Wyatt_Bennett_9
Nimbostratus
Dec 30, 2009
RADIUS Auth Profile: 2-Factor/401 Prompt Behavior
Hi all - I'm posting my specific situation to the i-Rule Forums in hope of potential solutions.
---
On our 9.4.x LTM, we have configured a RADIUS auth profile to protect a mission-critical VIP. The RADIUS profile corresponds to a 2-factor authentication method, where one factor (SSL token) changes every 60 seconds. The issue we're seeing is that the RADIUS auth profile sends authentication requests to our RADIUS server constantly while there is activity on the VIP. This would be fine with a static password, but because our password changes every 60 seconds, the RADIUS server rejects the request on the 61st second and the user must re-authenticate every 60 seconds, which is no good.
In a nutshell, the client successfully authenticates, the F5 caches the "good" passcode and re-transmits (re-authenticates) each time any browser activity occurs. After 60 seconds, the SSL token changes and the RADIUS server no longer honors the old/bad passcode, so the F5 asks the client/user for a new username/password. At this point, we can enter the new 2-factor password, and continue on for another 60 seconds.
What we need to determine is whether we can modify the F5 RADIUS authentication profile to honor the "good" authentication session longer than 60 seconds, irrespective of the client's token changing every 60 seconds?
We're also looking at options on our RADIUS servers.
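A minimal model of the behaviour described in the post, next to a verify-once session approach, as an added example that is not part of the original post and is not F5 configuration. The token generator, `RadiusServer`, `ReplayingProxy`, `SessionProxy`, the seed and the session TTL are all hypothetical, constructed stand-ins.

```python
import hashlib, hmac, secrets

STEP = 60                        # token lifetime from the post, in seconds
SEED = b"constructed-demo-seed"  # constructed sample value

def token_code(t):
    """Constructed stand-in for the rotating token: one code per 60 s window."""
    window = int(t // STEP).to_bytes(8, "big")
    return hmac.new(SEED, window, hashlib.sha256).hexdigest()[:6]

class RadiusServer:
    """Hypothetical model: accepts only the current window's code."""
    def __init__(self):
        self.requests = 0
    def check(self, passcode, now):
        self.requests += 1
        return hmac.compare_digest(passcode, token_code(now))

class ReplayingProxy:
    """Behaviour described in the post: cached passcode re-sent per request."""
    def __init__(self, radius):
        self.radius = radius
    def handle(self, cached_passcode, now):
        return 200 if self.radius.check(cached_passcode, now) else 401

class SessionProxy:
    """Verify the passcode once, then honour a session until it expires."""
    def __init__(self, radius, ttl=3600):    # ttl is an assumed value
        self.radius, self.ttl, self.sessions = radius, ttl, {}
    def login(self, passcode, now):
        if not self.radius.check(passcode, now):
            return None
        sid = secrets.token_urlsafe(32)       # unguessable session id
        self.sessions[sid] = now + self.ttl
        return sid
    def handle(self, sid, now):
        expiry = self.sessions.get(sid)
        return 200 if expiry is not None and now < expiry else 401

def simulate(times=(0, 20, 59, 61, 300)):
    code = token_code(0)                      # passcode typed at t=0
    replay = ReplayingProxy(RadiusServer())
    replayed = [replay.handle(code, t) for t in times]
    sess = SessionProxy(RadiusServer())
    sid = sess.login(code, 0)
    sessioned = [sess.handle(sid, t) for t in times]
    return replayed, replay.radius.requests, sessioned, sess.radius.requests
```

In the session model the RADIUS server sees one request per login, so the session lifetime and the protection of the session identifier become the controls that matter.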