Forum Discussion

ThomasP
Jan 16, 2024

Cisco Duo 2FA on F5 BIG-IP cluster with multiple partitions

Hello,

We're currently deploying Cisco Duo as our 2-factor solution.

Our F5 cluster has 3 partitions in addition to the common partition (which is quite empty and unused at the moment):

- internal (load-balancer service for our internal applications)

- dmz (mostly reverse proxy / lb in front of our public web applications)

- vpn (partition dedicated to VPN and portal access)

At first, we planned to go for the F5 BIG-IP RADIUS based configuration but we found out later on that this solution was going to be deprecated soon.

So we started to implement the solution described as F5 BIG-IP APM with OIDC Web Duo Prompt.

First, we got the "HTTP error 503, DNS lookup failed" issue, that we solved by adding a specific DNS resolver configuration.

But now we're facing the following error: HTTP error 503, Connect failed. It looks like APM is not sending any traffic outside of our F5 devices when doing the POST request on the Cisco Duo API to get a token (no firewall log, no traffic captured with tcpdump).

We read the KB again and again, and eventually noticed:

Note: BIG-IP APM currently does not support OAuth token request through a non-default route domain. For example, if the Authorization server is configured on a non-default route domain from the BIG-IP APM system, the system will log this error message.

And then we found the following article:

BIG-IP APM systems configured with the OAuth client cannot obtain the access token because the 'OAuth Token Request' is sent through the default route domain (route domain 0) when attempting to communicate with the OAuth Authorization Server.

Do these notes mean that we cannot set up APM with Cisco Duo in our VPN partition? How do you set this up on your side?

We tried to move the OAuth settings to the common partition but we quickly faced the "DNS lookup" issue as we have no IP configuration in this partition.

We're a bit stuck. We don't really know what to do next.

Thank you for your help

Thomas

  • We just read again the howto for the Radius configuration and eventually noticed that a radius configuration is still possible.

    The iframe-based traditional Duo Prompt in F5 BIG-IP RADIUS configurations will reach end of life on March 30, 2024. Customers must migrate to a supported Duo Single Sign-On application with Universal Prompt or a RADIUS configuration without the iframe before that date for continued access.
    • Yep. So it looks like they are still supporting RADIUS Auto Push (as opposed to Duo Prompt w/ iFrame). If you wanted to go down this route, you would still need to set up a separate Duo Proxy server in your environment and edit the authproxy.cfg file as per the below article with a [radius_server_auto] heading:

      F5 BIG-IP APM with Duo RADIUS Auto Push | Duo Security
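As an added example that is not part of this reply or of Duo's documentation: a small Python check over a constructed authproxy.cfg fragment of the kind the RADIUS Auto Push article describes. The [radius_server_auto] section and the key names (ikey, skey, api_host, radius_ip_1, radius_secret_1, client, port, failmode) are the ones Duo documents for the Authentication Proxy; verify them against the current Duo article, and all values here are placeholders. The point of the check is the failmode line: the proxy's documented default is "safe", which lets first-factor-only logins through when Duo is unreachable, so a deployment that wants the second factor enforced sets "secure".

```python
import configparser

# Constructed authproxy.cfg fragment with placeholder values. Section and key
# names follow Duo's RADIUS Auto Push documentation; nothing here is a real key.
SAMPLE_AUTHPROXY_CFG = """\
[ad_client]
host=dc1.example.internal
service_account_username=duo-svc
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=example,DC=internal

[radius_server_auto]
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=10.0.0.5
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
client=ad_client
port=1812
failmode=safe
"""

# Keys a [radius_server_auto] section needs before the proxy can serve a BIG-IP RADIUS AAA server.
REQUIRED_KEYS = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1", "client")


def check_radius_server_auto(cfg_text: str) -> list:
    """Return a list of problems found in the [radius_server_auto] section (empty if clean)."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    if not cp.has_section("radius_server_auto"):
        return ["no [radius_server_auto] section: the BIG-IP RADIUS AAA server has nothing to talk to"]
    sec = cp["radius_server_auto"]
    issues = [f"missing {key}" for key in REQUIRED_KEYS if not sec.get(key)]
    # The primary authentication client (ad_client, radius_client, ...) must itself be defined.
    client = sec.get("client")
    if client and not cp.has_section(client):
        issues.append(f"client={client} names a section that is not defined")
    # Duo's documented default is failmode=safe (fail open). Flag anything that is not fail closed.
    if sec.get("failmode", "safe").strip().lower() != "secure":
        issues.append("failmode is not 'secure': if the proxy cannot reach Duo, "
                      "first-factor-only logins are allowed through")
    return issues


if __name__ == "__main__":
    for issue in check_radius_server_auto(SAMPLE_AUTHPROXY_CFG) or ["no issues found"]:
        print(issue)
```

Run it against a copy of the real authproxy.cfg with the secrets blanked; an empty result means the section is complete and fails closed.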

  • Hi Thomas,

    Could you please run the following commands from TMSH (please omit any sensitive configuration from the output):

    cd /
    
    list apm oauth oauth-resource-server recursive
    list net route-domain recursive
    list net route recursive
    list net dns-resolver /*/*
    list net dns-resolver /*/*/*
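As an added example that is not part of this reply or of F5's own tooling: a Python parser over constructed samples in the shape of two of the listings requested above (`list net route-domain recursive` and `list net dns-resolver /*/*`), which reports the conditions the KB note quoted in the thread says APM OAuth cannot use, namely non-default route domains and DNS resolvers bound to one. The route-domain names, ids, VLANs and nameserver addresses are made up for this example; the brace-structured layout is the usual tmsh `list` output, and the attribute names `id` and `route-domain` are the ones tmsh prints for these object types.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of tmsh `list net route-domain recursive` and
# `list net dns-resolver /*/*` output. Names, ids and addresses are made up.
SAMPLE_TMSH = """\
net route-domain /Common/0 {
    id 0
    vlans {
        /Common/external
    }
}
net route-domain /vpn/rd-vpn {
    id 10
    vlans {
        /vpn/vlan-vpn
    }
}
net dns-resolver /Common/default-resolver {
    forward-zones {
        . {
            nameservers {
                10.0.0.53:53 { }
            }
        }
    }
    route-domain /Common/0
}
net dns-resolver /vpn/duo-resolver {
    forward-zones {
        . {
            nameservers {
                10.10.0.53:53 { }
            }
        }
    }
    route-domain /vpn/rd-vpn
}
"""


@dataclass
class TmshObject:
    kind: str                                             # e.g. "net route-domain"
    path: str                                             # e.g. "/vpn/rd-vpn"
    attrs: dict[str, str] = field(default_factory=dict)   # scalar attributes at the object's top level

    @property
    def partition(self) -> str:
        return self.path.split("/")[1]


# An object header line: "<module> <type> /<partition>/<name> {"
HEADER = re.compile(r"^(\S+ \S+) (/\S+) \{$")


def parse_tmsh(text: str) -> list[TmshObject]:
    """Parse brace-structured tmsh listing output into a flat list of objects.

    Only scalar "key value" lines directly inside an object are kept; nested blocks
    (vlans, forward-zones, ...) are skipped, with their braces tracked so that the
    object boundary is found correctly.
    """
    objects: list[TmshObject] = []
    current: TmshObject | None = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if depth == 0:
            m = HEADER.match(line)
            if m:
                current = TmshObject(m.group(1), m.group(2))
                objects.append(current)
                depth = 1
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 1 and current is not None:
            key, _, value = line.partition(" ")
            current.attrs[key] = value
    return objects


def route_domain_findings(objects: list[TmshObject]) -> dict[str, list[str]]:
    """Flag non-default route domains and resolvers bound to them.

    The KB note says the APM OAuth token request egresses through route domain 0,
    so these are the objects to look at when the request fails with "Connect failed".
    """
    rd_ids = {o.path: int(o.attrs.get("id", "0")) for o in objects if o.kind == "net route-domain"}
    non_default = [path for path, rd_id in rd_ids.items() if rd_id != 0]
    resolvers = [
        o.path for o in objects
        if o.kind == "net dns-resolver"
        and rd_ids.get(o.attrs.get("route-domain", "/Common/0"), 0) != 0
    ]
    return {"non_default_route_domains": non_default, "resolvers_on_non_default_rd": resolvers}


if __name__ == "__main__":
    for category, paths in route_domain_findings(parse_tmsh(SAMPLE_TMSH)).items():
        print(f"{category}: {', '.join(paths) or 'none'}")
```

Feed it the real listings (with sensitive values removed, as the reply asks) by replacing SAMPLE_TMSH or reading the saved output from a file; a non-empty result for either category is the configuration the KB note is about.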