akhmarov
Altostratus

Problem this snippet solves:

Most modern business applications require Multi-Factor Authentication (MFA) for remote access by employees. There are many vendors on the market selling enterprise MFA solutions that can be used with F5 BIG-IP Access Policy Manager (APM). Those solutions are complex and let customers build flexible policies that decide when, and for whom, access to protected applications is authorised. But what about customers who have no need for a complex enterprise solution, or do not have the budget for it?

How to use this snippet:

For those customers I would like to present my One-Time Password (OTP) application, which requires BIG-IP LTM/APM/iRulesLX. The shared secret value is stored in Active Directory and the QR code is generated in the user's browser. All you need after implementing this application on your BIG-IP is to ask your users to install any OTP-compatible mobile application, such as Google Authenticator or Microsoft Authenticator.


Please see https://github.com/akhmarov/f5_otp/ for instructions


UPDATE 1: The new version now supports APM 15.1+ Modern Customization

UPDATE 2: Added trusted device support

UPDATE 3: Added multi-tenancy support

Tested this on version:

15.1
Comments
Dagfinn_Conradi
Nimbostratus

Hi

I tried to implement the OTP Register portal first, but had a problem resolving the LDAP FQDN against the customer's internal DNS. We have multiple tenants on the F5 and have DNS configured to public DNS servers.

How do I resolve the LDAP FQDN (internal domain) in the APM-LDAP-Modify-ilx plugin when DNS is configured for public DNS?

I tried to define host names in System->Configuration->Device->Hosts, but it didn't work.

akhmarov
Altostratus

Hi Dagfinn

The simplest way is to use dns.setServers() as described in the Node.js docs.

Insert the code below just before "dns.resolve(ldapBindFqdn, (error, records) => {" in the file APM-LDAP-Modify_ilx. Assume that your internal DNS servers have IP addresses 192.168.1.1 and 192.168.2.1:

dns.setServers([ '192.168.1.1', '192.168.2.1' ]);

I would like to ask you to file an issue on the GitHub page, so I can try to design and implement a proper solution.

Dagfinn_Conradi
Nimbostratus

Hi Vladimir

I'm having some problems writing to LDAP in the OTP Register portal.

I get the following error:

TypeError: Invalid LDAP url

pid[23198] plugin[/Common/LDAP-Modify_plugin.APM-LDAP-Modify_ilx] ldapModifyRec error: TypeError: ldap://192.168.9.15:389 is an invalid LDAP url (scope)

I have tried ldaps, without any luck.

Any ideas?

akhmarov
Altostratus

Hi Dagfinn

There is a script test/test_ldap.js in the GitHub repo.

Please fill in all variables with the data that is used on your BIG-IP and run it from any workstation with a Node.js environment.

Note: you have to install the ldapjs module on your workstation the same way you installed it on BIG-IP.

According to the NodeJS docs, the error "is an invalid LDAP url (scope)" may somehow be linked to the passed arguments.

Loïc_PUILLET
Nimbostratus

Dear Vladimir,

I'm close to making the solution work, but I'm stuck on the AD_Modify part. It seems my LX iRule isn't working and the debug doesn't help me much:

err tmm3[36419]: Rule /Common/LDAP-Modify_plugin/APM-LDAP-Modify_irule <ACCESS_POLICY_AGENT_EVENT>: ILX call failed (ILX timeout.   invoked from within "ILX::call $ilx_handle -timeout $static::ldap_modify_ilx_time $static::ldap_modify_ilx_method $ldap(bind_scheme) $ldap(bind_fqdn) $ldap(bind_port) $lda...") for session ...

Any tips about where to start?

Thanks.

akhmarov
Altostratus

Hi DSI XEFI

Questions:

  1. Have you tried the latest version 1.2 from https://github.com/akhmarov/f5_otp ?
  2. Could you please check whether, when you reload ILX from the workspace, there are any errors launching the NodeJS environment under /var/log/ltm?
  3. Are there any errors under /var/log/ltm at the same time or close to it?
  4. What software version is used in your environment?
  5. Have you seen this bug: https://cdn.f5.com/product/bugtracker/ID709381.html ?

It seems this is some kind of issue with ILX start/process run on BIG-IP.
Loïc_PUILLET
Nimbostratus

Thanks for your quick answer.

  • I'm already on version 1.2.
  • There's no error when I reload ILX from the workspace.
  • I'm running BIG-IP 16.0.1.1 Build 0.0.6 Point Release 1 (dedicated to APM).
  • I tried the workaround with the version switch; nothing changed.

I also tried to check whether there is any communication between my APM and the LDAP server (AD 2019); a tcpdump shows nothing when the iRule is called.

Can we try to investigate together a bit further in private?

Thanks.
akhmarov
Altostratus

Yes, please write me a PM on DevCentral.

Have you tried to enable debugging in the NodeJS code?

const flagDebug = 1;

Version history
Last update: 07-Apr-2020 14:21