authentication
55 Topics

Using OpenID Connect to authenticate users
Hello all, I want to use OpenID Connect to authenticate my users before they gain access to one of my applications. I want to use my BIG-IP as OpenID Provider (i.e. the entity that authenticates the users). My issue is the following: the OpenID Provider (my BIG-IP) never provides me with an ID Token. All I have is an "Access Token" and a "Refresh Token" but no "ID Token".

Below is a description of my lab:
resource owner: ip address 10.10.255.1
BIG-IP OpenID Provider: virtual server ip 10.10.255.221 (see below for the access policy) *The agents are left with their default values.
Client: I use the OpenID Connect debugger (https://oidcdebugger.com/) in order to request the authorization code. Then I request the tokens using HTML code.

I do the following for testing: I request the authorization code from the authorization server (i.e. my virtual server). For this I use the OpenID Connect debugger to construct the request for me. Here is the request that I send:

?client_id=e1111098ccff5f81859f9fc83eaa000c29267803efc0bb5b
&redirect_uri=https://oidcdebugger.com/debug
&scope=openid myscope
&response_type=code
&response_mode=form_post
&state=toto
&nonce=7r8saarltr

After sending this request I enter my credentials (in the logon agent), I click on authorize, and then the virtual server correctly redirects me to:

https://oidcdebugger.com/debug code=cae85f6fd33c6b27f56f536b6fd9af2ca0fc78e69ac3d13799533c143b38b4ac&state=toto

I now have a correct authorization code that I can exchange for an "access token" AND an "ID Token". I then send a POST to get the access and ID tokens using the following HTML code: *note the presence of "openid" in the scope parameter. However, this is what I get from the authorization server (see in the comment): -> I have no "ID TOKEN" ☹

Could you please help me configure my access policy so that it supports OpenID Connect and sends me an "ID Token"?

Radius Authentication role not working
Hi Guys, We set up authentication using this article: https://support.f5.com/csp/article/K14324#3 But when we log in using the accounts on the RADIUS server, F5 sets the user as an admin account even though the account should be read only. Are we missing some configurat

Form Based Authentication with Tomcat not working on F5
I have a virtual server on the BIG-IP with an SSL client profile. The backend Tomcat server is accessible via HTTP and offers the Tomcat form based authentication. I always get "Wrong Username or Password". It seems the Tomcat responds with status 302 and redirects to an HTTP URL, but even when enabling rewriting to HTTPS I can't get it to work. It seems the session information or cookie gets lost, but I am stuck in analysis. As the Tomcat form based authentication is a standard, I wonder if someone is using this and got it working. Kind regards, Daniel

AD Authentication using multiple user attributes
Hello, maybe someone had this problem before and could advise me with a solution. We have APM running with SAML for some users and a logon page with AD auth for the rest of the users. Right now one of our customers made a trust relationship with our AD and they are supposed to authenticate to our app using their credentials. This works fine for most of the users; however, there is a group of them that wants to use email for this. I can't figure out the way to verify the email, match it with a certain samaccountname and then authenticate the user based on this samaccountname like the rest of the users. I tried with AD query configuration, tried with LDAP auth instead of AD auth because you can add a filter there. It ends up being broken for users either with email as username or a regular one. I thought about using an iRule for this to verify the variable value and if it contains "@" to do something, but I don't see the possibility to switch authentication based on iRule output. Any ideas?

BIG-IP v14: Expired Password Prompt for Remote Auth Users
We recently upgraded from BIG-IP v13 to v14. We used remote authentication while on the previous version and users had no issue logging in with their AD credentials. After the upgrade, some of these users are being prompted by the BIG-IP to update their password because it is expired, but this is only on the BIG-IP. When a password is actually expired, users will be prompted to change it when they try to log in to the employee portal. The same users prompted by the BIG-IP have no problem logging in to the employee portal. We've never seen this happen to users before and I have no idea what setting on the BIG-IP would enable/disable this check. Does anyone know what controls this? Can it be disabled? Thanks!

Help troubleshooting AD Auth on F5 LB
Hi All. We're trying to configure AD auth and running into major issues. The strange thing is that telnet succeeds, I've reset and confirmed the bind user's password, and have reset and confirmed the test AD user password. Any help will be much appreciated!

Successful connection on 389 and 3269:

[admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 3269
Trying <AD IP>...
Connected to <AD IP>.
Escape character is '^]'.
[admin@lb1:Standby:Changes Pending] log # telnet <AD IP> 389
Trying <AD IP>...
Connected to <AD IP>.
Escape character is '^]'.

In /var/log/secure, I see:

Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie DE71A3EB7E09C285EE804A880D473DA378684CCB - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie F69E5702BC54A5517DD6CF34EFB66C09E2939501 - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:37 lb1 warning httpd[8867]: [warn] [client <IP>] AUTHCACHE Error processing cookie ED2B8DAF7E221E2572F7094214AAB91947FE048D - Cookie user mismatch, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: reconnecting to LDAP server...
Apr 21 19:43:37 lb1 err httpd[8867]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Apr 21 19:43:37 lb1 warning httpd[8867]: pam_unix(httpd:auth): check pass; user unknown
Apr 21 19:43:37 lb1 notice httpd[8867]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=<IP>
Apr 21 19:43:38 lb1 err httpd[8867]: [error] [client <IP>] AUTHCACHE PAM: user 'devf5test' (fallback: false) - not authenticated: Authentication failure, referer: https://<F5 IP>/tmui/login.jsp?msgcode=1&
Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021").
Apr 21 19:43:38 lb1 info httpd(pam_audit)[8867]: 01070417:6: AUDIT - user devf5test - RAW: httpd(pam_audit): User=devf5test tty=(unknown) host=<IP> failed to login after 1 attempts (start="Wed Apr 21 19:43:37 2021" end="Wed Apr 21 19:43:38 2021").

Remote authentication with user specific role
Hello everyone, I was wondering how I could assign specific roles to each user I'm expecting on our systems. I know that if I create a local user with the same username as in the remote authentication server I can achieve exactly that. But we are using TACACS+ with ISE and multiple domains. If I try to create a user without the domain name it won't match, and I cannot create a local user with '\' like "domain\username". It would be the most convenient solution to let the support partner log in as auditor on normal days but make exceptions when the **bleep** hits the fan. Of course I have multiple workarounds like making exceptions on ISE or AD, but these systems are under another unit's control. Also, even temporarily changing the whole remote role group's role would be a security risk. Any idea? How could I match the remote username with the local ones? What is your best practice for handling external contractors' access to your systems? All the best, Bazsi

Office 365 SAML token rejection
I have configured the Office 365 SAML iApp for authentication, and to all intents and purposes it looks as though APM is successfully authenticating a user and issuing a token. However, when the token is submitted to Office 365 I receive the response: "Sorry but we're having trouble signing you in. We've received a bad response. AADSTS50000 there was an error issuing a token." I'm using a URI as an identifier as opposed to a URN. I've investigated as much as I can (but am by no means an expert), confirming certificate thumbprints are uploaded to O365 and time is in sync. I have dug into the HTTP requests with Fiddler. I can see the SAML request and response. I see it submitted in the header to O365. Verified users are synchronised to Azure AD. Furthermore, I've checked for additional proceeding slashes in the configuration between APM & O365. Really struggling to understand the problem. Any suggestions/help would be greatly appreciated.

What kind of account do I need to access the REST API?
I'm having issues in accessing the API, I think. I get Error 401 whenever I use my credentials, which I believe already have admin privileges. Is there a way to access the API without using the "admin" account? Edit: How do I check if my account has admin privileges? Below is my code:

import requests

# Suppress the warning caused by verify=False below (self-signed BIG-IP cert)
requests.packages.urllib3.disable_warnings()

uname = 'myaccount'
pw = 'mypassword'

# Reuse one session with HTTP basic auth for every iControl REST call
req = requests.session()
req.auth = (uname, pw)
req.verify = False
req.headers.update({'Content-Type': 'application/json'})

uri = 'https://[host]/mgmt/tm/ltm'
response = req.get(uri)
print(response.text)

Result:

{"code":401,"message":"Authorization failed: user= resource=/mgmt/tm/ltm verb=GET......."}

root password recovery on VE with remote authentication
I'm trying to reset the root password on a VE LTM. When I try to go to the GUI, I get a 500 gateway error. When I try to log in via SSH, my password doesn't work. I can reboot into single user mode following K4178 and mount the filesystems and "chroot /sysroot" per K35811337. However, when I run "passwd root", I get an error saying "the user root is currently authenticated from a remote source". Root shouldn't be remotely authenticated. Any suggestions of how to proceed from here? There's nothing important in the configuration currently, so I'm not concerned with keeping the existing config intact.