Bug ID 1350717: When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off'

Last Modified: Jul 24, 2024

Affected Product(s):
BIG-IP LTM, TMOS(all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3

Fixed In:
16.1.5

Opened: Sep 11, 2023

Severity: 3-Major

Symptoms

The sys httpd auth-pam-validate-ip setting is 'on' by default. This setting restricts each client session to a single source IP address: the session is terminated if the source IP of the client changes during the session.

If browsers connect to the Configuration Utility through a proxy, their source IP addresses might change during a session. In this case you might want to set auth-pam-validate-ip to 'off' to avoid session termination when mod_auth_pam detects a client IP change for one of the existing session tokens (see https://my.f5.com/manage/s/article/K13048).

When auth-pam-validate-ip is set to 'off', the setting does not work as expected if the client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility. If the client IP address changes after a few HTTP requests and responses, instead of changing immediately after the user authentication, then the user is correctly allowed to continue their Configuration utility session.

Impact

A user trying to authenticate into the Configuration utility is redirected to the authentication page immediately after inserting their username and password, even if the username and password are accepted by the system.

Conditions

- The "tmsh /sys httpd auth-pam-validate-ip" configuration setting is set to 'off'.
OR
- The same setting in the Configuration utility, the check box under "System > Preferences > Require A Consistent Inbound IP For the Entire Web Session", is cleared.
- The client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.

Workaround

If the users of the Configuration utility are behind a proxy that might change their IP address, use the same IP address for as long as possible (configure source address persistence on the proxy).

Fix Information

None

Behavior Change
