Complete MFA solution with GA stored in Active Directory
Problem this snippet solves:
All modern business applications require Multi-Factor Authentication (MFA) for remote access by employees. There are many vendors on the market selling enterprise MFA solutions that can be used with F5 BIG-IP Access Policy Manager (APM). Those solutions are complex and let customers create flexible policies that decide when, and for whom, access to protected applications is authorised. But what about customers who have no need for a complex enterprise solution, or do not have the budget for it?
How to use this snippet:
For those customers I would like to present my One-Time Password (OTP) application, which requires BIG-IP LTM/APM/iRulesLX. The shared secret is stored in Active Directory and the QR code is generated in the user's browser. All you need to do after deploying this application on your BIG-IP is ask your users to install any OTP-compatible mobile application, such as Google Authenticator or Microsoft Authenticator.
Please see https://github.com/akhmarov/f5_otp/ for instructions
UPDATE 1: New version now supports APM 15.1+ Modern Customization
UPDATE 2: Added trusted device support
UPDATE 3: Added multi-tenancy support
Tested this on version: 15.1

- Dagfinn_ConradiNimbostratus
Hi
I tried to implement the OTP Register portal first, but had a problem resolving the LDAP FQDN against the customer's internal DNS. We have multiple tenants on the F5 and have DNS configured to public DNS servers.
How do I resolve the LDAP FQDN (internal domain) in the APM-LDAP-Modify-ilx plugin when DNS is configured for public DNS?
I tried to define host names in System->Configuration->Device->Hosts but it didn't work.
Hi Dagfinn
The simplest way is to use dns.setServers() as described in the NodeJS docs.
Insert the code below just before "dns.resolve(ldapBindFqdn, (error, records) => {" in the file APM-LDAP-Modify_ilx. Assume that your internal DNS servers have the IP addresses 192.168.1.1 and 192.168.2.1:
dns.setServers([ '192.168.1.1', '192.168.2.1' ]);
I would like to ask you to file an issue on the GitHub page, so I can try to design and implement a proper solution.
- Dagfinn_ConradiNimbostratus
Hi Vladimir
I'm having some problems writing to LDAP in the OTP Register portal.
I get the following error:
TypeError: Invalid LDAP url
pid[23198] plugin[/Common/LDAP-Modify_plugin.APM-LDAP-Modify_ilx] ldapModifyRec error: TypeError: ldap://192.168.9.15:389 is an invalid LDAP url (scope)
I have tried ldaps, without any luck.
Any ideas ?
Hi Dagfinn
There is a script test/test_ldap.js in the GitHub repo.
Please fill in all variables with the data that is used on your BIG-IP and run it from any workstation with a NodeJS environment.
Note: you have to install the ldapjs module on your workstation like you installed it on the BIG-IP.
According to the NodeJS docs, the error "is an invalid LDAP url (scope)" may somehow be linked to the passed arguments.
- Loïc_PUILLETNimbostratus
Dear Vladimir,
I'm close to making the solution work, but I'm stuck on the AD_Modify part. It seems my LX iRule isn't working and the debug output doesn't help me much:
err tmm3[36419]: Rule /Common/LDAP-Modify_plugin/APM-LDAP-Modify_irule <ACCESS_POLICY_AGENT_EVENT>: ILX call failed (ILX timeout. invoked from within "ILX::call $ilx_handle -timeout $static::ldap_modify_ilx_time $static::ldap_modify_ilx_method $ldap(bind_scheme) $ldap(bind_fqdn) $ldap(bind_port) $lda...") for session ...
Any tips about where to start ?
Thanks.
Hi DSI XEFI
Questions:
- Have you tried the latest version, 1.2, from https://github.com/akhmarov/f5_otp ?
- When you reload the ILX plugin from the workspace, are there any errors about launching the NodeJS environment under /var/log/ltm?
- Are there any other errors under /var/log/ltm at the same time or close to it?
- Which software version is used in your environment?
- Have you seen this bug: https://cdn.f5.com/product/bugtracker/ID709381.html ?
It seems this is some kind of issue with the ILX start/process run on the BIG-IP.
- Loïc_PUILLETNimbostratus
Thanks for your quick answer.
- I'm already on version 1.2.
- There's no error when I reload ILX from the workspace.
- I'm running BIG-IP 16.0.1.1 Build 0.0.6 Point Release 1 (dedicated to APM).
- I tried the workaround with the version switch; nothing changed.
I also tried to check whether there is any communication between my APM and the LDAP server (AD 2019): a tcpdump shows nothing when the iRule is called.
Can we try to investigate together a bit further in private ?
Thanks.
Yes, please write me a PM on DevCentral.
Have you tried enabling the debug output in the NodeJS code?
const flagDebug = 1;