cancel
Showing results for 
Search instead for 
Did you mean: 

f5fpc linux client does it support client cert and username/secret auth?

Mike_Ho
Cirrus
Cirrus

I can't get the linux CLI client to log on successfully using client certificate and username/secret using a login form. Does the f5fpc linux client support authenticating with a client cert and username/secret?

 

From the server logs I see client cert auth is succeeding. However, it seems that the password (in my case an OTP) is not being received by the server, at least not into the variable "session.logon.last.password" we all know and love, which is resulting in RADIUS auth failure. I tried logging the password (in a test environment of course) per the docs I refer to below, and it's acting as though the variable doesn't exist (I get a TCL error from the "mcget -secure ..." custom variable assign, and when I try printing out the encrypted variable it prints an empty string.

 

Thus I'm doubting the OTP is even making it to the APM. How can I troubleshoot this further? I was going to try passing the traffic through a proxy like burp suite but it seems f5fpc doesn't support local proxy settings. I don't see anything useful in ~/.F5Networks/standalone.log and the APM logs are making it seem like the password isn't arriving.

 

I'm running client v. 7210.2020.0826.1 and BigIP v. 15.1.2.1.

 

I am familiar with these:

Using the Linux client f5fpc to connect to the BIG-IP APM network access for the first time

Creating a two-factor authentication access policy for use with the Linux f5f5pc command-line client

Using mcget -secure to decrypt and display a password for troubleshooting auth issues. (f5.com)

1 ACCEPTED SOLUTION

Mike_Ho
Cirrus
Cirrus

I'll answer my own question. The answer is yes you can use client certs in conjunction with username/password auth with the f5fpc client on Linux (on x86_64 and armhf).

 

The issue I was having (on 15.1.2.1) was as follows. The client cert check was the first step in my per-session policy. It took a lot of troubleshooting to identify that the client cert check results in the contents of session.logon.last.username and session.logon.last.password becoming empty for people using the f5fpc client! Thus my downstream RADIUS auth was failing due to the password having been lost.

 

I fixed this by doing a custom variable assign before the client cert check, moving session.logon.last.password into a custom secure variable, passing this new variable into the RADIUS auth later. It works swell!

 

I have a case open with F5 because this seems like a bug to me. If a KB gets issued as a result I'll do my level best to follow up here with that info. Probably nobody else is doing this, but just in case. Cheers.

View solution in original post

1 REPLY 1

Mike_Ho
Cirrus
Cirrus

I'll answer my own question. The answer is yes you can use client certs in conjunction with username/password auth with the f5fpc client on Linux (on x86_64 and armhf).

 

The issue I was having (on 15.1.2.1) was as follows. The client cert check was the first step in my per-session policy. It took a lot of troubleshooting to identify that the client cert check results in the contents of session.logon.last.username and session.logon.last.password becoming empty for people using the f5fpc client! Thus my downstream RADIUS auth was failing due to the password having been lost.

 

I fixed this by doing a custom variable assign before the client cert check, moving session.logon.last.password into a custom secure variable, passing this new variable into the RADIUS auth later. It works swell!

 

I have a case open with F5 because this seems like a bug to me. If a KB gets issued as a result I'll do my level best to follow up here with that info. Probably nobody else is doing this, but just in case. Cheers.