Forum Discussion

karthik_sriniva
Apr 12, 2005

Multiple Auth

Hi,

Can someone post an example of how to do multiple authentication?

For example, the first one could be RADIUS auth and the next one could be LDAP authentication.

Thanks!!!

16 Replies

  • Tao_Liu_90341
    Historic F5 Account
    That is strange. Could you try 2 things:

    1. See if the default auth rule works properly in your config.

    2. Add a few log statements to your rule to see where it goes.

    BTW, did you make sure your rule is the only auth rule applied? The auth profile always has a default auth rule inherited if you didn't set it to none.
  • I do think there is an issue with OS versions. I installed a fresh copy of 9.1.0 on one server and 9.2.2 on another. The rule I previously posted worked great on the 9.1.0 system (below are the logs [each system has its own timestamp]).

    9.1.0

    19:42:31 Rule ldap: entering auth credential
    19:42:35 Rule ldap: entering auth success

    9.2.2

    11:27:12 Rule ldap AUTH_WANTCREDENTIAL: entering auth want credential
    11:32:12 Rule ldap AUTH_SUCCESS: entering auth success
    11:32:31 Rule ldap AUTH_ERROR: entering auth error

    The page still displays correctly on 9.2.2 as it did on 9.1.0.

    The default auth sys ldap rule works great on both systems; however, I don't like some of the side effects of sys auth ldap. I connect to the virtual server, type an invalid username and leave the password blank. It prompts me for the username and password again. I type the real username and password, which does not work. I type it correctly again and the system returns a blank page. This is not the same as the rule I have posted on a 9.1.0 system. I enter an invalid username and leave the password blank. I enter the correct credentials on the second attempt and it works. I could even wait for the third (second attempt is the real username and blank password) to make it work.

    As far as the placement of the rule, I have attached the new iRule in the ldap profile (replacing the existing sys auth ldap iRule). I do not add an iRule to the virtual server under Resources/iRules. I add the ldap profile (with the new iRule) to the auth profiles in the virtual server.

    I see that there is a 9.2.3 version out. How would I go about obtaining a copy?

    I've done it before but can't remember how I requested it. I would be interested to see if it behaves the same way.

    Thank you for your help,

    Rob

  • Hi all,

    we want to use the original iRule to do RADIUS authentication OR LDAP authentication on a user-type basis. I created the iRule but I don't understand how to manage the authentication profile on the virtual server.

    We configured:

    - iRule (similar to the original "rule twoauth")
    - Configuration to set LDAP server
    - Configuration to set RADIUS server
    - Auth Profile to set LDAP server and iRule
    - Auth Profile to set RADIUS server and iRule
    - Virtual server

    I can't use our auth profiles (RADIUS and LDAP) because they use the same iRule. How can I manage this issue?

    Thanks for your help!
  • I think you could configure separate iRules on separate auth profiles and then add both auth profiles to the same VIP. You'll probably want to rename any variables named the same in the two iRules so the two instances don't trample on each other.

    Aaron
  • Hi hoolio,

    thanks for your help.

    The problem is that since I want to use either RADIUS OR LDAP (mutually exclusive), I need to use a control (if... then... else).
  • I haven't tested this, but the profile_base.conf describes this:

        When multiple auth http profiles (ldap, radius, tacacs) are simultaneously configured on a single virtual server, AND-based logic is used by default, i.e., all authentication methods must succeed for the request to be allowed. It is also possible to configure OR-based logic, e.g., if either ldap or radius are successful, allow the request. PAM service configurations could be manually edited to accomplish this, but a simple iRule can also be used: Add a custom CLIENT_ACCEPTED rule to the same virtual server and have the rule set the variable tmm_auth_http_sufficient_successes to 1. Generically, this variable may be set to the minimum number of successful auth results that are necessary to permit the request. For example, setting the value to 2 while ldap, radius, and tacacs profiles are each configured on a virtual will cause requests to be permitted when at least 2 of these 3 auth methods are successful.

        These auth profile default rules can be optionally configured to subscribe to out-of-band auth response data (obtained via AUTH::response_data). Subscriptions are enabled by setting the variable tmm_auth_subscription prior to system auth rule invoking AUTH::start call, e.g.,

    So I think you could add both auth profiles to the VIP and add an iRule which sets tmm_auth_http_sufficient_successes to 1 in CLIENT_ACCEPTED.

    Aaron
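The OR-logic rule Aaron describes, written out as an added example (this is not code from the thread or from F5's profile_base.conf). The variable name tmm_auth_http_sufficient_successes and its meaning are taken from the quoted profile_base.conf text; the AUTH_WANTCREDENTIAL, AUTH_SUCCESS and AUTH_ERROR events are the ones that appear in Rob's 9.2.2 logs, and AUTH_FAILURE is the matching v9 event for a rejected credential. The rule name, the log wording and the assumption that the LDAP and RADIUS auth profiles are both attached to the same virtual server are mine.

```tcl
# Added example, not from the original thread or from F5.
# Purpose: switch the stacked LDAP + RADIUS auth profiles on one virtual
# server from the default AND logic to OR logic, and log each auth event so
# the path a request takes through the profiles is visible in /var/log/ltm.
#
# Attach this rule to the virtual server itself (Resources/iRules) alongside
# the two auth profiles; it does not replace the profiles' own system auth
# rules, which are what actually count the successes.
when CLIENT_ACCEPTED {
    # Minimum number of auth profiles that must succeed before the request
    # is permitted. With two profiles (LDAP and RADIUS) on the VIP, 1 means
    # "either one is enough"; leaving the variable unset keeps the default,
    # which requires every profile to succeed. Set to 2 for "both".
    set tmm_auth_http_sufficient_successes 1
    log local0. "auth_or_rule: connection from [IP::client_addr]:[TCP::client_port], sufficient successes = $tmm_auth_http_sufficient_successes"
}

when AUTH_WANTCREDENTIAL {
    # An auth profile is asking the client (via 401) for credentials.
    log local0. "auth_or_rule: AUTH_WANTCREDENTIAL for [IP::client_addr]"
}

when AUTH_SUCCESS {
    # One profile accepted the credential. With sufficient successes = 1
    # this is enough for the request to go through.
    log local0. "auth_or_rule: AUTH_SUCCESS for [IP::client_addr]"
}

when AUTH_FAILURE {
    # One profile rejected the credential; the other may still succeed.
    log local0. "auth_or_rule: AUTH_FAILURE for [IP::client_addr]"
}

when AUTH_ERROR {
    # The backend (LDAP/RADIUS server) could not be reached or returned an
    # unexpected answer; this is not the same as a rejected credential.
    log local0. "auth_or_rule: AUTH_ERROR for [IP::client_addr]"
}
```

Two things worth checking before relying on this. First, OR logic means a request is allowed as soon as any one backend says yes, so the weaker of the two directories sets the bar for the whole virtual server; if the RADIUS store has stale or shared accounts, those now open the LDAP-protected application too. Second, watch the AUTH_ERROR line: a backend that is unreachable is not a success, so with sufficient successes = 1 and one server down, users are only let in if the remaining server accepts them, which is the fail-closed behaviour you want, but it is easy to mistake for the "blank page" symptom Rob saw unless the events are logged.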