Bug ID 753536: iControl REST now allows basic authentication for Administrator role users with remote authentication

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,, 15.0.0, 15.0.1,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,, 16.0.0,, 16.0.1,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,, 17.0.0,,

Opened: Dec 18, 2018
Severity: 4-Minor


Prior to 13.1.0, basic authentication was not permitted in iControl REST with remote authentication configured. Starting in 13.1.0, basic authentication now succeeds when remote authentication is utilized, provided that the received role is that of Administrator.


iControl REST traffic using basic authentication with valid credentials with an Administrator role fails in versions 13.0.0 and earlier and succeeds in versions 13.1.0 and later.


Remote authentication configured and basic authentication utilized in iControl REST API calls, and one of the following: -- Software versions 13.0.0 and earlier. -- Software versions 13.1.0 and later.


This is intended behavior and is functioning properly. The result is a success (an implied HTTP code 200) or a failure (explicit code 401). In 13.0.0 and earlier, a 401 is received when performing basic auth with a user configured with any role. In 13.1.0 and later, basic auth succeeds if the user role is Administrator, otherwise it continues to fail in the same fashion it did previously.

Fix Information


Behavior Change

In v13.1.0 and later, iControl REST allows the use of basic authentication for users with a role of Administrator when remote authentication is configured. In v13.0.0 and earlier, the operation fails. Although this is a behavior change, it is intended functionality.