Complete MFA solution with GA stored in Active Directory

Problem this snippet solves:

All modern business applications require Multi-Factor Authentication (MFA) to be used for remote access by employees. There are many vendors on market selling enterprise MFA solutions that may be utilised with F5 BIG-IP Access Policy Manager (APM). Those solutions are complex and allow customers to create flexible policies which allow them to decide when and whom will be authorised to access protected applications. But what about those customers which have no needs for using complex enterprise solutions or does not have adequate budget for such spendings?

How to use this snippet:

For those customers I would like to present my One-Time Password (OTP) application which requires BIG-IP LTM/APM/iRulesLX. Shared secret value is stored in Active Directory and QR code is generated in user's browser. All you need after implementing this application on your BIG-IP is. to ask your users to get any OTP-compatible mobile application, like Google Authenticator or Microsoft Authenticator


Please see https://github.com/akhmarov/f5_otp/ for instructions


UPDATE 1: New version now support APM 15.1+ Modern Customization

UPDATE 2: Added trusted device support

UPDATE 3: Added multi-tenancy support

Tested this on version:

15.1
Published Apr 07, 2020
Version 1.0
active directory
APM
application delivery
google authenticator
iRulesLX
mfa
otp
security

Was this article helpful?

8 Comments

Sort By
  • Dagfinn_Conradi's avatar
    Dagfinn_Conradi
    Icon for Nimbostratus rankNimbostratus
    Jun 26, 2020

    Hi

    I Tried to implement the OTP Register portal first, but had a problem with resolving LDAP FQDN against the customers internal DNS. We have multiple tenants on the F5 and have DNS configured to public DNS servers.

     

    How do I resolve the ldap fqdn (internal domain) in APM-LDAP-Modify-ilx plugin, when the DNS is configured for public DNS ?

     

    I tried to define HOST names in System->Configuration->Device->Hosts but it didnt work.

  • Vladimir_Akhmarov's avatar
    Vladimir_Akhmarov
    Icon for Cirrus rankCirrus
    Jun 27, 2020

    Hi Dagfinn

     

    The simplest way is to use dns.setServers() as described in NodeJS docs

    Insert code below just before "dns.resolve(ldapBindFqdn, (error, records) => {" in file APM-LDAP-Modify_ilx. Assume that your internal DNS servers has IP addresses 192.168.1.1 and 192.168.2.1

    dns.setServers([
  '192.168.1.1',
  '192.168.2.1'
]);

    I would like to ask you to file issue in GitHub page, so I could try to design and implement proper solution

  • Dagfinn_Conradi's avatar
    Dagfinn_Conradi
    Icon for Nimbostratus rankNimbostratus
    Aug 20, 2020

    Hi Vladimir

     

    I 'm having som problems witing to LDAP, in the OTP Register portal.

     

    Get dthe following error:

    TypeError: Invalid LDAP url

     

    pid[23198] plugin[/Common/LDAP-Modify_plugin.APM-LDAP-Modify_ilx] ldapModifyRec error: TypeError: ldap://192.168.9.15:389 is an invalid LDAP url (scope)

     

    Have tried ldaps, without any luck

     

    Any ideas ?

  • Vladimir_Akhmarov's avatar
    Vladimir_Akhmarov
    Icon for Cirrus rankCirrus
    Aug 24, 2020

    Hi Dagfinn

     

    There is a script test/test_ldap.js in GitHub's repo

     

    Please fill all variables with data that is used on your BIG-IP and run it from any workstation with NodeJS environment

    Note: you have to install ldapjs module in your workstation like you installed it on BIG-IP

     

    According to NodeJS docs error "is an invalid LDAP url (scope)" maybe somehow linked to passed arguments

  • Loïc_PUILLET's avatar
    Loïc_PUILLET
    Icon for Nimbostratus rankNimbostratus
    Jun 08, 2021

    Dear Vladimir,

     

    Im close to make the slution work but im stuck on the AD_Modify part. IT seems my LX_irule isnt working and the debug doesnt help me much :

     

     err tmm3[36419]: Rule /Common/LDAP-Modify_plugin/APM-LDAP-Modify_irule <ACCESS_POLICY_AGENT_EVENT>: ILX call failed (ILX timeout.   invoked from within "ILX::call $ilx_handle -timeout $static::ldap_modify_ilx_time $static::ldap_modify_ilx_method $ldap(bind_scheme) $ldap(bind_fqdn) $ldap(bind_port) $lda...") for session ...

     

    Any tips about where to start ?

     

    Thanks.

  • Vladimir_Akhmarov's avatar
    Vladimir_Akhmarov
    Icon for Cirrus rankCirrus
    Jun 08, 2021

    Hi DSI XEFI

     

    Questions:

    1. Have you tried latest version 1.2 from https://github.com/akhmarov/f5_otp ?
    2. Could you please check when you reload ILX from workspace are there any errors with launching NodeJS env under /var/log/ltm?
    3. Are there any errors under /var/log/ltm in the same time or close to it?
    4. What software version used in your environment?
    5. Have you seen this Bug https://cdn.f5.com/product/bugtracker/ID709381.html ?

     

    Seems that this some kind of issue with ILX start/process run on BIG-IP

     

     

  • Loïc_PUILLET's avatar
    Loïc_PUILLET
    Icon for Nimbostratus rankNimbostratus
    Jun 08, 2021

    Thanks for your quick answer.

     

    • Im already in 1.2 version.
    • Theres no error when i reload ILX from workspace
    • Im running BIG-IP 16.0.1.1 Build 0.0.6 Point Release 1 (dedicate to APM)
    • I tried the workaround with the version switch, nothing change

     

    I also try to check if theres any communication between my APM and the LDAP server (AD 2019), a tcpdump show nothing when the irule is called.

     

    Can we try to investigate together a bit further in private ?

     

    Thanks.

     

     

  • Vladimir_Akhmarov's avatar
    Vladimir_Akhmarov
    Icon for Cirrus rankCirrus
    Jun 08, 2021

    Yes, please write me a PM on DevCentral

     

    have you tried to enable debugs in NodeJS code?

    const flagDebug = 1;