password change
3 Topics

How to catch expired password APM ?
I have trouble catching if a user gets "Password has expired" on access policy login. The AD module handles the change-password procedure OK, BUT after such a change, it then forwards the OLD password used on the login page to the RADIUS server (used in 2FA). So, what is needed is that after the password change occurs, the user is redirected to the login page (or, if the renewed password can be caught, that password is sent to the next phase). The APM logs show appropriate values, BUT they don't survive the built-in AD module and are reset after the pw-change?

So far I've tried these (in a branch rule):

expr { [mcget {session.ad.last.errmsg}] contains "Password has expired" || [mcget {session.logon.last.change_password}] == 1 }
expr { [mcget {session.logon.last.change_password}] == 1 || [mcget {session.logon.page.errorcode}] == 1403 }

Samples from the APM logs:

30dff639: Session variable 'session.ad.last.errmsg' set to 'Password has expired, principal name: userl@domain'
30dff639: Session variable 'session.logon.page.errorcode' set to '1403'

The change_password part works OK; it's set on the login page checkbox and survives until the end of the session.

385 Views, 0 likes, 0 Comments

Automate local admin password change on LTM's
I wish to automate the process of changing the local admin account on all my LTMs and GTMs. These are guests on a Viprion chassis. I have BigIQ deployed but cannot seem to find the correct config template. Would a REST API be used? Any suggestions are helpful.

476 Views, 0 likes, 1 Comment

AD Authentication / password changes for user accounts with custom UPN suffixes
Hi Folks,

I'm currently in major trouble while implementing an APM Active Directory integration at a customer site. The customer has two (very legitimate and also somewhat common) requirements that are in combination somehow not well suited in the APM world…

- The customer AD environment hosts user accounts with multiple custom UPN suffixes (UPN = E-Mail address as recommended by Microsoft).
- The customer requires that the users can update/reset their user accounts through APM (lots of remote-only workers).

My problem with those two requirements is that...

- APM does not support AD authentication for user accounts with UPN suffixes different to the AD Domain FQDN. The official workaround is to use LDAP authentication. (SOL12252)
- APM does not support password updates/resets for LDAP accounts. The official solution is to use AD authentication. (SOL15676)

My questions are...

- Does someone know a workaround so that APM can be somehow tricked out to authenticate users where the UPN suffix =/= Domain FQDN, or if APM developments are in the pipeline to implement a configurable UPN-Suffix-List for the Active-Directory AAA objects?
- Does someone know a workaround to implement a password change/reset functionality for LDAP authentication?

Thanks in advance!

Cheers, Kai

249 Views, 0 likes, 0 Comments