Forum Discussion
winddlover_9858
Nimbostratus
Dec 12, 2012
F5 APM Multiple Authentication Method
We are going to migrate remote access from Firepass to F5 APM.
On Firepass, it is easy to set up authentication against AD and RSA token. The user has to enter username, AD password, and token pass...
nash_65851
Nimbostratus
Jan 22, 2013
Not sure if you figured this out yet or not, but the answer is yes, it is possible to do what you want. Below is the way I achieved it. It may well not be the best way, but it certainly works.
1.) Set up the AAA resources for AD and RSA (sounds like you have this bit done fine)
2.) Add the logon page to the APM Visual Policy
3.) Add a password field to line 3 of the available fields and give it a Post/Session Variable Name (for example "token")
4.) After the logon page entry in the Visual Policy editor, add an AD Auth component to check the domain credentials (sounds like you got this right too)
Now what happens is for the RSA auth to happen, it is going to want the token number that the user entered to be in the session.logon.last.password session variable (which is currently holding the domain password). So you are going to need to "juggle" the password with some variable swapping.
5.) On the "Successful" arm of the AD Auth component, add a Variable Assign component. And in this you want to store the domain password in a temporary password variable and then store the contents of the token session variable in the password session variable. Here is an example of the 2 entries you could use (this assumes that you used "token" as the session variable for the token field on the logon page):
session.custom.holder = expr { [mcget {session.logon.last.password}] }
session.logon.last.password = expr { [mcget {session.logon.last.token}] }
6.) After you have juggled the token field into the session.logon.last.password session variable, you add your component to do RSA Auth (which should now work as the password session variable is now holding the tokencode)
7.) On the successful arm of the RSA Auth component, you now need to swap the domain password back into the session.logon.last.password session variable in case you need it again. So add another Variable Assign component and use the following to do that swap (assuming that you used the code from step 5).
session.logon.last.password = expr { [mcget {session.custom.holder}] }
8.) Should be able to authenticate now.
André_Vieira_21
Nov 15, 2016
Nimbostratus
You are the King! Simple and very easy to follow explanation how to configure the 2 Factor authentication with 1 Logon Page. I was searching for this a long time and here is a perfect solution for this! It works perfectly. Thank you very much!