Forum Discussion
William_Them_99
Nimbostratus
Jun 15, 2005
Redirect after when AUTH_FAILURE
We have iRules to handle authentication of client cert attributes against an LDAP tree. Right now, when the user fails to authenticate with LDAP, the code does this:
when AUTH_F...
Carla_Molenda_1
Nimbostratus
Jul 21, 2005
I have picked up where Bill left off and still cannot get this to work.
The AUTH_FAILURE does fire (I'm not sure if it is because I turned on mod SSL) but when I tried adding the http respond to the AUTH_FAILURE event I get an "operation not supported" in the log. HTTP::redirect and HTTP::uri will not even get saved after updating the iRules. I have also tried setting flags as seen in numerous other appends, but the setting does not get carried outside the AUTH event. I can see the variable get set in the AUTH, but by the time the next event hits, the value is not what it was set to inside the AUTH event (for both successes or failures). I have queried the value in numerous events but it never is the one set in the AUTH event. I was going to try AUTH::status but did not know how to get the authid. When I tried adding AUTH::last_event_session_id inside the HTTP_REQUEST I received an error in the log. This is the current iRule on the server (we have CLIENTSSL_CLIENTCERT events in the AUTH profiles).
when AUTH_SUCCESS
{
    log local0. "auth_success"
    set auth_code 0
    if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]}
    {
        SSL::handshake resume
    }
}
when AUTH_FAILURE
{
    log local0. "auth_failure"
    set auth_code 1
    if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]}
    {
        log local0. "auth_failure - reject, auth_code is $auth_code"
        reject
        HTTP::respond 303 content http://myhost /Errors/AuthenticationFailed.html
    }
}
when AUTH_WANTCREDENTIAL
{
    log local0. "auth_wantcredential"
    if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]}
    {
        reject
    }
}
when AUTH_ERROR
{
    log local0. "auth_error"
    if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]}
    {
        reject
    }
}
when HTTP_REQUEST {
    log local0. "in http request, auth_code is $auth_code"
    if {$auth_code eq 1} {
        log local0. "Found Error in http request"
        HTTP::redirect http://myhost/Errors/AuthenticationFailed.html
    }
}
