Complete MFA solution with GA stored in Active Directory
Problem this snippet solves: All modern business applications require Multi-Factor Authentication (MFA) to be used for remote access by employees. There are many vendors on market selling enterprise MFA solutions that may be utilised with F5 BIG-IP Access Policy Manager (APM). Those solutions are complex and allow customers to create flexible policies which allow them to decide when and whom will be authorised to access protected applications. But what about those customers which have no needs for using complex enterprise solutions or does not have adequate budget for such spendings? How to use this snippet: For those customers I would like to present my One-Time Password (OTP) application which requires BIG-IP LTM/APM/iRulesLX. Shared secret value is stored in Active Directory and QR code is generated in user's browser. All you need after implementing this application on your BIG-IP is. to ask your users to get any OTP-compatible mobile application, like Google Authenticator or Microsoft Authenticator Please see https://github.com/akhmarov/f5_otp/ for instructions UPDATE 1: New version now support APM 15.1+ Modern Customization UPDATE 2: Added trusted device support UPDATE 3: Added multi-tenancy support Tested this on version: 15.1
APM Google Authenticator HTTP API
Problem this snippet solves: George Watkins already shared various codes allowing to authenticate users with Google authenticator on APM by executing VPE irule event. This code create a HTTP API that respond if authenticator code is valid and can be used as an HTTP Auth server by APM. 3 URLs are included on this API : /authenticator : Authenticate user with cleartext userkey /secured-authenticator : Authenticate user with AES encrypted user key /encrypt : encode cleartext user key to encrypted user key. this feature is not secured and can be removed if VS is allowed from large network when requesting URL: http://{google api virtual ip}/authenticator?pass={passcode}&key={user key} if passcode is valid, the API respond 200 if passcode is not valid, the API respond 403 when requesting URL: http://{google api virtual ip}/secured-authenticator?pass={passcode}&key={encrypted user key} if passcode is valid, the API respond 200 if passcode is not valid, the API respond 403 This API can be configured to allow devices with 30 seconds offset. it calculate the previous, the current, and the next code. version 1.1 : This version includes new features : the Kai Wilke great optimization code using 11.1+ crypto commands ability to store in database (AD, LDAP ...) AES encrypted user key and decrypt it before OTP code validation version 1.2 : This version includes new features : the Kai Wilke security improvements with the authenticator keys AES encryption Powershell to add encrypted authenticator keys in AD user attribute How to use this snippet: Create a HTTP virtual server and assign the following irule. Change b64key value if user keys are encrypted with the provided powershell script. both keys in PS and irule must be the same. In APM, create a new HTTP AAA server with following parameters: Authentication Type : Form based Method : GET Form Action : http://{google api virtual ip}/authenticator (http://{google api virtual ip}/secured-authenticator if user key is encrypted) Form Parameter For User Name : {no value} Form Parameter For Password : {no value} Hidden Form Parameters/Values : pass %{session.logon.last.otp} userkey %{session.custom.key} -- Replace the variable containing the user key (from AD, LDAP, ... ) offset offset supported for token code (x means x*30 seconds offset) key_size 80 -- for algorithm evolution hmac_mode hmac-sha1 -- for algorithm evolution Successful Logon Detection Match Type = By specific string in response Successful Logon Detection Match Value : 200 OK this configuration use a unencrypted variable to store the OTP code. if the top code is in password variable, the parameter pass must be removed from hidden parameters and the Form Parameter For Password must be set to pass In VPE: provision the user key variable (from AD, LDAP, ... ) create a Logon page requesting the authenticator code (variable name otp) create a HTTP Auth box with the previously created HTTP server the following powershell script insert in AD user attribute "pager" the user encrypted key: function Encrypt-Data($AesKey, $Data) { $Data = [System.Text.Encoding]::UTF8.GetBytes($Data) $AesManaged = New-Object "System.Security.Cryptography.AesManaged" $AesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC $AesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $AesManaged.BlockSize = 128 $AesManaged.KeySize = 256 $AesManaged.Key = [System.Convert]::FromBase64String($AesKey) $Encryptor = $AesManaged.CreateEncryptor() $EncryptedData = $Encryptor.TransformFinalBlock($Data, 0, $Data.Length); [byte[]] $EncryptedData = $AesManaged.IV + $EncryptedData $AesManaged.Dispose() [System.Convert]::ToBase64String($EncryptedData) } $encryptKey = "iTEEieok7//RyzrPe5mWwz1yroPPsm4e5cqghdEHIlU=" $userkey = $Args[1] $username = $Args[0] $encrypted = Encrypt-Data $encryptKey $userkey Set-AdUser -Identity $username -replace @{"pager"="$encrypted"} Thanks to Kai Wilke for this. it make the code less insecure. here is an example of how work the API with curl stanislas$ curl -k 'https://192.168.1.243/secured-authenticator?user=stan&userkey=IyQ+J6l88AW9NQmaRPhLrl0aNkLKw01+vBRpikVfVQk=&key_size=80&hmac_mode=hmac-sha1&offset=1&pass=790054' -i HTTP/1.0 200 OK Server: BigIP Connection: Keep-Alive Content-Length: 0 stanislas$ curl -k 'https://192.168.1.243/secured-authenticator?user=stan&userkey=IyQ+J6l88AW9NQmaRPhLrl0aNkLKw01+vBRpikVfVQk=&key_size=80&hmac_mode=hmac-sha1&offset=0&pass=790054' -i HTTP/1.0 403 Forbidden X-Error-Code: 3-wrong-password Server: BigIP Connection: Keep-Alive Content-Length: 0 Code : proc ga_validate {hmac_mode key_size b32_key token allowed_clock_skew_units} { ############################################################################################## # Initialize the Base32 alphabet to binary conversation (see RFC 4648) # set b32_to_binary [list \ A 00000 B 00001 C 00010 D 00011 E 00100 F 00101 G 00110 H 00111 \ I 01000 J 01001 K 01010 L 01011 M 01100 N 01101 O 01110 P 01111 \ Q 10000 R 10001 S 10010 T 10011 U 10100 V 10101 W 10110 X 10111 \ Y 11000 Z 11001 2 11010 3 11011 4 11100 5 11101 6 11110 7 11111 \ 0 "" 1 "" = "" " " "" \ ] if { [string length [set key [string map -nocase $b32_to_binary $b32_key]]] >= $key_size } then { # Convert the translated ga(key) binary string representation to binary set binary_key [binary format B$key_size $key] # Initialize clock timeframe based on Unix epoch time in seconds / 30 set clock [expr { [clock seconds] / 30 } ] ############################################################################################## # Configure the allowed clock skew units (1 unit = +/-30 seconds in both directions) # set allowed_clock_range {0} for {set i 1} {$i <= $allowed_clock_skew_units} {incr i} {lappend allowed_clock_range -$i $i} ############################################################################################## # Perform verification of the provided token foreach x $allowed_clock_range { ############################################################################################## # Perform verification of the provided token for time frame clock + $x # # Calculate hex encoded HMAC checksum value for wide-int value of time frame clock+ x using key_binary as secret binary scan [CRYPTO::sign -alg $hmac_mode -key $binary_key [binary format W* [expr { $clock + $x }]]] H* hmac_tmp # Parse offset based on the last nibble (= 4 bits / 1 hex) of the hmac_tmp HMAC checksum and multiply with 2 for byte to hex conversation set offset [expr { "0x[string index $hmac_tmp end]" * 2 } ] # Parse (= 4 bytes / 8 hex) from hmac_tmp starting at the offset value, then remove the most significant bit, perform the modulo 1000000 and format the result to a 6 digit number set token_calculated [format %06d [expr { ( "0x[string range $hmac_tmp $offset [expr { $offset + 7 } ]]" & 0x7FFFFFFF ) % 1000000 } ]] # Compare token_calculated with user provided token value if { $token_calculated equals $token } then { # The provided token is valid" return 1 break } } } else { return -1 } return 0 } when RULE_INIT { ############################################################################################## # Initialize the Encryption keyto decrypt encrypted user Key # set b64key "iTEEieok7//RyzrPe5mWwz1yroPPsm4e5cqghdEHIlU=" set static::KEY [b64decode $b64key] # create a passphrase used during IV random creation set static::IV_RANDOM_PWD "MyIVSeed" } when HTTP_REQUEST { switch [HTTP::path] { "/secured-authenticator" { set user [URI::query [HTTP::uri] user] set auth_code [URI::query [HTTP::uri] pass] if {[set allowed_clock_skew_units [URI::decode [URI::query [HTTP::uri] offset]]] equals ""} {set allowed_clock_skew_units "0"} if {[set key_size [URI::decode [URI::query [HTTP::uri] key_size]]] equals ""} {set key_size "80"} if {[set hmac_mode [URI::decode [URI::query [HTTP::uri] hmac_mode]]] equals ""} {set hmac_mode "hmac-sha1"} set aes_cipherstring [b64decode [URI::decode [URI::query [HTTP::uri] userkey]]] log local0. "[HTTP::uri] $user $aes_cipherstring" binary scan $aes_cipherstring a16a* aes_iv aes_ciphertext set userkey [CRYPTO::decrypt -alg aes-256-cbc -key $static::KEY -iv $aes_iv $aes_ciphertext] log local0. "$userkey / $auth_code" } "/authenticator" { set user [URI::query [HTTP::uri] user] set auth_code [URI::query [HTTP::uri] pass] if {[set allowed_clock_skew_units [URI::decode [URI::query [HTTP::uri] offset]]] equals ""} {set allowed_clock_skew_units "0"} if {[set key_size [URI::decode [URI::query [HTTP::uri] key_size]]] equals ""} {set key_size "80"} if {[set hmac_mode [URI::decode [URI::query [HTTP::uri] hmac_mode]]] equals ""} {set hmac_mode "hmac-sha1"} set userkey [URI::query [HTTP::uri] userkey] #log local0. "$userkey / $auth_code" } "/encrypt" { set userkey [URI::query [HTTP::uri] userkey] set aes_iv [CRYPTO::keygen -alg random -len 128] set aes_ciphertext [CRYPTO::encrypt -alg aes-256-cbc -key $static::KEY -iv $aes_iv $userkey] set aes_cipherstring [b64encode [binary format a*a* $aes_iv $aes_ciphertext]] HTTP::respond 200 content $aes_cipherstring return } default { HTTP::respond 403 X-Error-Code 1-wrong-URL log local0. "erreur 1 : Wrong URL" return } } # Call Authenticator procedure # valid arguments are: # - HMAC mode : "hmac-sha1", "hmac-sha256" or "hmac-sha512" # - Authenticator Key size : Google Authenticator uses a hardcoded 80 bit key length # - User key Base32 encoded # - User OTP code # - Allowed time shift (1 unit = 30 seconds) # procedure returns different values # - -1 : the key is not valid (key size too short) # - 0 : the user code is wrong # - 1 : the user code is rigth log local0. "call ga_validate $hmac_mode $key_size $userkey $auth_code $allowed_clock_skew_units" switch -- [call ga_validate $hmac_mode $key_size $userkey $auth_code $allowed_clock_skew_units] { -1 { # code verification failed HTTP::respond 403 X-Error-Code 2-wrong-user-key log local0. "erreur 2 : wrong User Key" } 0 { # code verification failed HTTP::respond 403 X-Error-Code 3-wrong-password log local0. "erreur 3 : wrong Password" } 1 { # code verification successful HTTP::respond 200 } default {set result "error: unknown"} } } Tested this on version: 11.5
