SSO stopped working when Radius auth is added

Question

Hi,
we have deployed citrix VIPs using iApp template (f5.citrix_vdi.v2.3.0) using APM policy. &nbsp;
But,if I add radius authentication (sms auth provider) after AD authentication and before SSO credentials mapping, the SSO stops working. Can it be related to redirect to page waiting for token for radius authentication and then the POST with credentials sent to servers is not working correctly? 
When I remove radius box from virtual policy editor, SSO works fine again.&nbsp;
Thanks for any tip,
Zdenek&nbsp;

yann_desmarest_ · Answer

Hello,&nbsp;
If you are using Wyze terminals or receiver clients, I think that SMS authentication is not supported by the client side.&nbsp;
But when you access your citrix apps using the webtop, it should works. Pay attention that the session.logon.last.username variable will be used by the radius auth. So that you need to save the username in an extra variable before radius auth occurs (e.g. session.logon.last.username1) and change the SSO Credential mapping username to fit that change&nbsp;

yann_desmarest · Answer

Hello,&nbsp;
If you are using Wyze terminals or receiver clients, I think that SMS authentication is not supported by the client side.&nbsp;
But when you access your citrix apps using the webtop, it should works. Pay attention that the session.logon.last.username variable will be used by the radius auth. So that you need to save the username in an extra variable before radius auth occurs (e.g. session.logon.last.username1) and change the SSO Credential mapping username to fit that change&nbsp;

greg_crosby_319 · Answer

APM policy for SecurID and RADIUS look similar, you would have to change the logon pages and authentication objects to use RADIUS server AAA object rather then SecurID. The manual configuration section of the deployment guide deployment guide lists the various APM policy's created by the iApp (Beginning on page 62) if you would like to try the setup manually. I would suggest running the iApp using the SecurID two factor option and then modify the noted portions to use RADIUS AAA profile rather than SecurID.

zdenda · Answer

Hi, I've tested it and verified session.logon.last.username through message box and it stayed the same all the time. It means that it is not changed during Radius auth process.

zdenda · Answer

Hi, I've tested it and verified session.logon.last.username through message box and it stayed the same all the time. It means that it is not changed during Radius auth process.

Forum Discussion

SSO stopped working when Radius auth is added

7 Replies

Recent Discussions

(How) can I get two client certificates in one APM session?

Open Redirection Mitigation

Using okta as SSO to login F5 GUI

snmp automatic stop mail send

BIG-IP DNS iRule issue with static variable

Related Content

iRule based RADIUS Client Stack

iRule based RADIUS Health Monitor Builder

HTTP Request Smuggling, what it is, how to find it and how to stop it

Detect and stop exfiltration attempts with F5 Distributed Cloud App Infrastructure Protection

Is your WAF as good as Tubbs and Crockette as stopping Smugglers?