AD Remote Authentication over Managment interface?

Question

Hello All,&nbsp;
&nbsp;Got a quick one for you. Is it possible to have the remote authentication requests go out the Management interface? Right now, after doing a tcpdump on both management interface and our "traffic" interface. I see LDAP authentication requests going out the "traffic" port and not the management.&nbsp;
&nbsp;Reason i ask is, we have a typical DMZ setup however security only want's authentication requests to go across the management vlan(which is cable plugged into the management interface.).&nbsp;
&nbsp;thanks for your help,&nbsp;&nbsp;
&nbsp;Jim&nbsp;&nbsp;&nbsp;

nitass · Answer

have you tried to add management route for active directory server? 
&nbsp;  
&nbsp; sol3669: Overview of management interface routing (9.x - 10.x) 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3669.html

jim_43682 · Answer

Thanks nitass. That got me started, now ldaps request are originating from the management interface . However, now the secure logs state that: 
  
  Jul  2 11:26:43 local/gtmhostname err httpd[20108]: [error] [client 1.1.1.1] Could not obtain user credentials
r also happens when ssl handshakes go wrong.
Jul  2 11:26:46 local/gtmhostname alert httpd[20301]: pam_unix(httpd:auth): check pass; user unknown
user= rhost=1.1.1.1  
  
 Which is werid because its the same config from our Internal environment, and I've verified the firewall is set to allow connections over 636. Tested with telnet.

jim_43682 · Answer

I run this on the F5 and get back results: 
  
ldapsearch -x -D "CN=bindUser,OU=it,OU=internal,DC=domain,DC=company,DC=com" -b "DC=domain,DC=company,DC=com" -H ldaps://ADserver -W CN=F5admingroup

But when I try to log in from the WebGUI. It just hangs for 5min and then says connection rest??. 
 Logs says nothing. Doesn't even move. I was tailing it the whole time. 
  
 Any ideas?

nitass · Answer

would it be possible to capture packet between bigip and ldaps? do you have private key to decrypt it?

jim_43682 · Answer

No. Is there anything I can try? I don't understand how the ldapsearch command works on the F5 device. but the log in doesn't. 
  
auth ldap system-auth {
   service ldaps
   ssl enable
   search base dn "DC=domain,DC=company,DC=com"
   bind dn "CN=binduser,DC=domain,DC=company,DC=com"
   bind pw "binduserpw"
   login attr "samaccountname"
   servers {
      "167.69.x.x"
      "167.69.x.y"
      "167.69.x.z"
   }
}

Forum Discussion

AD Remote Authentication over Managment interface?

8 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Application Programming Interface (API) Authentication types simplified

Re: Configuring Smart Card Authentication to the BIG-IP Traffic Management User Interface (TMUI) usi

management interface failover

NGINX Management Suite API Connectivity Manager - Modern API driven Applications

Re: Management Certificate