BIG-IP APM Machine Cert Auth problem
Dear F5 Expert,

I have implemented BIG-IP APM SSL VPN auth with AD and Machine Cert Auth. AD auth works fine, but for Machine Cert Auth the debug log shows the cert is found and the key is verified successfully, and I don't know why APM didn't forward the client to the authentication page.

Here's my configuration: SSL self-signed with ZERO SSL, my SSL profile root domain and chain to ZERO SSL. In the APM VPE I just verify the machine cert and allow two options, verify key and not verify; I just check the cert SN only. Here's the CA profile: I just use the CA cert from ZERO SSL. And the last one, here's the log from the logon utility and the access report:

Info 2024-03-03 16:23:18:016 \CertCheckImpl.cpp, CCertCheckImpl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"false", Allow elevation UI:"true", Serial number(HEX):"00898ad22f5f67b4c15e15187d63d0592a", Issuer:"", SubjectAltName:""
Info 2024-03-03 16:23:18:016 \CertCheckImpl.cpp, CCertCheckImpl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:0&SN:00898ad22f5f67b4c15e15187d63d0592a&ISSUER:&SAN:, RootCertInfo:IS_TRUSTED:0, Nonce: cWQ2NDNQZHpDbzdKNnRvbWN5SW8=
Info 2024-03-03 16:23:18:017 \certinfo.cpp, CCertInfo::FindCertificateInStoreExt:, Total certs tested: 1
Info 2024-03-03 16:23:18:017 \certinfo.cpp, CCertInfo::FindCertificateInStoreExt:, Found matched certificate
Info 2024-03-03 16:23:18:023 \certinfo.cpp, CCertInfo::IsPrivateKeyPresent, GetPrivateKey succeeded: found private key.
Info 2024-03-03 16:23:18:023 \CertCheckImpl.cpp, CCertCheckImpl::CheckPrivateKey, The machine certificate has private key on this machine
Info 2024-03-03 16:23:18:033 \CertCheckImpl.cpp, CCertCheckImpl::Verify, Found key successfully using current user
Info 2024-03-03 16:23:18:033 \CertCheckImpl.cpp, CCertCheckImpl::CheckPrivateKey, Signing message succeeded
Info 2024-03-03 16:23:18:066 CUAgentHost::downloadNextAgent() - sending request to server "https://www.kotchagorn.com:10443/my.policy_host?dummy=45b47b8aeb5c96285f65f295ffa35237"
Info 2024-03-03 16:23:18:067 CUAgentHost::downloadNextAgent() - POST data "version=2.0&client_data=c2Vzc2lvbj0xMzJhNWY3YzhlYzgxODg5MmNiNjJhZmQ4M2MzYjFjYyZkZXZpY2VfaW5mbz1QR0ZuWlc1MFgybHVabT
Info 2024-03-03 16:23:18:166 <URL>/logon</URL>
Info 2024-03-03 16:23:18:170 EPCHECK \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::stop, waiting for worker thread to exit
Info 2024-03-03 16:23:19:534 EPCHECK \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::run, worker thread exit
Info 2024-03-03 16:23:19:536 EPCHECK \f5/EPCheck/MultiInstancePolicy.h, f5::EPCheck::MultiInstancePolicy<class EventSink>::stop, worker thread exit
Info 2024-03-03 16:23:19:545 CUAgentHost::~CUAgentHost() - enter
Info 2024-03-03 16:23:19:545 CAtlBrCon()::~CAtlBrCon()
Info 2024-03-03 16:23:19:545 CUAgentHost::~CUAgentHost() - exit
Info 2024-03-03 16:23:19:547 EPCHECK wWinMain, Endpoint check server process finished (res), 0

2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.certificate_revoked' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.certificate_verified' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate '
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.result' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert./Common/Kotchagorn_vpn_act_machinecert_auth_ag.signature_verified' set to '1'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_revoked' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_verified' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate '
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.result' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.signature_verified' set to '1'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.policy.inspectionhost.status' set to 'done'

Anyone please guide me.

Best Regards
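Reading the two halves of that log side by side (an added illustration, not part of the original post and not F5 tooling): the client-side lines show the Windows endpoint completing its part of the check, locating the certificate in LocalMachine\MY by serial number, finding its private key and signing the nonce, and the access report agrees, with signature_verified set to 1. What fails is the server-side chain build: certificate_verified is 0 and the error is X509 error 20 at depth 0, OpenSSL's "unable to get local issuer certificate". Depth 0 is the machine certificate itself, so APM could not find, in the CA bundle configured on the Machine Cert Auth agent, the certificate that issued the machine cert. A bundle that holds only a root CA when the machine cert was issued by that CA's intermediate fails in exactly this way; adding the issuing intermediate to the bundle is the usual fix. Because result ends up 0, the agent takes its failure branch and the logon page is never reached. The script below parses these session-variable lines and keeps the two questions (did the client prove key possession; could APM build a trust chain) apart; the embedded sample log is a constructed copy of the "last.*" lines above.

```python
"""Classify an APM Machine Cert Auth result from access-report log lines.

Added example; the SAMPLE_LOG is a constructed copy of the session
variables in the post above, and the diagnosis strings are this script's
own wording, not APM output.
"""
import re

SESSION_VAR_RE = re.compile(r"Session variable '(?P<name>[^']+)' set to '(?P<value>.*)'$")
X509_ERR_RE = re.compile(r"error #: (?P<code>\d+) at depth (?P<depth>\d+)")

# OpenSSL X509_verify_cert codes that mean "issuer not in the trust store":
# 2 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
ISSUER_NOT_FOUND = {2, 20}

SAMPLE_LOG = """\
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_revoked' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.certificate_verified' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.error_message' set to ' X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate '
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.result' set to '0'
2024-03-03 23:23:18 /Common/Kotchagorn_vpn:Common:83c3b1cc: Session variable 'session.check_machinecert.last.signature_verified' set to '1'
"""


def parse_session_vars(log_text, prefix="session.check_machinecert.last."):
    """Return {short_name: value} for the machine-cert session variables in the log."""
    found = {}
    for line in log_text.splitlines():
        m = SESSION_VAR_RE.search(line)
        if m and m.group("name").startswith(prefix):
            found[m.group("name")[len(prefix):]] = m.group("value").strip()
    return found


def classify(v):
    """Map the variables to a diagnosis: ok, client-key, revoked, chain or unknown."""
    if v.get("result") == "1":
        return "ok"
    if v.get("signature_verified") != "1":
        return "client-key: the client could not sign the nonce with the selected certificate's key"
    if v.get("certificate_revoked") == "1":
        return "revoked: the certificate is reported as revoked"
    m = X509_ERR_RE.search(v.get("error_message", ""))
    if not m:
        return "unknown: result=0 with no X509 error message"
    code, depth = int(m.group("code")), int(m.group("depth"))
    if code in ISSUER_NOT_FOUND:
        subject = "the machine certificate itself" if depth == 0 else "the intermediate at depth %d" % depth
        return ("chain: key possession proven, but APM has no issuer for %s (X509 error %d); "
                "add the issuing CA (usually the intermediate, not only the root) to the agent's CA bundle"
                % (subject, code))
    return "chain: X509 verify error %d at depth %d" % (code, depth)


if __name__ == "__main__":
    print(classify(parse_session_vars(SAMPLE_LOG)))
```

Pointing the script at a real access report (the "Session variable" lines for the session ID in question) works the same way; only the "last.*" copies are read so the agent-specific names do not matter.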
TACACS+ Timeout

Hi all,

I have been successfully authenticating to my F5 estate using TACACS handing off to AD for many years. I have now added another layer by integrating with my MFA platform, but cannot figure out how to alter/set timeouts for the MFA authentication. My configuration for TACACS is:

auth tacacs system-auth {
    protocol ip
    secret xxxxx
    servers { x.x.x.x y.y.y.y }
    service ppp
}

I have set the timeout with:

list auth tacacs system-auth timeout
auth tacacs system-auth {
    timeout 15
}

When I connect, I am prompted for MFA for both CLI and GUI. However, if I wait for 30 seconds, 1 minute, etc., the MFA session is still waiting and authenticates me when I accept the MFA challenge. Can anyone out there suggest what I'm missing in making the timeout time me out?
iControlREST: X-F5-Auth-Token does not exist

Hello, trying to commit a transaction programmatically in Java. A PATCH call to https://bigip.company.com/mgmt/tm/transaction/14990898300000?ver=12.1.2 with headers Content-Type: application/json, X-F5-Auth-Token: MMY23WRDKEBWIHXVJXMEFJEGF, and payload {"state":"VALIDATING"} returned code 401 with response {"code":401,"message":"X-F5-Auth-Token does not exist."...}. Any ideas? I can start a transaction and add actions fine.
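The full transaction sequence the post is working through, written out as an added example (not the poster's Java code and not F5's): log in for a token, POST to /mgmt/tm/transaction to open one, send each action with the transaction ID in the X-F5-REST-Coordination-Id header, then commit with PATCH {"state":"VALIDATING"} on the transaction object itself. The client uses those real endpoints and header names; the BIG-IP on the other end is a constructed in-memory stand-in that keeps a token table and answers exactly the 401 body from the post when the token it is handed is no longer known, which is what happens when a token has been deleted or has idled past its timeout (1200 seconds is the documented default) between opening the transaction and committing it. The host name is a placeholder, and the urllib transport is included for a live device but is not exercised offline.

```python
"""iControl REST transaction lifecycle against a fake BIG-IP (added example)."""
import json
import urllib.error
import urllib.request


class ApiError(Exception):
    def __init__(self, status, body):
        super().__init__("%s %s" % (status, body))
        self.status, self.body = status, body


class IControlClient:
    """Token login plus the transaction sequence; send() is the pluggable transport."""

    def __init__(self, host, send):
        self.base = "https://%s/mgmt" % host   # host is a placeholder, not a real device
        self.send = send                        # send(method, url, headers, body) -> (status, body)
        self.token = None

    def login(self, username, password):
        status, body = self.send("POST", self.base + "/shared/authn/login", {},
                                 {"username": username, "password": password,
                                  "loginProviderName": "tmos"})
        if status != 200:
            raise ApiError(status, body)
        self.token = body["token"]["token"]
        return self.token

    def _call(self, method, path, body=None, extra=None):
        headers = {"Content-Type": "application/json", "X-F5-Auth-Token": self.token}
        headers.update(extra or {})
        status, resp = self.send(method, self.base + path, headers, body)
        if status != 200:
            raise ApiError(status, resp)
        return resp

    def run_transaction(self, actions):
        """Open a transaction, queue each (method, path, body) into it, then commit."""
        tx = self._call("POST", "/tm/transaction", {})["transId"]
        coord = {"X-F5-REST-Coordination-Id": str(tx)}
        for method, path, body in actions:
            self._call(method, path, body, coord)
        # Commit is a PATCH on the transaction object; no coordination header on this call.
        return self._call("PATCH", "/tm/transaction/%s" % tx, {"state": "VALIDATING"})


def urllib_send(method, url, headers, body):
    """Transport for a real BIG-IP (pass an SSL context to urlopen for a self-signed cert)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as r:
            return r.getcode(), json.loads(r.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class FakeBigIP:
    """Constructed stand-in: a token table and a transaction store, no real TMOS."""

    def __init__(self):
        self.tokens, self.transactions, self.issued, self.next_tx = set(), {}, 0, 1000

    def expire(self, token):
        self.tokens.discard(token)   # same effect as the idle timeout or DELETE /mgmt/shared/authz/tokens/<token>

    def __call__(self, method, url, headers, body):
        path = url.split("/mgmt", 1)[1]
        if path == "/shared/authn/login" and method == "POST":
            self.issued += 1
            tok = "TOK%d" % self.issued
            self.tokens.add(tok)
            return 200, {"token": {"token": tok, "timeout": 1200}}
        if headers.get("X-F5-Auth-Token") not in self.tokens:
            return 401, {"code": 401, "message": "X-F5-Auth-Token does not exist."}
        if path == "/tm/transaction" and method == "POST":
            self.next_tx += 1
            self.transactions[self.next_tx] = []
            return 200, {"transId": self.next_tx, "state": "STARTED"}
        if "X-F5-REST-Coordination-Id" in headers:
            self.transactions[int(headers["X-F5-REST-Coordination-Id"])].append((method, path, body))
            return 200, {"queued": True}
        if path.startswith("/tm/transaction/") and method == "PATCH":
            tx = int(path.rsplit("/", 1)[1])
            return 200, {"transId": tx, "state": "COMPLETED", "commands": len(self.transactions.pop(tx))}
        return 404, {"code": 404, "message": "not found"}


def demo():
    """Run a two-action transaction, then show the 401 a dead token produces."""
    fake = FakeBigIP()
    client = IControlClient("bigip.example.com", fake)
    client.login("admin", "secret")
    done = client.run_transaction([
        ("POST", "/tm/ltm/pool", {"name": "tx_pool", "partition": "Common"}),
        ("POST", "/tm/ltm/virtual", {"name": "tx_vs", "destination": "10.0.0.1:443", "pool": "tx_pool"}),
    ])
    fake.expire(client.token)
    try:
        client.run_transaction([])
        failure = None
    except ApiError as e:
        failure = (e.status, e.body["message"])
    return done, failure
```

Against a real device, construct the client with urllib_send instead of the fake; if the commit is the only call that fails with this message, compare the token's remaining timeout (GET /mgmt/shared/authz/tokens/<token>) with the time spent queuing actions.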
Admin Auth via NPS Radius

Hi Everyone,

I am wanting to implement RADIUS auth of our BIG-IP administrators (GUI and SSH). RADIUS is a supported auth method, so we would like to use the Microsoft NPS services. Has anyone successfully implemented GUI/SSH authentication of BIG-IP administrators via RADIUS to Microsoft NPS? Would be great to hear of your learnings and any advice you can provide. TIA (currently running v16.1.3.1)
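The exchange behind an admin login over RADIUS, as an added example that is not from the post: the BIG-IP (NAS) sends an Access-Request with the PAP-hidden password, the server answers Access-Accept or Access-Reject, and the NAS must verify the Response Authenticator (an MD5 over the reply plus the shared secret) before it trusts the verdict, otherwise anything on the path could inject an Accept. The role the administrator lands in comes back as a vendor-specific attribute; the vendor ID 3375 (F5), attribute 1 (F5-LTM-User-Role) and role value 0 (Administrator) used here are taken from F5's RADIUS dictionary and should be confirmed against your version's documentation. The NPS side is a constructed stand-in with an in-memory user table; only the standard library is used.

```python
"""RADIUS Access-Request / Access-Accept with an F5 role VSA (added example, RFC 2865 framing)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, VENDOR_SPECIFIC = 1, 2, 32, 26
# Assumed from F5's RADIUS dictionary; confirm against the docs for your TMOS version.
F5_VENDOR_ID, F5_LTM_USER_ROLE, ROLE_ADMINISTRATOR = 3375, 1, 0


def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _vsa(vendor_id, vtype, value):
    return _attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vtype, 2 + len(value)) + value)


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _pap_xform(secret, req_auth, data, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: block i XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = block if decrypt else res
    return out


def _response_auth(code, ident, attrs, req_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def build_access_request(secret, ident, username, password, nas_id=b"bigip-01"):
    """NAS side: PAP Access-Request; the random Request Authenticator is kept for checking the reply."""
    req_auth = os.urandom(16)
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\0")
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, _pap_xform(secret, req_auth, padded))
             + _attr(NAS_IDENTIFIER, nas_id))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def nps_handle(secret, request, users):
    """Constructed NPS stand-in: check the password, attach the F5 role VSA on accept."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(_parse_attrs(request[20:]))
    entry = users.get(attrs.get(USER_NAME))
    if entry and _pap_xform(secret, req_auth, attrs[USER_PASSWORD], True).rstrip(b"\0") == entry["password"]:
        code, rattrs = ACCESS_ACCEPT, _vsa(F5_VENDOR_ID, F5_LTM_USER_ROLE, struct.pack("!I", entry["role"]))
    else:
        code, rattrs = ACCESS_REJECT, b""
    return _packet(code, ident, _response_auth(code, ident, rattrs, req_auth, secret), rattrs)


def check_reply(secret, reply, ident, req_auth):
    """NAS side: refuse any reply whose authenticator does not verify, then read the role VSA."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    if rid != ident or reply[4:20] != _response_auth(code, rid, attrs, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    if code != ACCESS_ACCEPT:
        return None
    for atype, val in _parse_attrs(attrs):
        if atype == VENDOR_SPECIFIC:
            vid, vtype, _ = struct.unpack("!IBB", val[:6])
            if vid == F5_VENDOR_ID and vtype == F5_LTM_USER_ROLE:
                return struct.unpack("!I", val[6:10])[0]
    return None   # accepted with no F5 role VSA: BIG-IP falls back to its default remote-user role


def demo(users=None, secret=b"shared-secret"):
    """Returns (role from a genuine reply, whether a forged Access-Accept was rejected)."""
    users = users or {b"alice": {"password": b"correct horse", "role": ROLE_ADMINISTRATOR}}
    req, req_auth = build_access_request(secret, 7, b"alice", b"correct horse")
    role = check_reply(secret, nps_handle(secret, req, users), 7, req_auth)
    forged = _packet(ACCESS_ACCEPT, 7, os.urandom(16), b"")   # an Accept built without the secret
    try:
        check_reply(secret, forged, 7, req_auth)
        return role, False
    except ValueError:
        return role, True
```

Two practical consequences follow from the code: the password hiding is only as strong as MD5 keyed by the shared secret, so the NPS link should be on a management network or wrapped in IPsec, and an Accept that carries no F5 role attribute is still an Accept, so the default remote-user role on the BIG-IP decides what such a login can do.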
Testing for iControl auth errors

Hi folks, one of my clients noticed API auth errors after upgrading the systems to TMOS v15.1.5.1. When trying to use a newly created auth token to access LTM objects via the API, the system returns a 401. After retrying with the same token the access is successful most times. As a workaround, a latency was applied in his management framework. The issue can be observed in all possible combinations under TMOS v15.1.5.1:

- using admin or a specific user
- using local and remote authentication/authorization
- using the mgmt interface and inband management

Even though you might run the script on the F5 itself, I would recommend not running it on the device under test. The script can be configured to use specific accounts, out-of-band or inband management, and a number of test cycles. A latency (delay) can be configured to determine the safe amount of time between token generation and token usage. In each test cycle a new token is created and the token is deleted afterwards, as the number of active tokens is limited. The script stops after a failed second attempt with the same token or after reaching the configured number of test cycles.

# python script: pyapitest.07.py
# version: 0.7 (2022-06-22)
# author: Stephan Manthey
# purpose:
#   retrieve auth token
#   list example pool configuration with token based auth via inband management IP (self IP)
#   use configurable delay between token generation and token usage
# module requests required (installed via Python PIP):
#   su -c 'yum install python-pip'
#   su -c 'sudo pip2 install requests'
#   su -c 'sudo pip3 install requests'
# or:
#   su -c 'yum install python-requests'
#   su -c 'yum install python3-requests'
# usage:
#   python pyapitest.07.py
# notes:
#   tested with python 2.7 and python 3.6

import sys
import time
import json
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# specify username
username = '<username>'
# specify passphrase
password = '<passphrase>'
# specify BIG-IP self IP address (inband management IP) or
# specify BIG-IP mgmt IP address (out of band management IP)
bigipdev = '<management-ip>'
# using a sample pool provided automatically by the API
# (do not change)
poolname = 'example'
# specify latency in milliseconds
# (delay between auth token generation and token usage, also used for the retry)
sleep_ms = 2
# specify number of loops
loop_count = 2000

authpath = 'https://{}/mgmt/shared/authn/login'.format(bigipdev)
conthead = {'Content-Type': 'application/json'}
authdata = {'username': username, 'password': password}
session = requests.Session()

for loop in range(1, loop_count + 1):
    authtime = time.time()
    # step 1: request a fresh token
    tokenrequest = session.post(url=authpath, data=json.dumps(authdata), headers=conthead, verify=False)
    # print('getting auth token: {:f}'.format(time.time() - authtime))
    if tokenrequest.status_code == 200:
        tokendata = tokenrequest.json()
        xauthhead = {'X-F5-Auth-Token': tokendata['token']['token'], 'Content-Type': 'application/json'}
        querypath = 'https://{}/mgmt/tm/ltm/pool/{}'.format(bigipdev, poolname)
        # step 2: wait the configured latency, then use the token
        # print('sleeping: {} millisecond(s)'.format(sleep_ms))
        time.sleep(sleep_ms / 1000.0)
        poolcheck = session.get(url=querypath, headers=xauthhead, verify=False)
        # print('1st response: {:f}'.format(time.time() - authtime))
        if poolcheck.status_code == 200:
            pooldata = poolcheck.json()
            # print(pooldata)
        elif poolcheck.status_code == 401:
            # step 2b: retry once with the same token after the same latency
            print('pool list 1st auth error ({}), sleeping {} ms, retrying loop {}:'.format(poolcheck.status_code, sleep_ms, loop))
            time.sleep(sleep_ms / 1000.0)
            poolcheck = session.get(url=querypath, headers=xauthhead, verify=False)
            if poolcheck.status_code != 200:
                print('pool list 2nd auth error ({}), stopping in loop {}:'.format(poolcheck.status_code, loop))
                break
            else:
                print('pool list 2nd attempt succeeded ({}) in loop {}, continuing'.format(poolcheck.status_code, loop))
        else:
            print('pool list error ({}), stopping in loop {}'.format(poolcheck.status_code, loop))
            break
        # step 3: delete the token so the active-token limit is not exhausted
        tokendelpath = 'https://{}/mgmt/shared/authz/tokens/{}'.format(bigipdev, tokendata['token']['token'])
        tokendelete = session.delete(url=tokendelpath, headers=xauthhead, verify=False)
        # print('deleting auth token: {:f}'.format(time.time() - authtime))
        if tokendelete.status_code != 200:
            print('token delete error ({}), stopping in loop {}'.format(tokendelete.status_code, loop))
            break
    else:
        print('getting token auth error ({}), stopping in loop {}'.format(tokenrequest.status_code, loop))
        break
# print('successful iterations: {}'.format(loop))
iPad cert based auth not working

Has anyone here recently experienced an issue with cert-based auth with iPads? I have configured LTM v13.1.1 with CBA via the client SSL profile; it's working fine with iPhones, and Edge and Chrome browsers on Win10 clients etc. Only iPads have an issue. The issue appears to be related to iPads running v12.x onwards. Certs are being deployed via MDM; an iPad with v11.x was working OK until it was upgraded to v12.4.1. Also tested on beta iOS v13 today with the same outcome. Clicking on a link with auth using an x509 cert results in a "page cannot be displayed" SSL error. No client cert auth prompt is displayed. Anyone else?
BIG-IQ 5.2.0 HA Pair, Login Using RADIUS Auth Provider

Hi,

We set up an Auth Provider for authentication and authorization using a RADIUS server. The BIG-IQ version is 5.2.0, and on the primary we can log in using an account from the RADIUS auth provider. Because the BIG-IQ is an HA pair, the configuration from the primary is synced to the secondary. When we open the secondary BIG-IQ, the RADIUS auth provider selection is present on the login page. But when logging in with a RADIUS server account on the secondary BIG-IQ, there is an error:

What does the error mean? Can anyone explain it to me? Thank you
VMWare VDI APM Design

I used the VMView iApp, and an access policy (for client access) was created for me. I wanted to additionally use 2FA, so I modified the policy to include RADIUS. At the moment, though, I have two independent logon pages where credentials are input on each screen, e.g.:

Start
Client Type (VMware View)
View Logon Page (1-user, 2-PIN and One Time Password)
Radius Auth
View Logon Page (1-user, 2-AD Password)
AD Auth
NAT Variable Assign
View Client Resource Assign

What I'd like is a single logon page for the user to input three fields: 1-user, 2-AD Password, 3-PIN & OTP, and then have the relevant input passed to the relevant auth, so I end up with:

Start
Client Type (VMware View)
View Logon Page (1-user, 2-AD Password, 3-PIN and One Time Password)
Radius Auth
AD Auth
NAT Variable Assign
View Client Resource Assign

Could someone help with this?