F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

cymru81's avatar
cymru81
Icon for Altocumulus rankAltocumulus
Sep 10, 2013

BigIP APM - AD & RSA auth

Hi, Am looking to setup Access policy on a Big IP so that users need to 2FA with an AD username password and a native secured pin to be able to login. Currently can get one of them working but not b...
BIG-IP Access Policy Manager (APM)
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 10, 2013

Do you want to present a logon page where the user enters user/pass and PIN? If so, try this:

  1. In the visual policy editor, start with your logon page and add a third field (we'll call it "token") - of type password.

  2. Both AD auth and SecurID agents use the session.logon.last.password session variable, so after the logon page, save the logon page's password to a separate session (temporary) session variable, re-assign session.logon.last.password to be the token value from the logon page, and pass this to the RSA SecurID agent. 

    session.logon.temp.password = mcget {session.logon.last.password}
session.logon.last.password = mcget {session.logon.last.token}

  3. Out of the successful branch of the SecurID agent, swap the variables so that the user's password is back in the session.logon.last.password session variable, and pass to AD Auth.

    session.logon.last.password = mcget {session.logon.temp.password}

This should get you through both auth agents.