Forum Discussion

jacket's avatar
jacket
Icon for Nimbostratus rankNimbostratus
Nov 10, 2022

unable insert and run cli script to tmos

Hi all  ,  Can somebody advice what is the correct step to insert the cli script into the F5 system. it is appreciate for any comment or advice given.   i am facing an error as i with enable auto e...
application delivery
MFA cli script
CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP

This is a really complex configuration. I've tried messing with it a little in my lab, running BIG-IP 15.1.5.1.

To answer part 1 of your question, I was able to create a new CLI script using the tmsh edit cli script syntax.
I've noticed that in this version, several procedures are automatically set when creating the script.

I've deleted those and pasted your exact syntax, then saved.
I've seen the same error message for "total-signing-status" being read-only, and just as you did I was able to complete creation by removing that line -- which I also noticed is added automatically by builder afterwards.

 

The error you're getting when running script, is that "tmsh modify ltm data-group internal" command is missing object name before the opening {    --    which means, [lindex $tmsh::argv 3] is returning null value in your script. 

I think you're supposed to pass some parameters to this procedure, or at least this is what happens in iRule code. Moreover, Data Group name is defined statically as a variable in RULE_INIT event.  

Sorry for the very bad and quick paint art, but I hope this helps to clarify it. 

 

Maybe you should try running proc with a set of parameters? 

Regards

CA

jacket's avatar
jacket
Icon for Nimbostratus rankNimbostratus
Nov 11, 2022

Hi Valli 

thanks for quick paint art for pointing the "f5_google_auth" code relation as well.  The solutions are google authenticator automatic enroll the share token key into the datagroup. The datagroup name "token_keys" .  

https://github.com/yamashin55/f5-google-authenticator-datagroup

i am no idea how to pass some parameter to the cli script ,Perhaps will it possible you can assist to insert some related parameter into the script for me to know how possible i can add in for further test ? 

The below are irule that i export from my bigip system , i didnt modify the rule but i just change the credential only . 

"add_user" {
set result [call add_totp_key "VS_F5-MGMT-ETH" "[b64encode "admin:Pacific@work123!!"]" "[ACCESS::session data get session.logon.last.username]" "[ACCESS::session data get session.custom.otp.secret]" "$static::ga_key_dg"]
log local0.info "Result: $result"
if { $result equals "Success" } {
ACCESS::session data set session.custom.add_user.result $result
}
}
"delete_user" {
set result [call delete_totp_key "VS_F5-MGMT-ETH" "[b64encode "admin:Pacific@work123!!"]" "[ACCESS::session data get session.logon.last.username]" "[ACCESS::session data get session.custom.otp.secret]" "$static::ga_key_dg"]
log local0.info "Result: $result"
if { $result equals "Success" } {
ACCESS::session data set session.custom.delete_user.result $result
}
}
}
}