Google Authenticator implementation

Stefan_Klotz
Cumulonimbus

Hello,

We want to configure MFA/2FA using Google Authenticator (or at least the underlying time-based one-time password (TOTP) scheme).

We found several articles and guides here on DevCentral, but as some of them are quite a few years old and the referenced links no longer seem to work, I have some questions:

  • Is it really necessary to have the APM module activated for this? Based on one of the initial articles, it seems to be possible with just the LTM authentication profile. But when checking the options, I don't have the mentioned "LDAP" type available. I see only "SSL client certificate LDAP" (and two others).
  • What are pros and cons of an implementation with/without APM-module?
  • Based on the preferred solution is there any current/up-to-date configuration guide available, how to configure this?

Thank you!

 

Ciao Stefan 🙂

6 REPLIES

Stefan_Klotz
Cumulonimbus

OK, I at least got the APM solution to work, and I want to share the combined iRule with you, based on:

  • Google Authenticator Token Verification iRule For APM
  • Google Authenticator Verification iRule (TMOS v11.1+ optimized)

Maybe this is helpful for someone out there.

I did some testing and it looks fine so far, but maybe the experts can have a look at it as well. I tested this with version 13.0.0.

 

But besides this, I would still be interested in the options for getting this working without APM at all. Is this still possible via an authentication profile, or are these features no longer available in the latest TMOS versions?

 

Special thanks here to George Watkins and Kai Wilke for the good work!!!

 

Ciao Stefan 🙂

Denis_Figeys
Nimbostratus

Stefan,

 

Many thanks for updating and optimizing the code, as I am looking at implementing such a solution.

 

Unfortunately, there is one important part missing in all the documentation I have read so far: how to automate user registration. I have over 500 users; it is not possible or sustainable to add them manually to the local data group. Provisioning should be self-service.

 

Does anyone have a solution for implementing auto-provisioning of users and passcodes, or did you all use the same passcode for all users?

 

Thanks!!

Hi Denis,

 

I've implemented auto-enrollment with Google Authenticator using this code from Cody Green. It lacks good documentation, but it works.

 

https://github.com/codygreen/F5-MFA

 

Kind regards,

 

--Niels

Thanks Niels... it looks a bit like hacking the system. I wish F5 had provided us a better, standard way of achieving this.

 

Regards, Denis.

Stefan_Klotz
Cumulonimbus

Hi Denis,

It's quite a few months ago and I can't remember exactly, but I think I used the code provided by Niels above as well.

In general our logic now works as follows:

  • The user is shown the APM login page, where the normal AD credentials need to be entered
  • The credentials are checked via the AAA profile
  • If successful, a newly created AD attribute holding the shared secret is checked
  • If it is present, the OTP is computed via iRule and, in parallel, requested from the user on a second APM page -> if both are identical, access is granted
  • If it is not present, APM creates a new shared secret for that user via iRule/iRulesLX and displays it on a second APM page -> once the user confirms that they have activated this key in their mobile app, APM updates AD and saves the shared key for that user -> additionally, the OTP is computed and requested from the user as described above

So each user has to initialize their own OTP app the first time they use an MFA-protected VS. APM manages all users automatically via the AD attribute.

Hope that helps a little bit more.

 

Ciao Stefan 🙂
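The flow described in the post above (and the TOTP question from the opening post), as an added reference model that is not part of the original thread, of the referenced iRules, or of Cody Green's repository. It is written in Python rather than Tcl/iRules so it can be run and checked offline; the BIG-IP side would have to reproduce the same arithmetic. Assumptions: Google Authenticator defaults (30-second step, 6 digits, HMAC-SHA1), one step of clock skew accepted in each direction, and a plain dict standing in for the AD attribute or data group that stores each user's secret. The enrollment step here commits the secret only after the user enters a valid code, which is the check the post describes happening right after the user confirms activation.

```python
"""Added example: TOTP (RFC 6238 over HOTP/RFC 4226) plus the self-service
enrollment flow from the thread.  Not code from the original post."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # Google Authenticator default period
DIGITS = 6          # Google Authenticator default code length
SKEW_STEPS = 1      # accept previous, current and next step

# Constructed stand-ins for the AD attribute / data group in the thread (assumption).
PENDING_SECRETS: dict = {}   # secret shown to the user, not yet confirmed
USER_SECRETS: dict = {}      # committed secrets, keyed by user name


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret as unpadded base32, the form the app accepts."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Key URI for the enrollment page (normally rendered as a QR code)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def _decode_secret(secret_b32: str) -> bytes:
    # Tolerate lower case / spaces as typed by users and restore stripped padding.
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS)


def verify_totp(secret_b32: str, candidate: str, at: Optional[int] = None) -> bool:
    """Check the submitted code against the current step and +/- SKEW_STEPS."""
    if not (candidate.isdigit() and len(candidate) == DIGITS):
        return False
    step = (int(time.time()) if at is None else at) // STEP_SECONDS
    ok = False
    for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
        # Compare every step with a constant-time compare so timing does not
        # reveal which window matched.  A deployment should also remember the
        # last accepted step per user to refuse replay inside the window.
        ok |= hmac.compare_digest(hotp(secret_b32, step + delta), candidate)
    return ok


def start_enrollment(user: str, issuer: str, secret: Optional[str] = None):
    """No stored secret yet: create one and return (secret, uri) for the enrollment page.
    `secret` may be injected for testing; normally it is freshly generated."""
    secret = secret or generate_secret()
    PENDING_SECRETS[user] = secret
    return secret, otpauth_uri(secret, user, issuer)


def confirm_enrollment(user: str, code: str, at: Optional[int] = None) -> bool:
    """Commit the pending secret only once the user's app produces a valid code."""
    secret = PENDING_SECRETS.get(user)
    if secret is None or not verify_totp(secret, code, at):
        return False
    USER_SECRETS[user] = secret
    del PENDING_SECRETS[user]
    return True


def second_factor_ok(user: str, code: str, at: Optional[int] = None) -> bool:
    """Steady state: the user already has a committed secret; verify the code."""
    secret = USER_SECRETS.get(user)
    return secret is not None and verify_totp(secret, code, at)


if __name__ == "__main__":
    # Walk one user through enrollment and a later login, using a fixed clock.
    now = 1234567890
    s, uri = start_enrollment("alice", "example.org")
    print("show to user:", uri)
    print("enrolled:", confirm_enrollment("alice", totp(s, at=now), at=now))
    print("next login ok:", second_factor_ok("alice", totp(s, at=now + 30), at=now + 30))
```

The RFC 6238 test vectors (secret `12345678901234567890`, i.e. base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) give the six-digit codes 287082 at T=59 and 005924 at T=1234567890, which is a quick way to confirm that an iRule port computes the same values before pointing real users at it.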

Stefan,

 

Unfortunately, I cannot add or use an attribute in AD for this, hence I need to use the local data group.

 

Regards, Denis.