Forum Discussion
Configuring LTM access so it uses 2-factor Authn
Has anyone implemented this on their LTM? Currently, I think most are just using the username/pwd to log on.
7 Replies
- Amit_Karnik
Nimbostratus
Do you mean 2FA on the admin interface?
We have done APM+Duo 2FA and it works great.
cheers.
- Sonny
Cirrus
Yes, accessing the LTM on the management interface. How?
- Amit_Karnik
Nimbostratus
11.6.0 Release Note has some additional details:
Enhanced system authentication methods for LTM BIG-IP
Utilizing APM, this release provides enhanced LTM System Authentication for the different methods: LDAP, RADIUS, Local User, TACACS+ to deliver a richer set of options such as AAA, fail-back, and dual-authentication.
I have not tried it directly but it seems like you can select the option "Remote - APM based" in the User Directory option of the authentication tab and then point the authentication against an APM access policy end point. So the 2FA will require that your device is licensed for APM.
It also depends on what exactly you call 2 factor.
Depending on the vendor, you sometimes combine a password and token code into one field and use that.
Several options, something for you to choose :)
- Sonny
Cirrus
I upgraded to 11.6 HF5 and tried the "Remote - APM based" feature for authentication. It looks like you can't really apply your own access policy. It just gives the options of AD, http, LDAP, RADIUS and TACACS+.
- Sonny
Cirrus
I found this article while searching for alternatives. https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-6-0/56.html
So can or can't you combine things there like with a normal APM policy? There won't be any specific 2 factor item; you need something there like RADIUS for a token system or HTTP for SMS message.