Forum Discussion

Hugo_Frauches_3
May 07, 2019

ASM Login Page protection for Basic Authentication without failed string

Hello,

Is it possible to create and configure an ASM Login Page for Brute Force protection for a system that uses APM Basic Auth (401) and does not send any string for a failed/wrong username? According to the F5 documentation on how to create a login page, it needs a failed string to be configured:

A string that should NOT appear in the response: A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, Authentication failed.

Ref: https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/creating-login-pages-for-secure-application-access.html

So my question is: is it possible to configure APM to send a 401 with a failed string, so it can be detected by ASM for Brute Force Login Mitigation?

**For the ASM protection on the APM VS, I'm using the layered Virtual Server configuration.

1 Reply

  • nathe

    Hugo Frauches,

    What about adding a positive string for when the user successfully logs in? Does APM send back a specific string, HTTP response code, etc. when a successful logon happens? You can add this. If the ASM doesn't see this then it will conclude it's a failed login.

    HTH,

    N
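
The positive-validation idea from the reply above, as an added example that is not part of the thread and is not F5's implementation: a Basic Auth exchange counts as a failed login unless it meets the success criterion, so a bare 401 with no failure string is still counted per username. The success status (200), the threshold of 3 and the sample traffic are assumptions constructed for the illustration.

```python
import base64
from collections import Counter

SUCCESS_STATUS = 200        # assumed success criterion; use what your APM really returns
FAILED_LOGIN_THRESHOLD = 3  # constructed threshold for this demo

def basic_header(user, password):
    """Build an Authorization header value (used only for the constructed sample)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_auth_username(authorization):
    """Return the username from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    username, sep, _password = decoded.partition(":")
    return username if sep else None

def is_failed_login(status, body, success_status=SUCCESS_STATUS, success_string=None):
    """Positive validation: whatever does not match the success criteria is a failure."""
    if status != success_status:
        return True
    return success_string is not None and success_string not in body

def usernames_over_threshold(exchanges, threshold=FAILED_LOGIN_THRESHOLD):
    """exchanges: iterable of (authorization_header, response_status, response_body)."""
    failures = Counter()
    for authorization, status, body in exchanges:
        user = basic_auth_username(authorization)
        if user is None:
            continue  # no credentials sent (the initial 401 challenge) is not an attempt
        if is_failed_login(status, body):
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)

# Constructed sample traffic: failures are bare 401s with no failure string in the body.
SAMPLE = [
    (None, 401, ""),
    (basic_header("alice", "wrong1"), 401, ""),
    (basic_header("alice", "wrong2"), 401, ""),
    (basic_header("alice", "wrong3"), 401, ""),
    (basic_header("bob", "typo"), 401, ""),
    (basic_header("bob", "correct"), 200, "Welcome"),
]

if __name__ == "__main__":
    print(usernames_over_threshold(SAMPLE))  # ['alice']
```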