Forum Discussion
Hamish_35071
Nimbostratus
Dec 02, 2009
TACACS password authentication - Handling Password Expiry
I'm implementing client authentication on an F5 using forms, mostly based upon the auth-by-forms iRule found on CodeShare. But I need to add in a new feature: password expiry.
The TACAC...
hoolio
Cirrostratus
Feb 11, 2010
By the way, part of the info I received from Support from C606593 was:
The error codes for AUTH::status correspond to the PAM API. There isn't a separate status code for [OCSP] revoked, so we didn't alter the AUTH::status command.
The error codes returned by AUTH::response_data for the error cases you're inquiring about largely come from OpenSSL directly. We don't have any information over why they decided to choose certain classes of error strings over others.
For RADIUS, on a successful response, AUTH::response_data will contain the attributes returned by the server with a form of radius:attr: .
Similarly, for TACACS, the attributes will be with a form of tacplus:attr: .
For Kerberos, they will be with a form of krbdelegate:attr: .
For CRLDP, no attributes are returned.
In all of these cases, no results are returned if there is an error. Note that in the future, the general plan is for the APM functionality to supersede this iRule authentication, authorization, and error handling functionality.
Aaron
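The prefix scheme described in the support reply above, as an added example that is not part of the original post or F5's code: a plain Tcl helper (kept to Tcl 8.4 syntax, since iRules are 8.4-based) that pulls one module's attributes out of a flat name/value list and returns nothing unless the status is 0. The proc name, the sample attribute names and values, and the treatment of status 0 as success (PAM_SUCCESS) are assumptions.

```tcl
# Added example (hypothetical helper, not from the thread or from F5).
# Input is assumed to be a flat name/value list, i.e. the shape that
# [AUTH::response_data] is normally loaded into an array from.

# Return a flat attr/value list for one module prefix, prefix stripped.
# Fails closed: a non-zero status or a malformed list yields an empty
# result, matching "no results are returned if there is an error".
proc auth_attrs {status response_data prefix} {
    set out {}
    # Assumption: 0 is success, following the PAM convention (PAM_SUCCESS).
    if {$status != 0} { return $out }
    # An odd number of elements cannot be name/value pairs.
    if {[llength $response_data] % 2 != 0} { return $out }
    set plen [string length $prefix]
    foreach {name value} $response_data {
        # Exact, case-sensitive prefix comparison on the first $plen chars.
        if {[string equal -length $plen $prefix $name]} {
            set attr [string range $name $plen end]
            # Skip entries that are only the bare prefix.
            if {$attr ne ""} { lappend out $attr $value }
        }
    }
    return $out
}

# Constructed sample data: prefixes from the support reply, names and values made up.
set sample [list \
    "tacplus:attr:priv-lvl"     "15" \
    "tacplus:attr:idletime"     "30" \
    "radius:attr:Reply-Message" "ok"]

# Success: only the TACACS+ attributes come back, without the prefix.
puts "tacplus on success: [auth_attrs 0 $sample "tacplus:attr:"]"
# Failure or error status: nothing is trusted, even if data is present.
puts "tacplus on failure: [auth_attrs 1 $sample "tacplus:attr:"]"
# CRLDP returns no attributes, so an unmatched prefix is simply empty.
puts "no match:           [auth_attrs 0 $sample "krbdelegate:attr:"]"
```

Inside an iRule the same loop would sit in the AUTH_RESULT handler, fed from AUTH::status and AUTH::response_data.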