Configuring VS to access LTM
I have 2 management interfaces, x.x.10.1 and x.x.20.1. I normally access the device through 20.1. So I created a VS to access 10.1. However, looking at the tcpdump, I don't see any response back from 10.1 when I access it through the VS. Thus, I get "page cannot be displayed". If I access 10.1 without going through the VS, it works fine. Just wondering if anyone knows, off the top of their heads, what the issue may be.
The reason I created a VS to access the device was so I can apply an access policy I created to use 2FA. The policy authenticates the user against LDAP and then, if successful, prompts for your CAC, checks its validity and, if successful, allows the user through to the pool member, in this case 10.1. From the tcpdump, I see this happening. Again, I just don't see any response from 10.1.
- SonnyCirrus
Kevin, this relates to the above. What is the best way to require 2FA when admins access the self-IP directly instead of using my VS?
- SonnyCirrus
I used the self-IP as the VS IP. When I started this 5 days ago, this option didn't work. I found a quirky fix. I created another self-IP on the same VLAN. I then tested the VS config using the original self-IP. It now works. I then deleted the new self-IP and tested. It still works. Yes, I cleared my cache and used a different browser, too. Kind of weird, BUT it works.
- Kevin_StewartEmployee
What is the best way to require 2FA when admins access the self-IP directly instead of using my VS?
In this case you have to rely on the management plane's authentication capabilities, which only support "ClientCert LDAP" for two-factor authentication. Another option might be to set the self-IP's Port Lockdown setting to "Allow None". This would restrict direct access but still allow the VIP/iRule access to work.
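The Port Lockdown option above, written out as tmsh commands. This is an added illustration, not configuration from the thread or from F5; the object names (mgmt_self, mgmt_2fa_pool, mgmt_2fa_vs, mgmt_2fa_ap) and the documentation-range addresses standing in for x.x.20.1 and x.x.10.1 are assumed, and the APM access profile is assumed to already exist.

```tmsh
# Added example; names and addresses are assumed placeholders.
# 192.0.2.20 stands in for the self-IP used as the VS address (x.x.20.1),
# 192.0.2.10 for the management address behind it (x.x.10.1).

# Weak setting: with Port Lockdown at its default the self-IP answers
# management services itself, so the VS (and its 2FA policy) can be skipped
# simply by browsing to the self-IP address.
modify net self mgmt_self allow-service default

# Corrected setting: Port Lockdown "Allow None". Direct access to the
# self-IP is refused, while the virtual server listening on that address
# still accepts connections and forwards them to the pool.
modify net self mgmt_self allow-service none

# Pool holding the management address that the access policy fronts.
create ltm pool mgmt_2fa_pool members add { 192.0.2.10:443 } monitor https

# Virtual server on the self-IP address. The APM access profile
# (assumed name mgmt_2fa_ap) enforces LDAP + CAC before any traffic
# reaches the pool member.
create ltm virtual mgmt_2fa_vs destination 192.0.2.20:443 ip-protocol tcp profiles add { tcp http clientssl mgmt_2fa_ap } pool mgmt_2fa_pool source-address-translation { type automap }

# Check the lockdown and the listener before testing from a browser,
# then persist the change.
list net self mgmt_self allow-service
list ltm virtual mgmt_2fa_vs destination pool profiles
save sys config
```

After this, a tcpdump on the self-IP should show the direct management request getting no reply while the VS connection on 192.0.2.20:443 completes and is proxied to the pool member.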
- SonnyCirrus
Thanks Kevin. Yeah, I'm looking into those options, too. I was also thinking about 2FA when someone logs on via SSH. I found the article below, but it doesn't provide 2FA, only single factor (public key only). I know management will ask about this as well, so I'm just doing the research work now. Do you have any suggestions?
https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13454.html
- Kevin_StewartEmployee
It's always been my understanding that OpenSSH doesn't natively support PKI x.509-style authentication without some modifications/patches. You could certainly get BIG-IP's SSH to do it, but it wouldn't be "supported" and would likely not survive an upgrade. Your best bet is to open a support case and request this functionality.
- SonnyCirrus
Thanks again Kevin. Management will have to live with the "not supported" answer.