Forum Discussion

Nimbostratus

Sep 24, 2021

APM using Radius authentication with MFA breaks RDP/Citrix Single Sign-On

Interesting issue discovered (v14). We use Okta for MFA login on an APM policy. Our Okta allows for answering a security question (yes, not TRUE MFA, working to fix that policy), but this also appl...

application delivery

BIG-IP Access Policy Manager (APM)

jjarboe01

Nimbostratus

Sep 24, 2021

So, the answer here is actually simple. Right before the Radius authentication step, create a variable assign step, and set a variable called "session.original.last.password" to the value of the Session Variable "session.logon.last.password". Then, after the Radius step in the policy, do the reverse of this to reset the session.logon.last.password value from session.original.last.password. This way, you don't have to change every Citrix and RDP object in the policy to use another variable.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

APM using Radius authentication with MFA breaks RDP/Citrix Single Sign-On

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

Help with an iRule to disconnect active connections to Pool Members that are "offline"

block a specific user

ASM/AWAF declarative policy

OOB Security Notification — Why you should patch NGINX Plus/Open Source now

Cloud Apps Protection

Related Content

APM Cookbook: Single Sign On (SSO) using Kerberos

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Apache mod_auth_tkt Single Sign On

Digest based Single-Sign-On

iControl REST Authentication Token Management

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS