iRule to decrypt and rewrite RADIUS User-Password AVP
In the RADIUS protocol, the user's cleartext password is transmitted inside Attribute-Value Pair (AVP) 2, padded with null characters as necessary, and then encrypted by the shared secret by XOR'ing it across the authenticator somehow or other. The technical details of how this works are a bit above my level of understanding, as I'm not a cryptography expert.

We have an infrastructure where our PAN VPN Gateway prompts a user for their username and password. In our environment, after the password, the user appends a fixed-length HOTP token from a Yubikey. The backend FreeRADIUS server has been configured to decrypt the password received, extract the fixed-length token, and perform backend checks to our LDAP and token servers. FYI, the password is encoded as PAP prior to RADIUS encryption in our setup, which is why this works; CHAP would prevent this from working.

We've been having trouble with the stability of our FreeRADIUS server and we would like to leverage our much more stable Aruba ClearPass infrastructure, which is load balanced globally with our GTMs and LTMs and highly stable. This also moves control of the RADIUS piece away from the systems team and onto the network team (me, specifically). Unfortunately, ClearPass doesn't have a direct mechanism to break the password from the token, and PAN doesn't have a way to transmit the token separately. This is where we would like to leverage an iRule.

Basically, the way I envision this working is as such:

1. Decrypt the password+OTP that is received from PAN using the authenticator value and shared secret
2. Rewrite AVP 2 as just the password, encrypted by the shared secret (make sure to adjust the length of the AVP)
3. Insert AVP 17 (which is not defined by the IETF) with the token (ClearPass can be configured to look for this by modifying its RADIUS dictionary)
4. Rewrite the length value at layer 7 if necessary - not sure if this would happen automatically by the F5; probably not.
5. Ship the modified RADIUS packet to ClearPass

I know how to accomplish all of this on the ClearPass side, but my dev skills are weak, I'm not very familiar with Tcl, and I don't have a solid understanding of how to encrypt/decrypt the password correctly. I've searched high and low, but the only solutions for decrypting the password seem to be written in languages that are even more difficult to understand, like C. I obviously understand it is too much to expect someone to write the entire solution for me, but any advice on where to start would be very helpful. I think the trickiest part for me would be the encrypt/decrypt step.

Cisco ISE load-balancing and Change of Authorization (CoA)
First, let me clearly state that I do not have a Cisco background. I have no experience with the RADIUS protocol, and am not familiar with the details of the CoA, so I am not in a position to know if what I'm being asked to do is appropriate/necessary/makes sense or not.

Our Cisco guys came to me asking for a RADIUS load-balancing VIP, with persistence based on CALLING-STATION-ID. I found https://devcentral.f5.com/questions/load-balance-cisco-ise-servers easily enough. So I created a wildcard UDP VIP with the iRule. But they came back with an additional CoA requirement. They claim that the ISE servers periodically send "a CoA packet" to the clients of the RADIUS VIP. They want the LTM to intercept these packets and SNAT them from the RADIUS VIP address. They claim that the clients of the RADIUS service will only accept CoA packets from the VIP address.

Apart from the link above, the only good resource on the subject I can find is https://supportforums.cisco.com/blog/153056/ise-and-load-balancing. I get somewhat lost in the terminology, but this statement seems important: "Each PSN gets listed individually in the Dynamic-Authorization (CoA). Use the real IP Address of the PSN, not the VIP." In the context of this document it sounds to me like the "PSN" is also the Pool Member of the RADIUS VIP, and that we should be adding the IP address of the Pool Member in some CoA field on the clients of the RADIUS VIP. But again, not being familiar with RADIUS, I'm very uncertain.

Apart from the question of whether or not I can SNAT from a VIP address at all (which I highly doubt), does anyone have some insight into how to account for these RADIUS/CoA packets in a load-balancing context?

Radius Authentication role not working
Hi Guys,

We set up authentication using this article: https://support.f5.com/csp/article/K14324#3

But when we logged in using the accounts on the RADIUS server, F5 sets the user as an admin account even though the account should be read only. Are we missing some configurat

RADIUS Access-Challenge Response Issue
Hi,

I'm trying to configure the APM functionality on a BigIP running 13.1.02 to support the "Change PIN" request of the Swivel Secure PINsafe authentication, but I seem to be hitting a more fundamental issue with the BigIP's RADIUS Access-Challenge support.

Normal RADIUS authentication against the Swivel authentication server is working fine. The user logs in, with their credentials submitted over HTTP to the F5 and from there via a RADIUS Access-Request to the Swivel server:

RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0xf2 (242)
    Length: 103
    Authenticator: f25**********************aa92
    [The response to this request is in frame 3]
    Attribute Value Pairs
        AVP: t=User-Name(1) l=10 val=XXXXXXXXX
        AVP: t=User-Password(2) l=18 val=Decrypted: 3407
            Type: 2
            Length: 18
            User-Password: 3407
        AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XXX
        AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXX
        AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8)
        AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142
        AVP: t=NAS-Port(5) l=6 val=0

If the user requires that their PIN be changed, the Swivel authentication server responds with a RADIUS Access-Challenge:

RADIUS Protocol
    Code: Access-Challenge (11)
    Packet identifier: 0xf2 (242)
    Length: 31
    Authenticator: f034de3****************586dd5
    [This is a response to a request in frame 2]
    [Time from request: 0.021004000 seconds]
    Attribute Value Pairs
        AVP: t=Reply-Message(18) l=11 val=changepin
            Type: 18
            Length: 11
            Reply-Message: changepin

The F5 successfully detects this Access-Challenge request and presents the user with a further login page containing the Reply-Message as the header (so "changepin" in this case), followed by a single input element (id of "input_1" and name of "_F5_challenge") into which the user can respond.

With the user's response typed into the single input element and the new form submitted, I can see in the HTTP request from the web browser to the F5 the form variable "_F5_challenge" correctly set to the value typed into the input element. Looks good so far...

From the RADIUS RFC 2865: "If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any."

I would therefore expect that the F5 would use the value it received in the _F5_challenge HTTP form parameter as the new User-Password value within the RADIUS Access-Request that responds to the Access-Challenge. This is not what I see. If I capture and decode this RADIUS Access-Request, I can see that User-Password is the same value as from the original RADIUS Access-Request from the initial logon page:

RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0xaa (170)
    Length: 105
    Authenticator: aaf*********************3075
    [The response to this request is in frame 5]
    Attribute Value Pairs
        AVP: t=User-Name(1) l=10 val=XXXXXXXXXX
        AVP: t=User-Password(2) l=18 val=Decrypted: 3407
            Type: 2
            Length: 18
            User-Password: 3407
        AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XX
        AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXXXX
        AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8)
        AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142
        AVP: t=NAS-Port(5) l=6 val=0
        AVP: t=State(24) l=2 val=
            Type: 24
            Length: 2
            State: <MISSING>

Of course, the original password (PIN in this case) is not valid for the replacement PIN within the Swivel server, and therefore the PIN change process fails.

The fundamental issue seems to be that I'm unable to control the User-Password element of the F5's reply to the Access-Challenge based on that HTML input element. Any idea what could be wrong here?

Many thanks
aid

BIG-IP APM: RADIUS and SSO mapping broken
Hi All,

I think that using a combination of RADIUS authentication (with one-time token) and SSO credential mapping within APM is broken. Credentials entered on the logon page are stored in the username & password session variables. If you do a RADIUS authentication with a one-time token, the password variable will be overwritten with the token. So an SSO credential mapping after the RADIUS authentication will get a wrong password.

You can prevent this by either putting the SSO credential mapping before the RADIUS block, or "caching" the initial password in a separate variable with a variable assign before ( password2 = password ) and after ( password = password2 ) the RADIUS block. However, this fix will not work if the user enters the wrong password initially. The RADIUS block will reload the login page and show you the "wrong credential" warning as often as you define, but the SSO credential mapping or variable assign defined BEFORE the RADIUS authentication won't be updated with the correct password.

I know that I could set the "max. attempts allowed" to 1 and have a completely new APM session after every wrong credential, or I could build a loop and lose the "wrong credential" message, but those 2 options are not that pretty in my opinion. I'm just wondering if someone has a nice solution to this problem.

Cheers
Patrick

Admin Auth via NPS Radius
Hi Everyone,

Am wanting to implement RADIUS auth of our BIG-IP administrators (GUI and SSH). RADIUS is a supported auth method, so we would like to use the Microsoft NPS services. Has anyone successfully implemented GUI / SSH authentication of BIG-IP administrators via RADIUS to Microsoft NPS? Would be great to hear of your learnings and any advice you can provide. TIA (currently running v16.1.3.1)

DUO Security Proxy servers in HA configuration
Has anyone set up HA for the DUO Proxy servers? I don't believe I can use the Radius iApp due to the specific port per DUO application(s)?

I can successfully create a RADIUS server with a "direct" server connection association to a single node (DUO Auth Proxy). However, I've been unsuccessful at setting up an HA configuration to include a second DUO Auth Proxy server. I've tried the following manual configurations (both failed):

1. Updated the "direct" server connection to point to a VIP (instead of a node), where the VIP was associated with a pool of DUO Auth Proxy servers. Failed (no response from server)
2. Created a new RADIUS server referencing the pool of DUO Auth Proxy servers (not direct server connection), essentially removing the VIP. Same error as above.

*** The pool I used has Priority Grouping to prioritize its local site DUO Auth Proxy server unless it's unavailable, then go to the other datacenter for DUO Auth Proxy. I have not set up a persistence profile due to the priority grouping. But I will try that today.

Hoping someone has tried setting up DUO Proxy HA and can provide any helpful insight. Thank you in advance.

~Jeff

Radius External Monitor (Python)
This'll be a long post, so get a cup of coffee or whatever your poison of choice is.

Sooooo, from all my digging around, Python-based External Monitors are something that nobody talks about, has gotten right, or maybe they just keep the solution to themselves or have realised the futility of Python for advanced external monitors. I am unfortunately pretty stubborn when I am faced with an interesting challenge, so like a dog with a bone I persisted until I got everything working except the actual F5 monitoring part. Bear in mind I am no coder; I'm ok at Python, I know F5s relatively well, and this is my first external monitor that I have written. The shyte part is that there is, as far as I have seen, no information on using Python for external monitors other than a couple of mentions here and there saying that it is possible.

As many of you know, F5's current Radius monitor will only mark a member up when it has a successful login against a user account and has no means of establishing a connection then simply testing for ANY valid RADIUS response, regardless of whether the account supplied is valid or not. This effectively shuts out the use of the F5 Radius monitor for Two Factor Auth systems where security is stringent enough to disallow the use of a single-factor auth account with a fixed password for monitoring purposes.

To try to solve this, I wrote up this Python script that will establish a connection to a RADIUS server regardless of the number of auth factors it requires; it will then fire off a bogus (or not) authentication attempt to the RADIUS server. It's pretty crude, but as long as the connection doesn't time out there will be some sort of response from the RADIUS server, which will result in the script writing to stdout so that the F5 will mark the member as up. If there is a timeout, the script's exit code is zero with no output so that the member will be marked as down.

After importing the script, it works like a charm when run from /config/filestore/files_d/Common_d/external_monitor_d/ with the various options. It happily handles the ::ffff: prefix to the IPv4 addresses as well as strips, for now, the routing domain tag in case it's appended to the address, but when it is executed as part of a monitor it fails. For the life of me I can't figure out why, and nor have I figured out how to do a detailed debug of the script and what parameters are being handed to it at execution by the F5. So this is where you guys and gals come in, and hopefully you can help.

The issues I have are as follows:

1. I don't know if I'm invoking the Python shebang correctly for F5.
2. Unable to debug the script, and /var/log/monitors/Common_radius_monitor.log doesn't have anything relating to script runtime errors.
3. In spite of using a Syslog handler to try to write to syslog-ng, I'm unable to output to /var/log/ltm, so there isn't anything useful in there (for now).
4. This entire thing might be a complete non-starter if the F5 is super strict about code execution and is shutting out my use of the six and radius modules stored in /config/eav/, but without a run-time debug I can't tell what its problem is.

Unfortunately, because of the length of the code and this description, I've had to add my script via code share: External Radius Monitor using Python

Use debug on health monitor to retrieve lost radius secret
Hi,

Is it possible to use the debug function on health monitors to retrieve the RADIUS secret? Found this old blog post http://socpuppet.blogspot.com/2016/11/how-to-recover-lost-big-ip-f5-secret.html and followed the steps:

1) Created a health monitor with a random username and password plus a random secret. Enabled debug
2) Edited the health monitor and entered the hashed secret from the RADIUS setup
3) Added the health monitor to a pool and attached the pool to a new virtual server used to test
4) Checked in /var/log but no debug log is created

Is something missing, or is it not possible to do this anymore?

Best regards
Daniel

APM - Centrify RADIUS Access-Challenge failure
Hi All,

I have configured Centrify RADIUS under access->authentication and am using it under APM for user authentication for MFA. I get "error: packet verification failed, most likely the shared secret is not correct" when I try to authenticate. I know it is not a secret issue, as I could see the Access-Challenge code reply by RADIUS with Attribute Value Pairs. On RADIUS, I have set it to ask for a security question and I do see AVP type 18 (Reply-Message), but I don't see F5 presenting that on the user login screen. I have opened a case with F5, but we are not making any progress. I appreciate any suggestion to address this issue.