Forum Discussion

Tom_Schaefer's avatar
Jun 10, 2020

Supported way to use MFA to BIG-IP GUI and shell

I have read on DevCentral various mechanisms to implement 2FA (MFA) using APM and even some packages to change the PAM and implement this on the SSH shell.


Are there any supported mechanisms to protect the BIG-IP Web interface via multi-factor? Even if one had the APM, can it be turned around to control the BIG-IP GUI itself?


Also, what about SSH access?


I am curious if others have solved this issue. It is surprising to me that at least the GUI does not have a native MFA solution to basic administration.





5 Replies

  • Hi Tom,

    Curious to me, I pray for the security, but I never thought about MFA on GUI since BIG-IP is out-of-band traffic management and the access should be in a private and secure network.


    Kind regards

    • Tom_Schaefer's avatar
      Icon for Cirrus rankCirrus

      Our security requirements do not differentiate where the device resides in the network. If a sysadmin/netadmin accesses the system, it requires MFA to login.

      • liborj's avatar
        Icon for Nimbostratus rankNimbostratus

        we have the same requirements. Even though access to our BigIPs are on a protected and access restricted network we still need to implement MFA.

  • Hi,

    From BIG-IP 11.6.0 LTM and TMOS Release Notes:

    Enhanced system authentication methods for LTM BIG-IP

    Utilizing APM, this release provides enhanced LTM System Authentication for the different methods: LDAP, RADIUS, Local User, TACACS+ to deliver a richer set of options such as AAA, fail-back, and dual-authentication.

    System ›› Users : Authentication | User Directory | Remote - APM Based

    • liborj's avatar
      Icon for Nimbostratus rankNimbostratus

      This link does not actually address the complete solution for the MFA.

      I would like to see the complete guide and if someone actually completed the MFA successfully. It looks like there is lot of suggestions but no one really shared and definitely said what solution worked and how it needs to be configured.

      We would like to use our external SAML IdP but it seems that the policy in APM does not allow the SAML auth. In the Access Policy you have to set the Profile Type to system authentication, but when you do that it does not list the option to use SAML auth. You only see the options as are shown on the snapshot on the right. If you create a policy with the Profile Type - All then you see the option of the Saml Auth as you see it on the snapshot on the left.

      It would be good to hear if there is a POC with a complete solution.