* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

* Podcasts
* Social Channels
* Video Streaming

 

 

 

 

 

ABOUT DEVCENTRAL

DevCentral News Technical Forum Technical Articles Technical CrowdSRC Community Guidelines DevCentral EULA Get a Developer Lab License Become a DevCentral MVP

RESOURCES

Product Documentation White Papers Glossary Customer Stories Webinars Free Online Courses F5 Certification LearnF5 Training

SUPPORT

Manage Subscriptions Professional Services Professional Services Create a Service Request Software Downloads Support Portal

PARTNERS

Find a Reseller Partner Technology Alliances Become an F5 Partner Login to Partner Central

---

©2024 F5, Inc. All rights reserved.

Greeting,

Need a little assistance.  Trying to integrate our F5 Access Policy using RADIUS Authentication in support of our PortalGuard 2FA solution.  PortalGurad uses LDAP Authentication on it's end and we have 3 Domains configured in support of 2FA.  PortalGuard is dependent on a prefixed domain\\username logon authentication.  Also configured in PortalGuard is a RADIUS server for the F5 to use for authentication and presents the OTP challenge.

The current Test F5 Access Policy I have has a Logon Page that has you pick the Domain you want to authenticate to and uses a Domain Selct Macro that also servers as the 1st Factor Authentication.  The Macro is configured to use AD Authentication using a configured AAA server using an AD Query search filter  sAMAccountName=%{session.logon.last.username}.  I have the PortalGuard RADIUS Authentication inserted between the Domain Select and SSO Credential Mapping using expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }. 

How do I configure the Access policy to use a prefixed logon scheme domain\\username rather than just a SAM account only?  I need to satisfy AD Auth as the 1st authentication and pass along the authentication format to PortalGuard as the 2nd factor.  Hope this makes sense.

Greeting,

Need a little assistance.  Trying to integrate our F5 Access Policy using RADIUS Authentication in support of our PortalGuard 2FA solution.  PortalGurad uses LDAP Authentication on it's end and we have 3 Domains configured in support of 2FA.  PortalGuard is dependent on a prefixed domain\\username logon authentication.  Also configured in PortalGuard is a RADIUS server for the F5 to use for authentication and presents the OTP challenge.

The current Test F5 Access Policy I have has a Logon Page that has you pick the Domain you want to authenticate to and uses a Domain Selct Macro that also servers as the 1st Factor Authentication.  The Macro is configured to use AD Authentication using a configured AAA server using an AD Query search filter  sAMAccountName=%{session.logon.last.username}.  I have the PortalGuard RADIUS Authentication inserted between the Domain Select and SSO Credential Mapping using expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }. 

How do I configure the Access policy to use a prefixed logon scheme domain\\username rather than just a SAM account only?  I need to satisfy AD Auth as the 1st authentication and pass along the authentication format to PortalGuard as the 2nd factor.  Hope this makes sense.

The F5 Certification is excited to announce that all five of the NEW F5 Certified BIG-IP Administrator Certification (F5 CAB) exams are now live and available to schedule via the new Education Services Portal.

The F5 Academy Roadshow is rolling into 19 cities (plus two virtual stops), and if you work with apps, APIs, or infrastructure, this event was built for you.

Hi

So if I'm reading this right, you want to rewrite the session.logon.last.username variable to include the DOMAIN/ in it prior to AD auth?

If so, then add in a new Variable Assign object into your policy and rewrite the username variable as you have done with your SSO object.  Stanislas wrote a great post regarding APM variables which includes such an example. https://community.f5.com/t5/codeshare/apm-variable-assign-examples/ta-p/287962

Yes your undestanding is correct.  Thanks for the reference and came across this article a while back and was trying out refrenced variable but I don't think I was using the correct one and\\or nor applying it correctly.  You have to excuse me, I'm still learning as to Access Policy matter of things.

So I see what looks like 2 possible variable options in the article that looks like applies to Domain and username below.   Which of the two is more fitting as to what I'm trying to achieve

expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" } 

if { [mcget {session.logon.last.username}] contains \"\\\\\" } { \n    set username [string tolower [mcget {session.logon.last.logonname}]];  \n    return [string range $username 0 [expr {[string first \"\\\\\" $username] -1}] ];  \n} else {  \n    return {}  \n}

So based on my Access Policy example I uploaded, where would I inject the appropriate variable to perform the rewrite? Before Domain select or after Domain Select prior to the RADIUS Server?

Thank you for your time and assitance and much appreciated.

Ok using your guidence with the article with some thought and trial I was able to insert the rewrite viarable and everything is working as it should.  Thank you again for your help.