Forum Discussion
F5 APM Multiple Authentication Method
We are going to migrate remote access from Firepass to F5 APM.
On Firepass, it is easy to set up authentication against AD and an RSA token: the user has to enter username, AD password, and token passcode to log on to the VPN session.
However, I am having difficulty configuring the same thing in APM.
The logon page in APM has the field "password". I tested AD alone and it works. However, if I add another field "passcode" which will be used for entering the token code,
I don't know how to pass the value to the RSA authentication. There is no way to pass the customized field to the AAA authentication process except for the default "password".
This is supposed to be a very common setting, requiring the user to enter both AD password and token code; not sure if I am missing anything as I am new to APM.
Any help is appreciated.
9 Replies
- nash_65851
Nimbostratus
Not sure if you figured this out yet or not, but the answer is yes, it is possible to do what you want. Below is the way I achieved it. It may well not be the best way, but it certainly works.
1.) Set up the AAA resources for AD and RSA (sounds like you have this bit done fine)
2.) Add the logon page to the APM Visual Policy
3.) Add a password field to line 3 of the available fields and give it a Post/Session Variable Name (for example "token")
4.) After the logon page entry in the Visual Policy editor, add an AD Auth component to check the domain credentials (sounds like you got this right too)
Now what happens is for the RSA auth to happen, it is going to want the token number that the user entered to be in the session.logon.last.password session variable (which is currently holding the domain password). So you are going to need to "juggle" the password with some variable swapping.
5.) On the "Successful" arm of the AD Auth component, add a Variable Assign component. And in this you want to store the domain password in a temporary password variable and then store the contents of the token session variable in the password session variable. Here is an example of the 2 entries you could use (this assumes that you used "token" as the session variable for the token field on the logon page):
session.custom.holder = expr { [mcget {session.logon.last.password}] }
session.logon.last.password = expr { [mcget {session.logon.last.token}] }
6.) After you have juggled the token field into the session.logon.last.password session variable, you add your component to do RSA Auth (which should now work as the password session variable is now holding the token code)
7.) On the successful arm of the RSA Auth component, you now need to swap the domain password back into the session.logon.last.password session variable in case you need it again. So add another Variable Assign component and use the following to do that swap (assuming that you used the code from step 5).
session.logon.last.password = expr { [mcget {session.custom.holder}] }
8.) Should be able to authenticate now.
- André_Vieira_21
Nimbostratus
You are the King! A simple and very easy-to-follow explanation of how to configure two-factor authentication with one Logon Page. I was searching for this for a long time and here is a perfect solution! It works perfectly. Thank you very much!
- winddlover_9858
Nimbostratus
It is exactly what I want to achieve.
I managed to get the token working by setting up variable swapping, but had an issue with SSO as session.logon.last.password became the token code.
I hadn't figured it out until I saw your reply about using a temp variable to restore the AD password. That's a pretty smart way.
That's great. Many thanks, Nash!
- nash_65851
Nimbostratus
Good show... Glad it has sorted the issue out for your SSO.
- winddlover_9858
Nimbostratus
Just got another issue with HTTP basic authentication. How can I combine the domain name with the username in the SSO configuration?
Currently APM sends the username and password combination to the back-end server, but it appears the back-end server only accepts the format domain\username.
Is there a way to add the domain in front of the username? In basic authentication, there is no place to set the domain.
Thanks in advance
- winddlover_9858
Nimbostratus
I managed to get this working by using the assignment below:
session.logon.last.username = [concat "domain\\[mcget {session.logon.last.username}]" ]
It will add a static domain entry as part of the username and pass it to the server.
- ehinkle_104407
Nimbostratus
What if I would like to swap domain names if my UPN is different? Say I log in with domain1\name and my UPN is domain1internal, so when I do an LDAP query it uses domain1internal. I tried the below in a variable assignment and it did not work.
if ( mcget {session.logon.last.domain} contains "domain1" ) { return "domain1internal"} else { return mcget {session.logon.last.domain};
- Kevin_Stewart
Employee
Try this:
if { [expr { [mcget {session.logon.last.domain}] contains "domain1"}] } { return "domain1internal" } else { return [mcget {session.logon.last.domain}] }
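The two domain questions above (prefixing a static domain for basic-auth SSO, and mapping the domain the user typed to the internal/UPN domain) can be handled by one Variable Assign custom expression. The script below is an added example, not code from the thread or from F5; it assumes the expression is assigned to session.logon.last.username, that multi-statement Tcl with `return` is accepted there (as in the reply above), and that the domain names in the lookup table are placeholders to be replaced with your own. It goes beyond the single-domain case by accepting either `domain\user` or a bare `user` and mapping any number of domains.

```tcl
# Added example (not from the thread): Variable Assign custom expression for
# session.logon.last.username. Placeholder domain names throughout.
set raw [mcget {session.logon.last.username}]

# Split on the first backslash; if there is none, the user typed a bare name.
set idx [string first "\\" $raw]
if { $idx >= 0 } {
    set dom  [string tolower [string range $raw 0 [expr { $idx - 1 }]]]
    set user [string range $raw [expr { $idx + 1 }] end]
} else {
    set dom  "domain1"   ;# placeholder default domain when none was typed
    set user $raw
}

# Placeholder table: NetBIOS domain as typed -> internal/UPN domain used by LDAP
array set map {
    domain1 domain1internal
    domain2 domain2internal
}

# Unknown domains are passed through unchanged rather than rewritten.
if { [info exists map($dom)] } {
    set dom $map($dom)
}

# Result written back as domain\user, the form the back-end server accepted.
return "${dom}\\${user}"
```

If the logon page populates session.logon.last.domain separately, read that variable instead of splitting the username.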