Cleo1
Feb 20, 2019

Configuring 2FA for BigIP management interface using Symantec VIP Enterprise Gateway

I have a requirement to support two-factor authentication on the BIG-IP MGMT interfaces using Symantec VIP Enterprise Gateway as the authentication source. The BigIP is hosted on a VM with version 13.0.0. To be clear: when a user tries to log in to its GUI with a username and password, the next step should be a prompt for 2FA. Does anyone have details on the setup process on both ends (F5 and Symantec VIP Enterprise Gateway)? Thanks in advance.

 

  • Did you find a solution for your case?

     

    I need something like this, and I didn't find anything native. The only alternative I found would be using APM.

    • Cleo1

      Hi Adriano,

       

      I did not find anything except using APM.

  • Hello Cleo1,

       I have been working on this matter as well. I am using 15.1.5 code for our lab boxes. I have the boxes pointed to Cisco ISE for authentication. We had to do the work on the ISE boxes to include the Symantec VIP as an external identity source under RADIUS Token. Once the Symantec VIP server is added to that, we then had to go under Administration > Identity Management > Identity Source Sequences. There we made a new sequence with the authentication source list having the Symantec RADIUS token first, followed by our domain(s). The biggest item is the Advanced search settings, selecting "Do not access other stores in the sequence and set the "AuthenticationStatus" attribute to "ProcessError"". If you select to continue, the 2FA can time out and let your user in. Once all this was completed, I added it to the authentication policy for the F5. The biggest thing to note is that there is no pop-up for a push, so if you do not enter the 6-digit PIN after the password (password123456), then you must look to your device for the push notification (if you have that enabled). This has seemed to work so far for us, and we are moving to get it into production. I hope this helps.
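Added example, not part of the posts above and not Cisco or F5 code: a simplified Python model of the identity source sequence described in the last reply, showing why the "continue" choice fails open when a push times out while the "ProcessError" choice fails closed. The store functions, the sample account and the mapping of a push timeout to a process error are assumptions made for illustration.

```python
from enum import Enum

class Status(Enum):
    PASS = "Pass"
    FAIL = "AuthenticationFailed"
    NOT_FOUND = "UserNotFound"
    ERROR = "ProcessError"

# Constructed sample account; not a real credential.
USERS = {"alice": {"password": "password", "otp": "123456"}}

def make_token_store(push_result):
    """Hypothetical stand-in for the RADIUS token source (first in the sequence).
    push_result: 'approved', 'denied' or 'timeout' for a password-only login."""
    def store(user, secret):
        acct = USERS.get(user)
        if acct is None:
            return Status.NOT_FOUND
        if secret == acct["password"] + acct["otp"]:
            return Status.PASS                      # password123456 style login
        if secret != acct["password"]:
            return Status.FAIL
        # Password only: the outcome depends on the push notification.
        return {"approved": Status.PASS, "denied": Status.FAIL,
                "timeout": Status.ERROR}[push_result]
    return store

def directory_store(user, secret):
    """Hypothetical stand-in for the domain store: checks the password only."""
    acct = USERS.get(user)
    if acct is None:
        return Status.NOT_FOUND
    return Status.PASS if secret == acct["password"] else Status.FAIL

def evaluate(sequence, user, secret, continue_on_error):
    """Walk the stores in order. NOT_FOUND always moves on; ERROR moves on
    only when continue_on_error is set, otherwise it ends the attempt."""
    result = Status.NOT_FOUND
    for store in sequence:
        result = store(user, secret)
        if result is Status.NOT_FOUND:
            continue
        if result is Status.ERROR and continue_on_error:
            continue
        return result
    return result

def push_timeout_outcome(continue_on_error):
    """Password-only login where the push is never answered."""
    seq = [make_token_store("timeout"), directory_store]
    return evaluate(seq, "alice", "password", continue_on_error)
```

With the continue setting, the unanswered push falls through to the domain store and the password alone is accepted; with the stop-on-error setting, the same attempt ends as ProcessError.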