1

I have an issue while trying to use remote authentication on iControl REST API.

I have tried to configure remote authentication using the article "Configuring Remote User Authentication and Authorization" and have tried to make REST API calls using this article.

The following sentence was confusing for me:

"If you are using an external authentication provider, get the login reference from your system administrator.".

I'm not sure where I can get the login reference. When I try to create an authentication token without a login reference it works, but when I try to use the token from the response I get a 401 response.

I have also found a "workaround" on this site, and it sounds a little bit hacky too. I can't post a link to it, since I don't have 10 reputation points.

Can anyone confirm that the issue was fixed in v12 and has anyone tried using remote authentication with iControl REST API? If so, do you have any tips regarding the configuration and how to use it?

I have also asked the same question on the F5 site but I haven't received an answer yet. I also forgot to mention that I can log in to the device using the web console and PuTTY with an external account.

Any help would be appreciated.

Thank you

prole92
  • I asked someone from the DevCentral team at F5 to take a look at this for you and they'll validate prior to posting an answer. – Chase Oct 27 '15 at 16:41
  • That's great, thanks a lot! Here is a question I have asked on devcentral: [https://devcentral.f5.com/questions/icontrol-rest-remote-authentication-big-ip-v12](https://devcentral.f5.com/questions/icontrol-rest-remote-authentication-big-ip-v12) if it can help. I have not posted it in original question because of the 2 links limit. – prole92 Oct 27 '15 at 21:31
  • I'll check it out on DC. – Chase Oct 28 '15 at 16:18

2 Answers

1
URL: https://172.16.44.15/mgmt/shared/authn/login
Method: POST
Headers: Content-Type: application/json
Payload: {
    "username": "remote_user_name",
    "password": "remote_user_password",
    "loginProviderName": "tmos"
}

You will get a token that you will then place as the value in the X-F5-AUTH-TOKEN header.

Jason Rahm
  • Hi Jason, thanks for your response. The tmos here was what I was looking for. It can't be found in the documentation. I tested this solution and it works with a slight modification when using LDAP. When using LDAP you still need to pass basic authentication in the header with credentials. – prole92 Nov 22 '15 at 21:58
  • This is true for the initial request, but shouldn't need it afterwards. – Jason Rahm Nov 26 '15 at 04:23
  • Of course, when you get the token, you just need to add it to the header. Once again, Thanks a bunch! This saved me a lot of trouble. – prole92 Nov 28 '15 at 11:18
1

Authenticating against LDAP is confusing. You have to pass both the Basic auth header and the tmos token information.

# Prompt for credentials only if none are cached in this session.
if ($null -eq $f5Creds)
{
    $f5Creds = Get-Credential
}

# Basic auth value for the initial login request.
$base64EncodedAuth = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(('{0}:{1}' -f $f5Creds.UserName, $f5Creds.GetNetworkCredential().Password)))

$reqHeaders = @{
    "Content-Type" = "application/json"
    "Authorization" = "Basic {0}" -f $base64EncodedAuth
}

$f5Host = '<f5 hostname or IP>'
$f5BaseUri = 'https://{0}/mgmt' -f $f5Host
$f5AuthUri = '{0}/shared/authn/login' -f $f5BaseUri

# Login body: the same credentials plus the "tmos" login provider.
$f5AuthBody = @{
    "username" = $f5Creds.UserName
    "password" = $f5Creds.GetNetworkCredential().Password
    "loginProviderName" = "tmos"
} | ConvertTo-Json

# POST the login request; the response carries the auth token.
$f5AuthToken = Invoke-RestMethod -Uri $f5AuthUri -Method:Post -Headers $reqHeaders -Body $f5AuthBody
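
The two-step flow from both answers, written out in Python as an added example (not code from either answer or from F5): the login request carries Basic auth plus the `tmos` provider, and follow-up requests carry only `X-F5-AUTH-TOKEN`. The response shape (`token.token`), the sample response and the function names are assumptions made for illustration.

```python
import base64
import json
import urllib.request

LOGIN_PATH = "/mgmt/shared/authn/login"

# Constructed sample response (not captured from a device). Assumption: the
# token string is found at response["token"]["token"].
SAMPLE_LOGIN_RESPONSE = '{"username": "remote_user_name", "token": {"token": "EXAMPLETOKEN123"}}'


def build_login_request(host, username, password, provider="tmos"):
    """Initial POST: Basic auth header plus the JSON login body."""
    basic = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    body = json.dumps({
        "username": username,
        "password": password,
        "loginProviderName": provider,
    }).encode("utf-8")
    return urllib.request.Request(
        f"https://{host}{LOGIN_PATH}",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {basic}"},
    )


def extract_token(response_text):
    """Return the token string from the login response, or raise ValueError."""
    token = json.loads(response_text).get("token")
    value = token.get("token") if isinstance(token, dict) else None
    if not value:
        raise ValueError("login response carried no token")
    return value


def build_api_request(host, path, token):
    """Follow-up call: token header only, so the password is not re-sent."""
    return urllib.request.Request(
        f"https://{host}{path}",
        headers={"X-F5-AUTH-TOKEN": token},
    )
```

Send either request with `urllib.request.urlopen(req)`, which validates the device's TLS certificate by default.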