F5OS Radius failures with Clearpass
Hello, First post ever on devcentral so I ask that you take it easy on me haha. Anyways, recently stood up some new R-series F5s and F5OS is a new world for me. Currently running iSeries appliances. Going through some of the basic configurations and I've made my way to authentication. I've added radius as one of my accepted authentication options and created my server group with the clearpass server attached in that group. Selected radius, put in the correct IP, radius secret, etc. Per the documentation it looks good. Going into clearpass for those familiar - Created my new F5 device, put in the shared secret, added new device to my existing F5 device group. Essentially all I've ever had to do when working with other vendors. Attempting logins with my user account I get hit with "Permission Denied" at the login screen. This is where I am lost. I check clearpass, my access tracker says I successfully authenticated. Clearpass shows no obvious issues. I log back into F5OS with my local admin and I check the login activity. Shows my user account and a big ole "Success" for the login attempt. I apologize for the word salad. I was trying to put my process out there including that both F5OS and Clearpass seem happy with my attempt but the F5OS login page says denied. Anyone have any R-series appliances using clearpass for radius and authentication? I'm curious what I'm missing.
R-Series after upgrading to 1.8 - RADIUS Auth stopped working
Radius user authentication was working just fine while running v1.40. After upgrading to 1.80 any attempt is "Failed authentication." Running tcpdump does not show any traffic going to the RADIUS server and the RADIUS server has not entry of the failures in it's log. I have deleted and recreated the radius server group - that did not help. I have deleted and recreated users - that did not help. Any guidance for what to try next is appreciated. Dave
F5 & TACACS communication
Hello Community, I am currently working to find RCA for an issue in which during Datacentre fail-over testing, we unable to to login to F5 and assuming their is communication issue between F5 and TACACS Server, and I have a few questions regarding how the authentication process works and how failover occurs when the primary TACACS server is unavailable. Here are my questions: Packet Exchange: How does TACACS function at the packet level when F5 sends authentication requests? What types of packets are exchanged between F5 and the TACACS server during authentication? Failover to Secondary TACACS Server: When the primary TACACS server is down or unreachable, how does F5 detect this and automatically send authentication requests to the secondary TACACS server? What type of packets and log entries should we see on the F5 side when this occurs? Timeout and Retry Behavior: How many retry attempts does F5 make before switching to the secondary TACACS server? How long does F5 wait before retrying, and is this configurable? I would appreciate any insights, best practices, or references to relevant documentation that can help clarify these points. Even packet capture also helps as this is not feasible for me to reproduce issue. Thanks in advance for your help! Best regards, Pradeep
Problems with F5 Rseries and LDAPs for remote authentication
Good afternoon I'm having some problems getting remote authentication to work on my Rseries computer over LDAPS, when debugging I get the following error: Can't contact LDAP server: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate) I have followed several guides and consulted different articles, but I can't find any of them which fields are mandatory and which aren't. My question is regarding the fields: Cipher String, TLS CA Certificate and TLS Key. Is it mandatory to fill in these fields? What happens if they are left empty? Best RegardsHA Active Directory for F5 authentication
I have two f5 Big-IP wit LTM module in HA. I have configured Admin authentication in BIG-IP through Remote Active Directory and It works properly. The challenge is I have several synchronized AD servers and I would like to achieve HA in Big-IP authentication. I have created a pool with my AD servers with a custom LDAP monitor and It seems that works because all members look up in the pool. I also created a virtual server that listen in port 389 and use the AD server pool as default pool. However, when I set the host value to virtual server IP in system-->users-->authentication, all authentication attempts fail. Is required an special configuration in virtual server to make it work?BigIP APM Oauth - set to 'Failed to perform curl: Failure when receiving data from the peer'
We've been dealing with a issue when an Oath token is sent to Azure for authentication using XXX.session.oauth.client.last.auth_redirect: login.windows.net/XXXXX/XXXX session.oauth.client.last.auth_resule 0 We are constantly seeing the error and causing out Oath Client to be denied. We are able to perform a "discover" in the Provider and able to "dig" to the Azure Enterprise. Our DNS Resolver is able to resolve DNS as per guide. Has anybody come across this and can point us in the right direction? The only way we can make is work is to change the APM policy to "fallback" Allow OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/Azure_Oauth_Server' using 'authorization_code' grant type (client_id=XXXXXXXXXXXXXXXX), error: Failed to perform curl: Failure when receiving data from the peer Session variable 'session.oauth.client./DC-TEST/OAuthClientToAzureAD_act_oauth_client_ag.authresult' set to '0' Session variable 'session.oauth.client./DC-TEST/OAuthClientToAzureAD_act_oauth_client_ag.errMsg' set to 'Failed to perform curl: Failure when receiving data from the peer Session variable 'session.oauth.client.last.authresult' set to '0' OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'client_secret=********'OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'grant_type=authorization_code' OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'redirect_uri=https://our.test.website.com/oauth/client/redirect OAuthClientToAzureAD_act_oauth_client_ag: OAuth: Request parameter 'code=********' OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/Azure_Oauth_Server' using 'authorization_code' grant type (client_id=XXXXXXXXXXXXXXX), error: Failed to perform curl: Failure when receiving data from the peer If we change the Access Policy "fallback" to "Allow" the user is then allowed to reach the backend application but would have otherwise been denied. It seem during the Oauth Client process the token request is rejected Previously we were seeing the error below which we resolved by making sure the DNS resolver could resolve DNS correctly. OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/AzureAD_Server' using 'authorization_code' grant type (client_id=d7b3f856-6053-462b-a8f3-c2820e2a4c6c), error: HTTP error 503, DNS lookup failed
APM HTTP auth - POST
with APM, I need to build the following flow - user logs on APM logon page, credentials are validated with LDAP auth - those credentials are sent to an existing auth webserver, with a POST (HTTP auth) - that auth webserver replies with the same username (as the one sent in the form) if authorized Question: can we use session variable in the "Successful Logon detection match value" field, as we look for "specific string in response"? Anyone successfully implemented that?NTLM Machine Account Issues - APM
Good afternoon - I am hoping someone can point me in the right direction. I'm trying to use the iApp to deploy RDP Gateway using APM (using this template - ). Part of the config is to create a new NTLM Machine account. I had no issues creating the account - and the iApp deployment went swimmingly well. I also verified that the machine account showed up in AD as a computer account. However, I am seeing these errors in the APM logs: May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> nlclnt[2a8e2c794]: is now initializing. May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> NLAD_TRACE: cli_full_connection(output_cli = (nil), my_name = "F5LAB", dest_host = "domaincontroller.domain.local", port = 445, service = "IPC$", service_type = "IPC", user = "F5LAB$", domain = "DOMAIN") May 15 17:40:32 f5lab debug nlad[6379]: 01620000:7: <0x56900b70> NLAD_TRACE: cli_full_connection(output_cli = (nil)) = 0xC000006D May 15 17:40:32 f5lab err nlad[6379]: 01620000:3: <0x56900b70> nlclnt[2a8e2c794] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 10.11.12.13 I also cannot renew the NTLM account password from the GUI as I get this error: Could not connect to domain domain controller of realm 'domain.local' machine account update for 'f5lab' failed: Preauthentication failed, principal name: f5lab@domain.local. Invalid user credentials. (-1765328360) I'm running on 12.1.3.4 and have tried the following: Recreated the NTLM account, multiple times. I know I have permissions as the account does show up in AD, and I do have domain admin level permissions Restarted the eca service (bigstart restart eca) Restarted the nlad service (bigstart restart nlad) Restarted the F5 appliance itself. Verified that the DNS settings are configured properly. The F5 is able to resolve the domain controller IP from the alias. No firewall exists between this F5 and the domain controller. Has anyone seen this and if so - can anyone point me in the right direction? I thought I'd try here before opening a support ticket with F5.Outlook Anywhere and NTLM authentication
Hello, I am trying to achieve Outlook Anywhere with basic-NTLM and Kerberos SSO. I followed the DG and am stucked at NTLM authentication. When I create the NTLM Machine Account the logs say that it joined the domain, then I create the NTLM Auth Configuration with my domain and DCs. After that I see this messages in the logs: nlad[11851]: 01620000:3: <0x2b3374f71700> nlclnt[12a02a8c0] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 192.168. I added some Exchange groups to the machine account and enabled delegation for http with Exchange servers. I then try to renew machine account password but I have this error: adutil[16625]: 01490274:5: (null):Common:00000000: New master key received. adutil[16625]: 01490200:3: ERROR: Could not connect to domain domain controller of realm 'EXAMPLE.AD' adutil[16625]: 01490200:3: WARNING: machine account update for 'f5apm' failed: Preauthentication failed, principal name: f5apm@EXAMPLE.AD. Invalid user credentials. (-1765328360) Then I took a look at Kerberos trafic and could see that the bigip can't get a Kerberos ticket: At this step I am not even talking about Kerberos SSO which I think has nothing to do with NTLM. I have found K33692321 but it doesn't help. I also took a look at K08915521. It says that it may be a domain name or NetBIOS name issue but I know that my domain is EXAMPLE.AD and NetBIOS EXAMPLE. Does someone already managed to make this work ? It is a standard configuration so am I missing something Windows side ? Best regardsECA plugin documentation in the wiki
I'm running 11.4.1 and trying to figure out NTLM auth. I'm following a guide I found on devcentral but it's not working for me. I see there's a plugin ECA that enables NTLM authentication, however the documentation is...well, not present. The Wiki says that 11.3.0 introduced "ECA::metadata" however when I try using that in my iRule I get a syntax error: 01070151:3: Rule [/XXX/ntlm-auth-iRule] error: /XXX/ntlm-auth-iRule:44: error: [undefined procedure: ECA::metadata][ECA::metadata select_ntlm:$static::ntlm_config] So apparently ECA::select works - by which I mean that I get no errors when I save the iRule. However, the iRule is not working. I am having a hard time troubleshooting because ECA is such a black box.
