Forum Discussion

Luis_P__219317
Sep 11, 2015

New password policy enforcement on APM local users

Hi,

 

I'm setting up a new APM to give users remote access to specific networks. Users are created in the local database (I'm not using remote authentication). I've checked the "Force Password Change" on all users to allow them to use the pass they want, but there isn't any restriction about the new password (length, type of characters to use...).

 

Instead, there's a single field to introduce the new password, which means that if the user's new password has a typing mistake, he/she won't be able to log in again.

 

Do you know how to set a two-field new password prompt? How can I check if the new password meets some enforcement requirements (I don't know how to read/check this variable)?

 

I've been searching several websites, but didn't figure out how to do this.

 

Thanks in advance!

 

Regards, Luis.

 

3 Replies

  • I'm afraid that isn't possible at this moment. But as with APM you can build something yourself if you feel up to it, see the link for some inspiration:

     

    https://devcentral.f5.com/questions/apm-1141-local-user-database-password-policy

     

    The same goes for the double password field: add a second one and add logic to compare them to each other.

     

    Might not be what you want, but I believe this is what you get at this stage. Feel free to join the RFE mentioned in the link and add another for the double field.

     

  • This is how I finally did it. I've checked it and it seems to be fine:

     

    You have to edit the logon page on:

     

    Access Policy / Customization / Advanced

     

    Then, in the folder tree structure on the left, you have to go to:

     

    Customization Settings / Access Profiles / / Access Policy / Logon Pages / Logon Page / logon.inc

     

    By clicking the "logon.inc" file, you should see an editor on the right.

     

    There, you'll see the section where the new password is required:

     

    // varname _F5_challenge is reserved post var name for challenge password
    if ($challenge == 1) {
    
        $fields_settings = array(   1 => array( "type" => "password", "name" => "_F5_challenge",  "varname" => "password", "rw" => "1", "caption" => "" ),
                                    2 => array( "type" => "none" ), 3 => array( "type" => "none" ), 4 => array( "type" => "none" ), 5 => array( "type" => "none" ) );

    You have to set the second field of the array to get a new field on the form. Also, you may add a "caption", which will be the text before the field:

     

    // varname _F5_challenge is reserved post var name for challenge password
    if ($challenge == 1) {
    
        $fields_settings = array(   1 => array( "type" => "password", "name" => "_F5_challenge",  "varname" => "password", "rw" => "1", "caption" => "New pass" ),
                                    2 => array( "type" => "password", "name" => "_F5_verify_password",  "varname" => "verify_password", "rw" => "1", "caption" => "Verify new pass" ), 3 => array( "type" => "none" ), 4 => array( "type" => "none" ), 5 => array( "type" => "none" ) );

    Using that field "name" and "varname", the code will automatically check whether the two fields match.

     

    That is done on the verifyNewPassword function, which I also edited to check the field length:

     

    Look for this code:

     

    if( inputs[0].value != inputs[1].value ){
                alert("%[wrong_match]");
                inputs[0].focus();
                return false;
            }

    That is where the code checks if the two inputs match.

     

    Then, I added:

     

    else {
                if( inputs[0].value.length < 6 ){
                    alert("New password must have 6 characters at least.");
                    inputs[0].focus();
                    return false;
                }

    So the verifyNewPassword function will look like this:

     

    function verifyNewPassword()
    {
        var form = document.getElementById( globalFormId );
        if( form == null ){
            return true;
        }
    
        var inputs = form.getElementsByTagName("input");
        if( inputs.length >= 2 && inputs[0].name == "_F5_challenge" && inputs[0].type == "password" && inputs[1].name == "_F5_verify_password" && inputs[1].type == "password" ){
            if( inputs[0].value != inputs[1].value ){
                alert("Two fields doesn't match.");
                inputs[0].focus();
                return false;
            } else {
                if( inputs[0].value.length < 6 ){
                    alert("New password must have 6 characters at least.");
                    inputs[0].focus();
                    return false;
                }else{
                    // Not sending the second field.
                    inputs[1].disabled = true;
    
                    try{
                        if( window.external ){
                            if( undefined != window.external.WebLogonPassword ){
                                window.external.WebLogonPassword = inputs[0].value;
                            }
                        }
                    } catch(e) { }
                }
            }
        }
        return true;
    }

    Then, just save the code and apply the new policy.
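
An added example, not part of the original post or F5's own code: it extends the length check in the reply above to the character-type rule the question asked about, as a function that `verifyNewPassword()` could call. The function names, the `PASSWORD_POLICY` object and the three-of-four class rule are assumptions; like the code in the post, it runs in the browser, so it guides the user but is not a server-side control.

```javascript
// Added example: names and policy values below are assumptions, not F5 settings.
var PASSWORD_POLICY = {
    minLength: 6,   // same minimum as the check in the post
    minClasses: 3   // assumed rule: 3 of lowercase, uppercase, digit, other
};

// Count how many of the four character classes appear in the password.
function countCharClasses(pw) {
    var classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
    var found = 0;
    for (var i = 0; i < classes.length; i++) {
        if (classes[i].test(pw)) { found++; }
    }
    return found;
}

// Return null when the pair is acceptable, otherwise the message to show.
function checkNewPassword(pw, verify, policy) {
    policy = policy || PASSWORD_POLICY;
    if (pw !== verify) {
        return "The two fields do not match.";
    }
    if (pw.length < policy.minLength) {
        return "New password must have at least " + policy.minLength + " characters.";
    }
    if (countCharClasses(pw) < policy.minClasses) {
        return "New password must mix at least " + policy.minClasses +
            " of: lowercase, uppercase, digits, other characters.";
    }
    return null;
}

// Core of verifyNewPassword(): takes the form's input list and returns
// { ok, message }. On success the verify field is disabled so it is not
// posted, as in the function from the post.
function validateChallengeInputs(inputs) {
    var isPair = inputs.length >= 2 &&
        inputs[0].name === "_F5_challenge" && inputs[0].type === "password" &&
        inputs[1].name === "_F5_verify_password" && inputs[1].type === "password";
    if (!isPair) {
        return { ok: true, message: null };  // not the password-change form
    }
    var message = checkNewPassword(inputs[0].value, inputs[1].value);
    if (message === null) {
        inputs[1].disabled = true;
    }
    return { ok: message === null, message: message };
}
```

Inside `verifyNewPassword()`, pass the `inputs` collection to `validateChallengeInputs()`; when `ok` is false, show `message`, focus `inputs[0]` and return false.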