APM using Radius authentication with MFA breaks RDP/Citrix Single Sign-On

Question

Interesting issue discovered (v14).  We use Okta for MFA login on an APM policy.  Our Okta allows for answering a security question (yes, not TRUE MFA, working to fix that policy), but this also applies if you use a 6 digit code.  F5 is overwriting the session.logon.last.password variable with the last input on the Radius step, thus breaking the single-signon to RDP and Citrix.

jjarboe01 · Answer

So, the answer here is actually simple.  Right before the Radius authentication step, create a variable assign step, and set a variable called "session.original.last.password" to the value of the Session Variable "session.logon.last.password".  Then, after the Radius step in the policy, do the reverse of this to reset the session.logon.last.password value from session.original.last.password.  This way, you don't have to change every Citrix and RDP object in the policy to use another variable.

Forum Discussion

APM using Radius authentication with MFA breaks RDP/Citrix Single Sign-On

1 Reply

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Sending an HTTP request from iRule without delaying client requests

Route Domains HA & Traffic Groups

Horizon View iApp - Big-IP 17.5

r4600 Tenant CPU Assignment

BGP Over 2 vlans to 2 Network switch

Related Content

APM Cookbook: Single Sign On (SSO) using Kerberos

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Banking Authentication, Solar, Patch Tuesday, DEF CON

Zero Trust building blocks - Leverage F5 NGINX Plus Single Sign-On (SSO) and F5 XC

Doing mTLS Authentication per URL

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS