Forum Discussion

Jim_43682's avatar
Jim_43682
Icon for Nimbostratus rankNimbostratus
Jul 02, 2012

AD Remote Authentication over Managment interface?

Hello All,

 

 

Got a quick one for you. Is it possible to have the remote authentication requests go out the Management interface? Right now, after doing a tcpdump on both management interface and our "traffic" interface. I see LDAP authentication requests going out the "traffic" port and not the management.

 

 

Reason i ask is, we have a typical DMZ setup however security only want's authentication requests to go across the management vlan(which is cable plugged into the management interface.).

 

 

thanks for your help,

 

 

 

Jim

 

 

 

  • have you tried to add management route for active directory server?

     

     

    sol3669: Overview of management interface routing (9.x - 10.x)

     

    http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3669.html
  • Thanks nitass. That got me started, now ldaps request are originating from the management interface . However, now the secure logs state that:

     Jul  2 11:26:43 local/gtmhostname err httpd[20108]: [error] [client 1.1.1.1] Could not obtain user credentials
    r also happens when ssl handshakes go wrong.
    Jul  2 11:26:46 local/gtmhostname alert httpd[20301]: pam_unix(httpd:auth): check pass; user unknown
    user= rhost=1.1.1.1 

    Which is werid because its the same config from our Internal environment, and I've verified the firewall is set to allow connections over 636. Tested with telnet.

  • I run this on the F5 and get back results:

     
    ldapsearch -x -D "CN=bindUser,OU=it,OU=internal,DC=domain,DC=company,DC=com" -b "DC=domain,DC=company,DC=com" -H ldaps://ADserver -W CN=F5admingroup
    

    But when I try to log in from the WebGUI. It just hangs for 5min and then says connection rest??.

    Logs says nothing. Doesn't even move. I was tailing it the whole time.

    Any ideas?

  • would it be possible to capture packet between bigip and ldaps? do you have private key to decrypt it?
  • No. Is there anything I can try? I don't understand how the ldapsearch command works on the F5 device. but the log in doesn't.

     
    auth ldap system-auth {
       service ldaps
       ssl enable
       search base dn "DC=domain,DC=company,DC=com"
       bind dn "CN=binduser,DC=domain,DC=company,DC=com"
       bind pw "binduserpw"
       login attr "samaccountname"
       servers {
          "167.69.x.x"
          "167.69.x.y"
          "167.69.x.z"
       }
    }
    
  • the configuration looks okay to me. if i were you, i would try normal ldap (plain text) and capture packet to see what wrong is.

    this is my configuration.

    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list auth source
    auth source {
        type active-directory
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list auth remote-user
    auth remote-user {
        default-role admin
        remote-console-access tmsh
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list auth ldap
    auth ldap system-auth {
        bind-dn cn=administrator,cn=users,dc=abc,dc=com
        bind-pw password
        login-attribute samaccountname
        port 636
        search-base-dn DC=abc,DC=com
        servers { 172.28.19.78 }
        ssl enabled
    }
    
    [root@ve11a:Active:In Sync] config  tail /var/log/secure
    Jul  6 19:28:03 ve11a notice httpd[31839]: 01070417:5: AUDIT - user tasmania - RAW: httpd(mod_auth_pam): user=tasmania(tasmania) partition=[All] level=Administrator tty=/usr/bin/tmsh host=192.168.206.55 attempts=1 start="Fri Jul  6 19:28:03 2012".
    
  • Really stumped here. The ldapsearch string works flawlessly, however the web GUIlog in hangs for about a minute then drops. I tail'd the logs during the web GUIlog in, and no new statements are generated. I've tried increasing the logging level to debug and still nothing in the logs. Is there anywhere else I can check to figure out what is going on here.
  • have you tried to open a support case? if you can provide them packet capture, they should be able to help you to look into the capture.