google authenticator
5 Topics

APM Pre-Authentication in front of Google Authenticator Generation iRule
Hi everyone,

I'm trying to configure pre-authentication in front of the Google Authenticator generation rule. I've used the following article, and everything is working fine from the Google Auth side of view:

devcentral.f5.com/articles/two-factor-authentication-with-google-authenticator-and-apm

The part where I want to put pre-authentication (Logon Page with AD Auth) in front is the following:

https://devcentral.f5.com/codeshare?sid=532

I've tried several things already:

- iRule event and "when ACCESS_POLICY_AGENT_EVENT" in the Rule
- VS with iRule attached and member of a pool
- new VS for APM pre-auth and as a resource the Google generation pool (-> not working because of a limitation, there is an SOL article about that)

What I get in the log every time APM is in front is this:

May 19 11:44:20 Snorre err tmm3[3992]: 011f0007:3: http_process_state_prepend - Invalid action:0x1090b1 (Client side: vip=/Testpartition/google_auth_preauth profile=http addr=10.10.10.1 port=443 rtdom_id=0 client_ip=10.1.1.25)

Any suggestions?

Many thanks,
Mike

293 Views, 0 likes, 2 Comments

Help with creating script
Currently we are using Google Authenticator with our F5 implementation. We provide our users with a shared secret key and store the same key in our Active Directory for later reference. So basically we add a sample key like this to one of our AD fields:

GVUEYVDJMNSFIMD2

So basically I have a ton of users with this setup in their AD fields. One of the issues I have with our setup is the fact that the key we store in Active Directory is too visible to others in my organization. So a friend pointed this link out to me and I think it will fix my concerns:

https://devcentral.f5.com/questions/apm-active-directory-authention-with-google-auth

So we add the following code to the Google Authenticator generator page:

    append ga_secret_http_resp "key (secret): $secret_b32\n \n "
    # AES-128-CBC key and IV, given as hex strings
    set key "3658F2C8C5C2017839B2B1761F713F8B"
    set iv "DC4F6A9A1C6D12C15FEC43179660C78B"
    # Encrypt the base32 secret and base64-encode the ciphertext
    set enc_ga_secret [b64encode [CRYPTO::encrypt -alg aes-128-cbc -keyhex $key -ivhex $iv $secret_b32]]
    append ga_secret_http_resp "encrypted secret: $enc_ga_secret\n"
    append ga_secret_http_resp "\n"

Users are provided the key GVUEYVDJMNSFIMD2 and we now add this encrypted key 3qqb/Yr1gSblF99F8/XkgJVFG5vs9KG5OwflwLHkU9I= to AD. The F5 can then decrypt the key and it works great.

However, I now need to create a script that will take the remaining shared key we have in everybody's account and encrypt it. I was hoping someone knew a little PowerShell or some other scripting language that could help me out of this jam!

177 Views, 0 likes, 0 Comments

Google Authenticator iRule Verification
Hi,

I've been following this article:

https://devcentral.f5.com/articles/two-factor-authentication-with-google-authenticator-and-apm

to implement two-factor authentication with APM. After creating an access policy, data group and all the likes, I find that the APM is expecting a different code than the authenticator shows. I found out by printing the variables that I enter as a code, and the variables that the APM expects as a code, into the logs.

The whole process itself works. The iRule is triggered, the username is found in the datagroup, and the calculations are made. It's just expecting a different code. For example, my code will say "781023", and the BIGIP will be expecting code "826015". I tested this with multiple different accounts and the same results all around.

I'm wondering if Google just changed its algorithm a few years ago and the article became outdated, or if something in recent F5 versions has changed that changes the calculation algorithm. Has anyone done a recent implementation with this iRule without any issues?

I quadruple-checked everything and added log entries to every part of the iRule. I know it's being triggered correctly, but it's just coming up with a different expected code than Google is. In that article, there are 2 comments by people with the same issue on 11.5, so at least I'm not alone :-)

485 Views, 0 likes, 9 Comments

[APM] Ad Query + Google Auth
Hi,

I'm trying to implement an authentication between AD and Google Auth. I followed this but it's not exactly what I want to do.

Here is what I want: AD Auth (without AD password) + Google Auth. --> I just want to replace the AD password with Google Auth.

I think the "AD Auth" macro is not appropriate. AD Query is surely better.

Here is my Policy:

And here is my AD Query:

If I look at the log, I observe that if I test with the AD password, AD Query passed but Google Auth failed. But if I test with Google Auth as the password, AD Query failed.

Do you have any idea? Am I going in the right direction?

Thanks for your reply

Solved, 504 Views, 0 likes, 5 Comments