Configuring VS to access LTM

Kevin, this relates to the above. What is is best way to require 2FA when admins access the self-IP directly instead using my VS?

I used the self-IP as the VS IP. When I started this 5 days ago, this option didn't work. I found a quirky fix. I created another self-IP on the same VLAN. I then tested the VS config using the original self-IP. It now works. I then deleted the new self-IP and tested. It still works. Yes, cleared my cache and used a different browser, too. Kind of weird, BUT it works.

What is is best way to require 2FA when admins access the self-IP directly instead using my VS?

In this case you have to rely on the management plane's authentication capabilities, which only supports "ClientCert LDAP" for two-factor authentication. Another option might be to set the self-IP's Port Lockdown setting to "Allow None". This would restrict direct access but still allow the VIP-iRule access to work.

Thanks Kevin. Yeah, I looking into those options, too. I was also thinking about 2FA when someone logs on via SSH. I found the below article but it doesn't provide 2FA only single factor (public key only). I know management will ask about this as well so just doing the research work now. Do you have any suggestions?

https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13454.html

It's always been my understanding that OpenSSH doesn't natively support PKI x.509-style authentication without some modifications/patches. You could certainly get BIG-IP's SSH to do it, but it wouldn't be "supported" and would likely not survive an upgrade. Your best bet is to open a support case and request this functionality.

Thanks again Kevin. Management will have to live with the "not supported" answer.