Google Authenticator iRule For Two-Factor Auth With LDAP

Problem this snippet solves:

This iRule requires LTM v10. or higher.

This iRule adds two-factor authentication to a virtual server by combining an LDAP account with a Google Authenticator token.

The implementation is described in George Watkins' article: Two Factor Authentication with Google Authenticator

The iRule should be added to an LDAP authentication profile on an LTM, then applied to a virtual server. The users' Google Authenticator secrets are mapped using a data group defined by the 'user_to_google_auth_class' variable in the RULE_INIT section of the iRule. Here is a list of all the configurable options:

  • auth_cookie - name of cookie used to track user's authentication status
  • auth_cookie_aes_key - key used to encrypt user's cookie to prevent tampering
  • auth_timeout - defines how much time is allowed to elapse before the user's session becomes invalid
  • auth_lifetime - defines a finite period of validity for user's session, set to 0 for indefinite
  • user_to_google_auth_class - name of data group that contains user to Google Authenticator secret mappings
  • lockout_attempts - number of attempts a user is allowed to make prior to being locked out temporarily
  • lockout_period - duration of lockout period
  • logging - log level: 0 - logging off; 1 - log only successes, failures, and lockouts; 2 - log every attempt to access the virtual server as well as authentication process details
  • login_page - HTML for login page presented to user (could alternatively be housed on application server)
Comments on this Snippet
Comment made 09-Sep-2016 by Garry 0

This works great once you figure out that the posted variables are passed in the payload URI encoded. Reserved characters are replaced with the hex encoded equivalents and thus passwords that contain these are never going to authenticate.

To fix this, change the code below:

  foreach param [split [HTTP::payload] &] {
    set [lindex [split $param =] 0] [lindex [split $param =] 1]
  }

to this:

  foreach param [split [HTTP::payload] &] {
    set [lindex [split $param =] 0] [URI::decode [lindex [split $param =] 1]]
  }
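The encoding problem described in the comment above, modelled in Python as an added example (not part of the comment or of the iRule): `parse_naive` mirrors the original loop and `parse_decoded` the corrected one. The field names and sample payload are assumptions; the decoded version also keeps only expected field names, because the loop otherwise sets a variable for every name the client posts.

```python
from urllib.parse import unquote_plus

# Assumed form field names for this example; the iRule's login page may differ.
EXPECTED_FIELDS = ("username", "password", "ga_code")

# Constructed POST body: the password is "p@ss&w=rd 1%" as a browser encodes it,
# plus one parameter the login form never defines.
SAMPLE_PAYLOAD = "username=alice&password=p%40ss%26w%3Drd+1%25&ga_code=123456&unexpected=1"


def parse_naive(payload):
    """Mirror the original loop: split on & and =, keep values still encoded."""
    fields = {}
    for param in payload.split("&"):
        parts = param.split("=")
        # Like Tcl's lindex, a missing value becomes the empty string.
        fields[parts[0]] = parts[1] if len(parts) > 1 else ""
    return fields


def parse_decoded(payload):
    """Decode each value and keep only the fields the login form defines."""
    fields = {}
    for param in payload.split("&"):
        name, _, value = param.partition("=")
        name = unquote_plus(name)
        # First occurrence wins; unknown names are dropped instead of stored.
        if name in EXPECTED_FIELDS and name not in fields:
            # Form encoding sends spaces as "+", so decode those as well.
            fields[name] = unquote_plus(value)
    return fields


if __name__ == "__main__":
    print("naive  :", parse_naive(SAMPLE_PAYLOAD))
    print("decoded:", parse_decoded(SAMPLE_PAYLOAD))
```

With the naive parser the password reaches the LDAP bind still percent-encoded, so it never matches the directory value.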
Comment made 30-May-2017 by BobDob 1

Hi George, et al, I'm looking to implement this but the problem is LTM doesn't support LDAP Authentication Profiles any more (only APM? refer https://devcentral.f5.com/questions/authentication-profile-type-is-missing-on-bigip-ltm-ve-trial) so I'm at a bit of a loss as to how and where to apply this iRule.