AUTH::abort

Description

Cancels any outstanding auth operations in this authentication session, and generates an AUTH_FAILURE event if there was an outstanding authentication query in progress. This command invalidates the specified authentication session ID, which should be discarded upon calling this command.

Syntax

AUTH::abort authid

AUTH::abort authid

  • Cancels any outstanding auth operations in this authentication session, and generates an AUTH_FAILURE event if there was an outstanding authentication query in progress. This command invalidates the specified authentication session ID, which should be discarded upon calling this command.

Examples

This rule demonstrates one possible implementation of a 2-out-of-3 authentication scheme. 3 auth servers are contacted simultaneously. The connection is permitted to proceed as soon as 2 servers report success.
when CLIENT_ACCEPTED {
    # Per-connection state for the 2-out-of-3 scheme below: how many
    # backends must report success, and how many have done so far.
    set auth_http_sufficient_successes 2
    set auth_http_successes 0
}
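when HTTP_REQUEST {
    # Requests on an already authenticated connection pass straight through.
    # This state is kept per TCP connection, not per request or per
    # credential: later requests on a kept-alive connection are not
    # re-authenticated.
    if {$auth_http_successes >= $auth_http_sufficient_successes} {
        return
    }

    # Start every authentication attempt from a clean count. Without this
    # reset, a success counted during an earlier attempt on this connection
    # that ended in a 401 would still count toward the threshold of the
    # next attempt, lowering it to 1-out-of-3.
    set auth_http_successes 0
    set auth_http_collect_count 0

    # Query the three backends in parallel with the same credentials. The
    # session IDs are stored so the remaining queries can be aborted once
    # the threshold is reached; the counter records how many results are
    # still expected.
    foreach {type profile} {ldap default_ldap radius default_radius tacacs default_tacacs} {
        set auth_sid [AUTH::start pam $profile]
        set auth_http_sids($type) $auth_sid
        AUTH::username_credential $auth_sid [HTTP::username]
        AUTH::password_credential $auth_sid [HTTP::password]
        AUTH::authenticate $auth_sid
        incr auth_http_collect_count
    }

    # Hold the request until the AUTH_RESULT handler either releases it or
    # responds with a 401.
    HTTP::collect
}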
when AUTH_RESULT {
    # Ignore results that arrive after the array has been cleared, i.e.
    # after the request was already released or rejected.
    if {[array size auth_http_sids] == 0} {
        return
    }
    set auth_sid [AUTH::last_event_session_id]
    # A status of 0 is counted as success; any other value falls through
    # to the failure handling below.
    if {[AUTH::status] == 0} {
        incr auth_http_successes
        if {$auth_http_successes >= $auth_http_sufficient_successes} {
            # Threshold reached: drop every tracked session and abort it,
            # then let the request through. The array is emptied before
            # aborting so that any event raised by aborting a still
            # pending session is ignored by the early return above.
            foreach {type sid} [array get auth_http_sids] {
                unset auth_http_sids($type)
                # No sid is ever stored as -1 in this rule; this is a
                # defensive guard only.
                if {$sid != -1} {
                    AUTH::abort $sid
                }
            }
            set auth_http_collect_count 0
            HTTP::release
            return
        }
    }
    # A failure, or a success that did not reach the threshold: retire the
    # session that produced this event. Once every backend has answered
    # without reaching the threshold, reject the request.
    # NOTE(review): auth_http_successes is not reset on the 401 path, so a
    # partial success is carried into the next attempt on this connection
    # unless the handler that starts a new attempt resets it.
    foreach {type sid} [array get auth_http_sids] {
        if {$sid == $auth_sid} {
            unset auth_http_sids($type)
            AUTH::abort $sid
            incr auth_http_collect_count -1
            if {$auth_http_collect_count == 0} {
                HTTP::respond 401
            }
            break
        }
    }
}