301a Study Guide and Lab
Hello, I have an old link for 301a and b exam prep materials on clouddocs.f5.com, but it seems missing now. Any idea where it was moved? This was the link I had: https://clouddocs.f5.com/training/community/f5cert/html/class7/modules/module1.html Thanks, Joanne

iRule to decrypt and rewrite RADIUS User-Password AVP
In the RADIUS protocol, the user's cleartext password is transmitted inside Attribute-Value Pair (AVP) 2, padded with null characters as necessary, and then encrypted by the shared secret by XOR'ing it across the authenticator somehow or other. The technical details of how this works are a bit above my level of understanding as I'm not a cryptography expert. We have an infrastructure where our PAN VPN Gateway prompts a user for their username and password. In our environment, after the password, the user appends a fixed-length HOTP token from a Yubikey. The backend FreeRADIUS server has been configured to decrypt the password received, extract the fixed-length token, and perform backend checks to our LDAP and token servers. FYI, the password is encoded as PAP prior to RADIUS encryption in our setup, which is why this works; CHAP would prevent this from working. We've been having trouble with the stability of our FreeRADIUS server and we would like to leverage our much more stable Aruba ClearPass infrastructure, which is load balanced globally with our GTMs and LTMs and highly stable. This also moves control of the RADIUS piece away from the systems team and onto the network team (me, specifically). Unfortunately, ClearPass doesn't have a direct mechanism to break the password from the token, and PAN doesn't have a way to transmit the token separately. This is where we would like to leverage an iRule. Basically, the way I envision this working is as such:

1. Decrypt the password+OTP that is received from PAN using the authenticator value and shared secret.
2. Rewrite AVP 2 as just the password, encrypted by the shared secret (make sure to adjust the length of the AVP).
3. Insert AVP 17 (which is not defined by the IETF) with the token (ClearPass can be configured to look for this by modifying its RADIUS dictionary).
4. Rewrite the length value at layer 7 if necessary - not sure if this would happen automatically by the F5; probably not.
5. Ship the modified RADIUS packet to ClearPass.

I know how to accomplish all of this on the ClearPass side, but my dev skills are weak, I'm not very familiar with Tcl, and I don't have a solid understanding of how to encrypt/decrypt the password correctly. I've searched high and low but the only solutions for decrypting the password seem to be written in languages that are even more difficult to understand, like C. I obviously understand it is too much to expect someone to write the entire solution for me, but any advice on where to start would be very helpful. I think the trickiest part for me would be the encrypt/decrypt step.

How to config BGP peering for F5 in HA-pair?
Hi, I've set up F5 BGP peering with a router and have a problem because we can't use a floating IP as the BGP neighbor IP address (https://support.f5.com/csp/article/K62454350). So we need to use a self IP as the BGP neighbor IP address. The problem is that this makes the router unable to decide which path is correct when it sends response traffic to F5: the active unit or the standby unit. The router can't know the status on F5. I tried adding a prepend on the BGP of the standby unit and it's fine, but when the standby unit takes over, it fails again. Is there a way to deploy BGP with an F5 HA pair? Thank you

Tcpdump Capture
Hello, I am trying to do a packet capture on the F5 LTM where F5 is just acting as a gateway; however, I am not able to capture the complete TCP stream. I just get the TCP 3-way handshake packets and there is no application data. Below is the syntax I am using. Please help.

tcpdump -s0 -venni 0.0:nnnp -w/var/tmp/dot_slowness_5.pcap host x.x.x.x

Where x.x.x.x is the source IP address.

Crontab for backups - Entries not running
Trying to configure a cron-based daily backup for a vCMP guest, running v13.1.1. As root, using crontab -e, I've added the following lines:

27 8 * * * /usr/bin/tmsh save sys ucs config1.ucs
29 8 * * * /usr/bin/scp /var/local/ucs/config1.ucs user@server:/backups/config1.ucs

After exiting, I've verified the changes have saved. Logs reflect that a change has been made. These jobs never happen, based on the timestamp of the backup not changing, nor is either job recorded in the logs. I can manually run the same commands, and they work successfully. Any help is appreciated.

AS3 declaration
In all the example declarations I've seen so far, it lists the virtual server name as serviceMain, and if I deviate from that by giving it my own virtual server name like testme123.example.com-80 it complains about not using serviceMain. How can we supply a different VS name in an AS3 declaration? Here is the error message. I used a Python GET request to send the declaration. I'm using a Simple HTTP AS3 declaration.

('Status Code:', 422, '\n', u'{"code":422,"errors":["/Sample_01/A1: should have required property \'serviceMain\'"],"declarationFullId":"","message":"declaration is invalid"}')

Using an asynchronous task | Creating UCS File
Hi, I am trying the following REST URL to create a task to generate a UCS file:

Method: POST
URI: mgmt/tm/task/sys/ucs/
Body: {"command": "save","name": "UCS01" }

So, I get back:

{
  "_taskId": 1563464422689504,
  "_taskState": "STARTED",
  "_taskTimeInStateMs": 0,
  "_taskResultLink": "https://localhost/mgmt/tm/task/sys/ucs/1563464422689504/result?ver=12.1.3.4",
  "selfLink": "https://localhost/mgmt/tm/task/sys/ucs/1563464422689504?ver=12.1.3.4"
}

Now, when I check the status:

Method: GET
URI: /mgmt/tm/task/sys/ucs/1563464422689504

I get back:

{
  "selfLink": "https://localhost/mgmt/tm/task/sys/ucs/1563464422689504?ver=12.1.3.4",
  "_taskId": 1563464422689504,
  "_taskState": "COMPLETED",
  "_taskTimeInStateMs": 5000,
  "_taskResultLink": "https://localhost/mgmt/tm/task/sys/ucs/1563464422689504/result?ver=12.1.3.4"
}

When I go to /var/local/ucs, I don't see the UCS created. Maybe I am missing something. Please advise.

If I don't use the "task" option, then it works. But I would like to use the task option to take advantage of asynchronous tasks. Thank you

Redundancy Between two Data Centers
Hello guys, I'm working on a new solution for a client. The client will be connected with two MPLS circuits to the primary data center (A), and another two MPLS circuits to the standby data center (B). I would like to fail over to B only if it's necessary (big outage in A or maintenance). There will be layer 2 between A and B (for different VLANs, like SQL replication, application, LTM network etc.). All LTM appliances will be virtual. I have two questions please:

1. Could I have a cluster with 4 LTMs (2 in each location), and in case of ESX/VM/storage/etc. failure, the virtual IPs will be moved to the B LTMs? (All traffic will go over the layer 2 circuit between the two locations.)
2. I had a quick conversation with someone from F5, and he mentioned that it's not a good idea to create one environment from two different locations. Do you know what the downside or potential problems are? Is there a better way to design it? The most important factor here is that the environment will be highly available (99.97% or more).

Thanks for your input!

F5 automation using pure iControl REST API and Ansible - Series: Introduction
Introduction: There are many articles covering F5 and Ansible integration using F5 Ansible modules, but no articles/details on using Ansible with the pure iControl REST API. Maybe it was intended to use the bigip Ansible modules with Ansible. This series will be helpful where there is no solution available with the existing F5 Ansible modules to configure a specific object. There are pros and cons of using the F5 Ansible modules directly.

Pros:
1) No need to understand the iControl REST API structure
2) Easy-to-use API with specific parameters to create a specific object

Cons:
1) For some modules there is limited functionality based on what is available in any specific module
2) The F5 password has to be put in each and every task
3) Creating a specific object depends on F5 module availability

Note: This series is intended for administrators who should have some hands-on coding experience or at least know the coding concepts.

Purpose: The intended goal of this series is to make the Ansible code generic enough that object creation is data driven and not code driven. Change the input data and the Ansible scripts should take care of configuring only the required objects.

Details: Administrators should have basic knowledge of the below to start with:

1) Ansible
a) Installation
b) Running a playbook
c) Ansible tasks and roles
d) Ansible variables and scope
e) Ansible inventory
f) Ansible uri module

2) iControl REST API
a) Understanding of the iControl REST API
b) How to retrieve objects using GET
c) How to create/update objects using POST/PUT
d) How to navigate through the REST APIs

References:

1) Install Ansible and F5 dependencies
https://clouddocs.f5.com/products/orchestration/ansible/devel/usage/getting_started.html

2) Run your first BIG-IP playbook with F5 Ansible modules
https://clouddocs.f5.com/products/orchestration/ansible/devel/usage/playbook_tutorial.html
https://clouddocs.f5.com/products/orchestration/ansible/devel/usage/connection-local-or-delegate-to.html

3) Understanding variables and inventory in Ansible
https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html
https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html

4) Understanding of the uri module
https://docs.ansible.com/ansible/latest/modules/uri_module.html#uri-module

5) Understanding of the iControl REST API
The iControl REST home page contains all the required links to understand iControl REST in detail. No need to go over the code samples presented in the series.
https://devcentral.f5.com/wiki/iControlREST.HomePage.ashx
iControl REST API Guide for 12.0.0
https://devcentral.f5.com/d/the-user-guide-for-the-icontrol-rest-interface-in-big-ip-version-120
iControl API Reference: properties of each object, with which parameters are mandatory and which are optional
https://devcentral.f5.com/wiki/iControlREST.APIRef_tm_ltm.ashx

6) Integration of F5 and Ansible
This article covers the links to all articles, including how to install Ansible and how to start using Ansible with the existing simple modules.
https://devcentral.f5.com/articles/automate-big-ip-in-customer-environments-using-ansible-27601

7) On-demand F5-related videos on Ansible
a) https://www.ansible.com/resources/webinars-training/automating-f5-big-ip-using-ansible
b) https://www.ansible.com/resources/webinars-training/fast-application-deployment-custer-use-case-with-ansible-f5-big-ip
c) https://www.ansible.com/resources/webinars-training/wwt-building-a-f5-solution-with-ansible-tower
d) https://www.ansible.com/resources/webinars-training/tackling-big-ip-blue-green-deployments-in-private-cloud-f5