Configuring 2FA for BigIP management interface using Symantec VIP Enterprise Gateway

Hello Cleo1 , 

   I have been working on this matter as well. I am using 15.1.5 code for our lab boxes. I have the boxes pointed to Cisco ISE for authentication. We had to do the work on the ISE boxes to include the Symantec VIP as a external Identity source under Radius token. Once the Symantec VIP server is added to that we then had to go under Administration > Identity Management > Identity Source Sequences. There we made a new sequence with Authentication source list to have the Symantec Radius token first followed by our domain(s). The biggest item is the Advance search settings in selecting "Do not access other stores in the sequence and set the "AuthenticationStatus" attribute to "ProcessError"" If you select to continue the 2FA can timeout and let your user in. Once all this was completed I added it to the authentication policy for the F5. The biggest thing to note is that there is no pop-up for a push so if you do not enter the 6 digit pin after the password (password123456) then you must look to your device for the push notification (if you have that enabled). This has seem to work so far for us and we are moving to get it into production. I hope this helps.