ltm rule command AUTH authenticate continue
iRule(1) BIG-IP TMSH Manual iRule(1)
AUTH::authenticate_continue
Continues an authentication operation.
SYNOPSIS
AUTH::authenticate_continue AUTH_ID RESPONSE
DESCRIPTION
Continues an authentication operation by providing the specified string as the credential response for the most recent
authorization prompt. This command is only available when the event AUTH_WANTCREDENTIAL is the most recent event
generated, and no AUTH::credential commands have been issued since the event, for the specified authentication ID. Unlike
the AUTH::credential commands, the string credential provided by this command does not get cached, even if the desired
credential type had been identified (see the AUTH::wantcredential_type command). This command is especially useful in
providing authentication services to interactive protocols (such as telnet, ftp, and so on), where the actual text prompts
and responses might be directly communicated with the remote user.
AUTH::authenticate_continue
* Continues an authentication operation by providing the specified
string as the credential response for the most recent authorization
prompt.
RETURN VALUE
VALID DURING
EXAMPLES
The example below is less efficient than the builtin system auth rules,
and should be considered only a demonstration of
AUTH::authenticate_continue. The AUTH::authenticate_continue command
serves limited purpose at this time since as of this writing, the
authentication modules present on BIG-IP are primarily
username/password based. Since the authentication credential prompts
are well-known, one can always provide the credentials in advance of
calling AUTH::authenticate.
when CLIENT_ACCEPTED {
set auth_stage 0
}
when HTTP_REQUEST {
if {$auth_stage > 0} {
return
}
set auth_sid [AUTH::start pam some_interactive_pam_auth_service]
set http_username [HTTP::username]
set http_password [HTTP::password]
AUTH::authenticate $auth_sid
HTTP::collect
}
when AUTH_RESULT {
set auth_status [AUTH::status]
if {$auth_status == 0} {
incr auth_stage
AUTH::abort $auth_sid
HTTP::release
} elseif {$auth_status == 2} {
set auth_prompt [string tolower [string range [AUTH::wantcredential_prompt $auth_sid] 0 7]]
if {($auth_prompt == "username") and ($http_username != "")} {
AUTH::authenticate_continue $auth_sid $http_username
} elseif {($auth_prompt == "password") and ($http_password != "")} {
AUTH::authenticate_continue $auth_sid $http_password
} else {
HTTP::respond 401
}
} else {
HTTP::respond 401
}
}
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-9.0.0 --First introduced the command.
BIG-IP 2022-04-12 iRule(1)