BigIP APM - AD & RSA auth

Question

Hi, Am looking to setup Access policy on a Big IP so that users need to 2FA with an AD username password and a native secured pin to be able to login. Currently can get one of them working but not both. Is this achieveable and straight forward? thanks.

kevin_stewart · Answer

Do you want to present a logon page where the user enters user/pass and PIN? If so, try this:

In the visual policy editor, start with your logon page and add a third field (we'll call it "token") - of type password.

Both AD auth and SecurID agents use the session.logon.last.password session variable, so after the logon page, save the logon page's password to a separate session (temporary) session variable, re-assign session.logon.last.password to be the token value from the logon page, and pass this to the RSA SecurID agent. 
session.logon.temp.password = mcget {session.logon.last.password}
session.logon.last.password = mcget {session.logon.last.token}

Out of the successful branch of the SecurID agent, swap the variables so that the user's password is back in the session.logon.last.password session variable, and pass to AD Auth.
session.logon.last.password = mcget {session.logon.temp.password}

This should get you through both auth agents.

cymru81 · Answer

Thanks, we do want to present a logon page where the user enters domain username, domain password and secure id pin.  I tried adding the variable straight out of the logon page and am getting:&nbsp;
010712163: in variable assignment agent (/common/uris_2_act_variable_assign_Ag) varname (session.login.temp.password) can only have [A-Za z0-9_/-,], &nbsp;
I might be doing this wrong as im totally new to this...!&nbsp;

kevin_stewart · Answer

Your variable assignment just needs to store the user-entered value from the logon page into a temporary session variable, then swap it back after the first auth agent. How do you have it configured now?

cymru81 · Answer

think it was my typo or similar, used this and it appears to be going:&nbsp;
session.logon.last.password = expr { [mcget -secure session.logon.last.token] }&nbsp;
thanks very much!&nbsp;

thexfactor82_91 · Answer

When building the policy within APM is there any preference as to which agent comes first after the login page? My assumption would be SecurID followed by AD but I've seen another post showing the opposite (https://devcentral.f5.com/questions/f5-apm-mutiple-authentication-method)

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

BigIP APM - AD & RSA auth

6 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Deleting an AS3 Tenant

Request for Bug Tracker/Known Issues – BIG-IP Version 17.5.1.2

AST Configuration Assistance

Related Content

Re: BigIP Report

BigIP Report Old

APM Access Policy|SSLVPN | SAML auth questionnaires

APM Kerberos Auth or fallback to another authentication method

Securing APIs with BigIP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS