Configuring Smart Card Authentication to the BIG-IP Traffic Management User Interface (TMUI) using F5's Privileged User Access Solution
As promised in my last article which discussed configuring the BIG-IP as an SSH Jump Server using smart card authentication, I wanted to continue the discussion of F5's privileged user access with ad...
Published Jul 18, 2018
Version 1.0, by Steve_Lyons (Ret. Employee, joined May 15, 2019)
Comment from Steve_Lyons (Ret. Employee), Jul 19, 2018:
So, I may not fully understand your question, but I will try to at least shed some more light.
- Upon successful auth, creates user/random password (session.custom.ephemeral.last.password)
- Sets login.last.user/pass to the ephemeral user/pass for SSO
- User credentials sent via SSO to application
- App sends LDAP bindRequest to authentication user
- bindRequest intercepted from LDAP server
- User looked up in table, password is compared
- Auth result is sent back to application
- Any "non-bindRequests" are passed through to the real LDAP server (searches, group memberships, etc.)
- bindRequests for DNs specified in "LDAP_Bypass" go directly to the LDAP server and are not intercepted.
The password is stored as a session variable, which can be seen below.
Within the ephemeral_config DG is where you can configure additional requirements for your OTP. Password complexity rules variables:
- pwrulesLen - integer - optional - Password Complexity, minimum password length/characters. Example 8 (default)
- pwrulesUpCaseMin - integer - optional - Password Complexity, minimum upper case characters. Example 1 (default)
- pwrulesLwrCaseMin - integer - optional - Password Complexity, minimum lower case characters. Example 1 (default)
- pwrulesNumbersMin - integer - optional - Password Complexity, minimum numeric characters. Example 1 (default)
- pwrulesPunctuationMin - integer - optional - Password Complexity, minimum punctuation/special characters. Example 1 (default)
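As an added example (not F5's iRule code, which runs as Tcl on the BIG-IP), the Python below models the flow described in the comment above: an ephemeral password generated to the pwrules* defaults listed, and the bindRequest intercept decision, where bypass DNs and non-bind operations pass through to the real LDAP server and other binds are compared against the session table. The in-memory table, the bypass DN and the function names are constructed placeholders, not names from the solution.

```python
import hmac
import secrets
import string

# Default values of the pwrules* keys in the ephemeral_config data group.
EPHEMERAL_CONFIG = {
    "pwrulesLen": 8,
    "pwrulesUpCaseMin": 1,
    "pwrulesLwrCaseMin": 1,
    "pwrulesNumbersMin": 1,
    "pwrulesPunctuationMin": 1,
}

# Character class that satisfies each per-class minimum.
CLASSES = {
    "pwrulesUpCaseMin": string.ascii_uppercase,
    "pwrulesLwrCaseMin": string.ascii_lowercase,
    "pwrulesNumbersMin": string.digits,
    "pwrulesPunctuationMin": string.punctuation,
}

def check_complexity(password, cfg=EPHEMERAL_CONFIG):
    """Return True when the password meets pwrulesLen and every per-class minimum."""
    if len(password) < cfg["pwrulesLen"]:
        return False
    return all(sum(c in chars for c in password) >= cfg[key]
               for key, chars in CLASSES.items())

def generate_ephemeral_password(cfg=EPHEMERAL_CONFIG):
    """Build a one-time password: per-class minimums first, then fill to
    pwrulesLen from all classes, then shuffle. CSPRNG throughout."""
    rng = secrets.SystemRandom()
    chars = [rng.choice(CLASSES[k]) for k in CLASSES for _ in range(cfg[k])]
    pool = "".join(CLASSES.values())
    chars += [rng.choice(pool) for _ in range(cfg["pwrulesLen"] - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)

# Constructed stand-ins: the session table keyed by ephemeral user, and the
# LDAP_Bypass list of DNs whose binds are never intercepted.
EPHEMERAL_TABLE = {}
LDAP_BYPASS = {"cn=svc-app,ou=service,dc=example,dc=com"}

def handle_ldap_request(op, dn, password=None, table=EPHEMERAL_TABLE):
    """Decide what the intercept does with one LDAP operation."""
    if op != "bindRequest" or dn in LDAP_BYPASS:
        return "passthrough"          # searches, group lookups, bypass DNs: real LDAP server
    expected = table.get(dn)         # unknown user: fail without leaking which part was wrong
    if expected is None:
        return "invalidCredentials"
    ok = hmac.compare_digest(expected, password or "")  # constant-time compare
    return "success" if ok else "invalidCredentials"
```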