Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Getting basic auth prompt before apm logon page event

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus

‎03-Feb-2021 07:52

Hi

 

I´ve setup a basic login policy.

Check if client subnet is RFC1918, if yes do ntlm auth, if not go to logon page and do MFA login.

 

But.. when i access the VIP external i get a basic auth login prompt before the logon page, any tips on where to look?

 

/Kim

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus

‎16-Feb-2021 23:35

A quick update.

Latest rule is not correct, pasted the wrong one from the clipboard.

 

Here the latest.

when HTTP_REQUEST { 

 if { [IP::addr [IP::client_addr] equals "10.0.0.0/8"] or [IP::addr [IP::client_addr] equals "192.168.0.0/16"] or [IP::addr [IP::client_addr] equals "172.16.0.0/12"] } { 

  if { [ACCESS::session data get session.ntlm.last.result] eq 1 } {

    ECA::disable

  } else {

  ECA::enable

  ECA::select select_ntlm:/Common/ntlm_profile

  #log local0. "eca enabled"

 }

 } else {

  ECA::disable

  #log local0. "RFC1918 ECA disable"

 }

}

 

 

 

View solution in original post

0 Kudos
7 REPLIES 7

Go to solution
Daniel_Wolf
MVP
MVP

‎03-Feb-2021 14:20

Hi Kim

 

First guess - is there an upstream device that might do a NAT and the BIG-IP doesn't see the real client IP address?

 

There is a old question here, that offers a solution with iRule and XFF headers:

F5 APM - How to do IP Subnet match for IPs in header

 

KR

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus

‎03-Feb-2021 23:21

Did a tcpdump and i see the public ip. And i have a http xff profile added.

But I am guessing that the ECA profile applied to the VIP, which i guess will be run first.. I´ll try and add a public ip check in the irule before eca enable.

0 Kudos

Go to solution
Daniel_Wolf
MVP
MVP

‎04-Feb-2021 02:22

Did you actually check the APM Access Reports for this? This should, given the right log settings are applied, already give you a clue why you get a basic auth prompt instead of the MFA login.

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to Daniel_Wolf

‎04-Feb-2021 02:25

I´ve just checked the default log. But I am applying a new ECA irule, which disables ECA for RFC1918.

As I havent seen anything in the standard reports. So i guess this happens before APM kicks in.

0 Kudos

Go to solution
Daniel_Wolf
MVP
MVP

‎04-Feb-2021 02:46

Can you share the config / iRule(s) you are using?

 

Usually, when something seems off with iRules, I try to add logging and take a look at this reference:

iRule Event Order Flowchart

It shows iRules HTTP and ACCESS event order.

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to Daniel_Wolf

‎04-Feb-2021 04:01

when HTTP_REQUEST {

if { [ACCESS::session data get session.ntlm.last.result] eq 1 } {

ECA::disable

} else {

ECA::enable

ECA::select select_ntlm:/Common/ntlm_config

}

}

 

This the one used now, but want to try and change it to this instead.

 

when HTTP_REQUEST { 

 if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] or [IP::addr [IP::client_addr] equals 192.168.0.0/16] or [IP::addr [IP::client_addr] equals 172.16.0.0/12] } { 

  ECA::disable

 }

 elseif { [ACCESS::session data get session.ntlm.last.result] eq 1 } {

  ECA::disable

 } 

 else {

  ECA::enable

  ECA::select select_ntlm:/Common/ntlm_config

 }

}

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus

‎16-Feb-2021 23:35

A quick update.

Latest rule is not correct, pasted the wrong one from the clipboard.

 

Here the latest.

when HTTP_REQUEST { 

 if { [IP::addr [IP::client_addr] equals "10.0.0.0/8"] or [IP::addr [IP::client_addr] equals "192.168.0.0/16"] or [IP::addr [IP::client_addr] equals "172.16.0.0/12"] } { 

  if { [ACCESS::session data get session.ntlm.last.result] eq 1 } {

    ECA::disable

  } else {

  ECA::enable

  ECA::select select_ntlm:/Common/ntlm_profile

  #log local0. "eca enabled"

 }

 } else {

  ECA::disable

  #log local0. "RFC1918 ECA disable"

 }

}

 

 

 

0 Kudos
Copyright © 2023 Khoros, LLC