Multiple Auth

I haven't tested this, but the profile_base.conf describes this:

 

 

 

When multiple auth http profiles (ldap, radius, tacacs) are simultaneously

 

configured on a single virtual server, AND-based logic is used by default,

 

i.e., all authentication methods must succeed for the request to be allowed.

 

It is also possible to configure OR-based logic, e.g., if either ldap or

 

radius are successful, allow the request. PAM service configurations could

 

be manually edited to accomplish this, but a simple iRule can also be used:

 

Add a custom CLIENT_ACCEPTED rule to the same virtual server and have the

 

rule set the variable tmm_auth_http_sufficient_successes to 1. Generically,

 

this variable may be set to the minimum number of successful auth results

 

that are necessary to permit the request. For example, setting the value

 

to 2 while ldap, radius, and tacacs profiles are each configured on a

 

virtual will cause requests to be permitted when at least 2 of these 3

 

auth methods are successful.

 

These auth profile default rules can be optionally configured to subscribe

 

to out-of-band auth response data (obtained via AUTH::response_data).

 

Subscriptions are enabled by setting the variable tmm_auth_subscription

 

prior to system auth rule invoking AUTH::start call, e.g.,

 

 

 

 

So I think you could add both auth profiles to the VIP and add an iRule which sets tmm_auth_http_sufficient_successes to 1 in CLIENT_ACCEPTED.

 

 

Aaron