I'm trying to configure the APM functionality on a BigIP running 13.1.02 to support the "Change PIN" request of the Swivel Secure PINsafe authentication, but I seem to be hitting a more fundamental issue with the BigIP's RADIUS Access-Challenge support.
Normal RADIUS authentication against the Swivel authentication server is working fine.
The user logs in, with their credentials submitted over HTTP to the F5 and from there via a RADIUS Access-Request to the Swivel server:
If the user's PIN needs to be changed, the Swivel authentication server responds with a RADIUS Access-Challenge:
Code: Access-Challenge (11)
Packet identifier: 0xf2 (242)
[This is a response to a request in frame 2]
[Time from request: 0.021004000 seconds]
Attribute Value Pairs
AVP: t=Reply-Message(18) l=11 val=changepin
The F5 successfully detects this Access-Challenge and presents the user with a further login page containing the Reply-Message as the header (so "changepin" in this case), followed by a single input element (id "input_1", name "_F5_challenge") into which the user can type a response.
With the user's response typed into the single input element and the new form submitted, I can see in the HTTP request from the web browser to the F5 that the form variable "_F5_challenge" is correctly set to the value typed into the input element.
Looks good so far...
From the RADIUS RFC 2865:
"If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any."
I would therefore expect the F5 to use the value it received in the _F5_challenge HTTP form parameter as the new User-Password value within the RADIUS Access-Request that responds to the Access-Challenge.
This is not what I see – if I capture and decode this RADIUS Access-Request, I can see that User-Password carries the same value as the original RADIUS Access-Request from the initial logon page:
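The RFC 2865 challenge/response re-submission quoted above, as an added Python example (not the poster's code, nor anything from F5 or Swivel): it builds the initial Access-Request and then the re-submitted one with a fresh packet identifier, User-Password replaced by the response typed into the challenge form, and the State attribute echoed when the challenge carried one. The shared secret, user name, PIN values and State value are constructed; the Swivel challenge on this page carried only Reply-Message, so State is optional here.

```python
import hashlib
import os
import struct

# Packet code and attribute types from RFC 2865
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24

def xor_blocks(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block is keyed with
    MD5(secret + Request Authenticator)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ d for x, d in zip(data[i:i + 16], digest))
        out += block
        prev = data[i:i + 16] if decrypt else block  # ciphertext chains either way
    return out

def hide_password(password, secret, authenticator):
    return xor_blocks(password + b"\x00" * (-len(password) % 16), secret, authenticator)

def reveal_password(hidden, secret, authenticator):
    return xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(ident, username, password, secret, state=None):
    """Encode an Access-Request; ident must be fresh for every (re)submission."""
    authenticator = os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    if state is not None:
        attrs += attr(STATE, state)  # echo the State from the Access-Challenge, if any
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse(packet, secret):
    """Decode header and attributes, revealing User-Password with the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    attrs[USER_PASSWORD] = reveal_password(attrs[USER_PASSWORD], secret, authenticator)
    return ident, attrs

def challenge_flow(secret=b"constructed-shared-secret"):
    """Initial logon request, then the correct re-submission after an Access-Challenge."""
    first = build_access_request(0xF1, b"alice", b"1234", secret)
    # Constructed response to the "changepin" prompt (the value from _F5_challenge)
    second = build_access_request(0xF3, b"alice", b"5678", secret, state=b"constructed-state")
    return parse(first, secret), parse(second, secret)
```

Comparing the two decoded requests shows what a correct RADIUS client should send: a different identifier, a User-Password that decrypts to the challenge response rather than the original credential, and the State attribute present only in the re-submission.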