Forum Discussion

Nimbostratus

Aug 05, 2016

APM - RADIUS Variables

We have a APM profile that runs our VPN. Currently, the users input the SAMAccountName into the username field, and then in the password field, the combine their 2 factor token and their password. We...

application delivery

BIG-IP Access Policy Manager (APM)

security

Lucas_Thompson_
Aug 05, 2016
Unfortunately all authentication Policy items (AD auth, RADIUS auth, LDAP, securid auth) assume that:

The source of the username is "session.logon.last.username"
The source of the password is "session.logon.last.password"
The source of the password is encrypted

So in order to do any 2-factor authentication you have to:

collect the token, username, and password together in the logon page
make sure your token code is in session.logon.last.password (use a variable assign)
do the token auth
make sure your password is in session.logon.last.password (use a variable assign)
do the password auth
make sure the SSO variables are mapped to the password auth

We do have an enhancement request ID400742 to allow for a user-defined tokencode source for RADIUS, which eliminates the variable assign step(s) (1-2 depending on how your access policy is set up). If you think this would be helpful, you can feel free to open a support ticket to request this functionality. Provide the ID number in the ticket.

Lucas_Thompson_

Historic F5 Account

Aug 05, 2016

Unfortunately all authentication Policy items (AD auth, RADIUS auth, LDAP, securid auth) assume that:

The source of the username is "session.logon.last.username"
The source of the password is "session.logon.last.password"
The source of the password is encrypted

So in order to do any 2-factor authentication you have to:

collect the token, username, and password together in the logon page
make sure your token code is in session.logon.last.password (use a variable assign)
do the token auth
make sure your password is in session.logon.last.password (use a variable assign)
do the password auth
make sure the SSO variables are mapped to the password auth

We do have an enhancement request ID400742 to allow for a user-defined tokencode source for RADIUS, which eliminates the variable assign step(s) (1-2 depending on how your access policy is set up). If you think this would be helpful, you can feel free to open a support ticket to request this functionality. Provide the ID number in the ticket.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

APM - RADIUS Variables

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

APM Cookbook: Dynamic APM Variables

iRule based RADIUS Health Monitor Builder

APM Session Variable Logging

iRule based RADIUS Server Stack

BIG-IP APM: RADIUS and SSO mapping broken

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS