Cisco Duo 2FA on F5 BIG-IP cluster with multiple partitions
Hello,
We're currently deploying Cisco Duo as our 2-factor solution.
Our F5 cluster has 3 partitions in addition to the Common partition (which is quite empty and unused at the moment):
- internal (load-balancer service for our internal applications)
- dmz (mostly reverse proxy / lb in front of our public web applications)
- vpn (partition dedicated to VPN and portal access)
At first, we planned to go for the F5 BIG-IP RADIUS based configuration but we found out later on that this solution was going to be deprecated soon.
So we started to implement the solution described as F5 BIG-IP APM with OIDC Web Duo Prompt.
First, we got the "HTTP error 503, DNS lookup failed" issue, that we solved by adding a specific DNS resolver configuration.
But now we're facing the following error: HTTP error 503, Connect failed. It looks like APM is not sending any traffic outside of our F5 devices when doing the POST request on the Cisco Duo API to get a token (no firewall log, no traffic captured with tcpdump).
We read the KB again and again, and eventually noticed:
Note: BIG-IP APM currently does not support OAuth token request through a non-default route domain. For example, if the Authorization server is configured on a non-default route domain from the BIG-IP APM system, the system will log this error message.
And then we found the following article:
BIG-IP APM systems configured with the OAuth client cannot obtain the access token because the 'OAuth Token Request' is sent through the default route domain (route domain 0) when attempting to communicate with the OAuth Authorization Server.
Do these notes mean that we cannot set up APM with Cisco Duo in our VPN partition? How do you set this up on your side?
We tried to move the OAuth settings to the Common partition but we quickly faced the "DNS lookup" issue as we have no IP configuration in this partition.
We're a bit stuck.. We don't really know what to do next.
Thank you for your help
Thomas
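The quoted KB notes say the APM OAuth token request always leaves through route domain 0, so the first thing to check is which partitions use a non-default route domain. The script below is an added example, not part of the original post or of any F5 tooling: it parses the output of `tmsh list auth partition` (output format and the sample route-domain ids are assumed/constructed) and flags partitions whose default route domain is not 0, i.e. where an OAuth server object would hit exactly this limitation.

```python
import re

# Constructed sample of `tmsh list auth partition` output. The exact
# format and the route-domain ids are assumptions, not taken from a real device.
SAMPLE_PARTITIONS = """\
auth partition Common {
    description "default partition"
}
auth partition dmz {
    default-route-domain 2
}
auth partition internal {
    default-route-domain 1
}
auth partition vpn {
    default-route-domain 3
}
"""

# One block per partition: name followed by a brace-delimited property list.
BLOCK_RE = re.compile(r"auth partition (\S+) \{(.*?)\}", re.S)
# The property that matters here; absent means route domain 0.
RD_RE = re.compile(r"default-route-domain (\d+)")


def parse_partitions(text):
    """Return {partition name: default route domain id} from tmsh output."""
    result = {}
    for name, body in BLOCK_RE.findall(text):
        m = RD_RE.search(body)
        result[name] = int(m.group(1)) if m else 0
    return result


def partitions_blocked_for_apm_oauth(text):
    """Partitions whose default route domain is not 0.

    Per the KB note quoted above, the APM 'OAuth Token Request' is sent via
    route domain 0 regardless of where the OAuth server object lives, so an
    OAuth server placed in one of these partitions will not reach Duo unless
    the authorization server is reachable from route domain 0.
    """
    return sorted(n for n, rd in parse_partitions(text).items() if rd != 0)


if __name__ == "__main__":
    for name, rd in parse_partitions(SAMPLE_PARTITIONS).items():
        print(f"{name:10s} default route domain {rd}")
    print("affected:", partitions_blocked_for_apm_oauth(SAMPLE_PARTITIONS))
```

On a real device, feed it the output of `tmsh list auth partition` instead of the constructed sample.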