Forum Discussion

Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
Jun 11, 2019

Google Authenticator implementation

Hello,

we want to configure MFA/2FA using Google Authenticator (or at least the underlying time-based one-time password (TOTP) solution).

We found several articles and guides here on DevCentral, but as some of them are quite some years old and also referenced links seems to not working anymore, I have some questions:

  • Is it really necessary to have the APM-module activated for this? Because based on one of the initial articles, it seems to be possible just with the LTM authentication profile? But when checking the options, I don't have the mentioned "LDAP"-type available. I see only "SSL client certificate LDAP" (and two others).
  • What are pros and cons of an implementation with/without APM-module?
  • Based on the preferred solution is there any current/up-to-date configuration guide available, how to configure this?

Thank you!

 

Ciao Stefan :)

  • Ok, I got at least the APM-solution to work. And I want to share with you the combined iRule based on:

    • Google Authenticator Token Verification iRule For APM
    • Google Authenticator Verification iRule (TMOS v11.1+ optimized)

    Maybe this is helpful for someone out there.

    I made some testings and it looks fine so far, but maybe the experts can have a look on it as well. I tested this with version 13.0.0

     

    But besides this, I would still be interested in the options to get this working even without APM at all. Is this still be possible via an Authentication-profile or are these features no more available in latest TMOS versions?

     

    Special thanks here to George Watkins and Kai Wilke for the good work!!!

     

    Ciao Stefan :)

  • Stefan,

     

    Many thanks for updating and optimizing the code. as I am looking at implementing such solution.

     

    Unfortunately, there is one important missing part in all the documentation I read this far: how to automate user registration. I have over 500 users, it is not possible and not sustainable to manually add them in the local datagroup. Provisioning should be self-service.

     

    Anyone has a solution for implementing auto-provisioning of users and passcode or, did you all use the same passcode for all users?

     

    Thanks!!

      • Denis_Figeys's avatar
        Denis_Figeys
        Icon for Nimbostratus rankNimbostratus

        Thanks Niels... looks a bit like hacking the system. I wish F5 would have provided us a better, standard way of achieving this.

         

        Regards, Denis.

  • ​Hi Denis,

    it's quit some months ago and I currently can't remember exactly, but I think I used the code provided from Niels above as well.

    In general our logic now works as follows:

    • User gets APM Login-Page displayed, where normal AD-credentials need to be entered
    • Credentials will be checked via AAA-profile
    • If successful a newly created AD-attribute for the shared secret will be checked
    • If available, the OTP will be created via iRule and requested in parallel from the user on a second APM-page -> if both are identical access is granted
    • If not available, APM via iRule/iRuleLX will create a new shared secret for that user and displays the result on a second APM-page -> once the user confirms that he's activate this key on his mobile-app, APM will update the AD and saves the shared key for that user -> additionally the OTP will be created and requested from the user as mentioned above

    So each user has to initialize his own OTP-app the first time he uses a MFA-protected VS. APM will manage all the users automatically via AD-Attribute.

    Hope that helps a little bit more.

     

    Ciao Stefan :)

    • Denis_Figeys's avatar
      Denis_Figeys
      Icon for Nimbostratus rankNimbostratus

      Stefan,

       

      Unfortunately, I cannot add or use an attribute in AD for this, hence I need therefore to use the local datagroup.

       

      Regards, Denis.