Forum Discussion

Nimbostratus

Sep 24, 2021

APM using Radius authentication with MFA breaks RDP/Citrix Single Sign-On

Interesting issue discovered (v14). We use Okta for MFA login on an APM policy. Our Okta allows for answering a security question (yes, not TRUE MFA, working to fix that policy), but this also appl...

application delivery

BIG-IP Access Policy Manager (APM)

jjarboe01

Nimbostratus

Sep 24, 2021

So, the answer here is actually simple. Right before the Radius authentication step, create a variable assign step, and set a variable called "session.original.last.password" to the value of the Session Variable "session.logon.last.password". Then, after the Radius step in the policy, do the reverse of this to reset the session.logon.last.password value from session.original.last.password. This way, you don't have to change every Citrix and RDP object in the policy to use another variable.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

APM using Radius authentication with MFA breaks RDP/Citrix Single Sign-On

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

Need Advice on below issue

SSO login for APM Profiles

Virtual Server Configuration requirements for ISO 8583 traffic (Single persistent TCP session)

threat hunting guide

Webtop which has VNC for macos users

Related Content

APM Cookbook: Single Sign On (SSO) using Kerberos

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Apache mod_auth_tkt Single Sign On

Digest based Single-Sign-On

iControl REST Authentication Token Management

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS