Hamish_35071
Dec 02, 2009 Nimbostratus
TACACS password authentication - Handling Password Expiry
I'm implementing client authentication on an F5 using forms, mostly based upon the auth-by-forms iRule found on codeshare. But I need to add in a new feature: password expiry.
The TACACS server (Cisco ACS) has been successfully configured to expire a password after the first use (if it's been changed by an admin). But I need to detect that at the F5 in an iRule and give back a form to change the password, which needs two things:
1. The ability to detect the password has expired.
2. The ability to pass through a request to update a password.
I should mention that this is all being done without the use of a separate webserver.
Now, since the authentication uses PAM, it should be possible to pick up the state and change the password, since PAM can do it. But I don't see any docs that say how to interface to that with an iRule.
Anyone know?
TIA
Hamish.