Forum Discussion
Using clientless mode but still getting redirect
I am attempting to pull the username and password from the Authentication Basic HTTP header. I have an iRule in place feeding the APM policy of just a basic AD Auth box.
when HTTP_REQUEST {
    HTTP::header insert "clientless-mode" 1
    set uservar [HTTP::username]
    set passvar [HTTP::password]
}
when ACCESS_SESSION_STARTED {
    ACCESS::session data set "session.logon.last.username" $uservar
    ACCESS::session data set "session.logon.last.password" $passvar
    log local0. "AuthBasic- uservar was $uservar"
}
Using Fiddler, I am still seeing in the debugger that I am receiving a 302 redirect to /my.policy.
I also attempted to add the following at the top of the iRule, but I still get the redirect to my.policy:
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
Any ideas why I still receive the /my.policy redirect even though I am telling it to insert "client-less mode"?
6 Replies
- Walter_Kacynski
Cirrostratus
Are you using multi-domain auth? I had a similar problem and client-less only seems to work if the Primary Auth URL is the same as the target application.
- Kyle_S
Nimbostratus
I have multi domains on the F5 but I am only authenticating to one domain. Because I am only testing it right now, I am using the IP address in the URL instead of the DNS name.
- Walter_Kacynski
Cirrostratus
Hmm, have you tried mapping a DNS name via the hosts file? I'm not sure if APM behaves differently. I know that it does some DNS-based checking.
- Kyle_S
Nimbostratus
After you mentioned the URL name, I had them add it to DNS so it is using the name. I get the same redirect to my.policy.
- Kyle_S
Nimbostratus
I discovered that in order for Clientless-mode to work, an APM Logon page object must be in the policy. This is my observation and not a written-in-stone fact. After I added the Logon page object before the AD Auth object, I no longer saw the redirect to my.policy. Additionally, because I was using the iRule to put the user into clientless-mode, you do not see the actual logon page. If you don't authenticate against AD, you just get the denied page. I would be interested to see if anyone else has run into this or if having the Logon page object is necessary.
- Walter_Kacynski
Cirrostratus
Wouldn't it be nice if this mode was documented?
