -1
&nbsp;                if {$tmm_auth_http_collect_count == 0} {
&nbsp;    HTTP::header insert "X-EAU-Client-id" [CLIENT::subject $client_name];
&nbsp;                    HTTP::release
&nbsp;                }
&nbsp;            }
&nbsp;        }
&nbsp;    }
&nbsp;    when AUTH_FAILURE {
&nbsp;        if {$tmm_auth_http_sids(radius) eq [AUTH::last_event_session_id]} {
&nbsp;            if {[llength [array names tmm_auth_http_sids]] &gt; 1} {
&nbsp;                if {[info exists tmm_auth_http_sufficient_successes]} {
&nbsp;                    incr tmm_auth_http_collect_count -1
&nbsp;                    if {$tmm_auth_http_collect_count == 0} {
&nbsp;                        HTTP::respond 401
&nbsp;                    }
&nbsp;                } else {
&nbsp;                    foreach {type sid} [array get tmm_auth_http_sids] {
&nbsp;                        if {$type ne "radius" &amp;&amp; $sid ne -1} {
&nbsp;                            AUTH::abort $sid
&nbsp;                            array set tmm_auth_http_sids [list $type -1]
&nbsp;                        }
&nbsp;                    }
&nbsp;                    set tmm_auth_http_collect_count 0
&nbsp;                    HTTP::respond 401
&nbsp;                }
&nbsp;            } else {
&nbsp;                set tmm_auth_http_collect_count 0
&nbsp;                HTTP::respond 401
&nbsp;            }
&nbsp;        }
&nbsp;    }
&nbsp;    when AUTH_WANTCREDENTIAL {
&nbsp;        if {$tmm_auth_http_sids(radius) eq [AUTH::last_event_session_id]} {
&nbsp;            if {[llength [array names tmm_auth_http_sids]] &gt; 1} {
&nbsp;                if {[info exists tmm_auth_http_sufficient_successes]} {
&nbsp;                    incr tmm_auth_http_collect_count -1
&nbsp;                    if {$tmm_auth_http_collect_count == 0} {
&nbsp;                        HTTP::respond 401
&nbsp;                    }
&nbsp;                } else {
&nbsp;                    foreach {type sid} [array get tmm_auth_http_sids] {
&nbsp;                        if {$type ne "radius" &amp;&amp; $sid ne -1} {
&nbsp;                            AUTH::abort $sid
&nbsp;                            array set tmm_auth_http_sids [list $type -1]
&nbsp;                        }
&nbsp;                    }
&nbsp;                    set tmm_auth_http_collect_count 0
&nbsp;                    HTTP::respond 401
&nbsp;                }
&nbsp;            } else {
&nbsp;                set tmm_auth_http_collect_count 0
&nbsp;                HTTP::respond 401
&nbsp;            }
&nbsp;        }
&nbsp;    }
&nbsp;    when AUTH_ERROR {
&nbsp;        if {$tmm_auth_http_sids(radius) eq [AUTH::last_event_session_id]} {
&nbsp;            if {[llength [array names tmm_auth_http_sids]] &gt; 1} {
&nbsp;                if {[info exists tmm_auth_http_sufficient_successes]} {
&nbsp;                    incr tmm_auth_http_collect_count -1
&nbsp;                    if {$tmm_auth_http_collect_count == 0} {
&nbsp;                        HTTP::respond 401
&nbsp;                    }
&nbsp;                } else {
&nbsp;                    foreach {type sid} [array get tmm_auth_http_sids] {
&nbsp;                        if {$type ne "radius" &amp;&amp; $sid ne -1} {
&nbsp;                            AUTH::abort $sid
&nbsp;                            array set tmm_auth_http_sids [list $type -1]
&nbsp;                        }
&nbsp;                    }
&nbsp;                    set tmm_auth_http_collect_count 0
&nbsp;                    HTTP::respond 401
&nbsp;                }
&nbsp;            } else {
&nbsp;                set tmm_auth_http_collect_count 0
&nbsp;                HTTP::respond 401
&nbsp;            }
&nbsp;        }
&nbsp;    }&nbsp;

jim_22175 · Answer

This expanded irule is very useful. Has there been any improvements or tweaks to it since this thread was created?

Forum Discussion

RADIUS Auth with SecurID

Recent Discussions

How to Renew F5 Device Certificate

How to export a list of paired external service providers from APM?

BIG-IP Edge Endpoint Inspection Failure pre-VPN

BIG IP LTM - Multiple application on single VIP with multiple ports allowed.

Service discovery is not happening in AS3

Related Content

iRule based RADIUS Client Stack

iRule based RADIUS Health Monitor Builder

iRule based RADIUS Server Stack

Bolt-on Auth with NGINX Plus and F5 Distributed Cloud

RADIUS update NAS-IP-Address

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS