Forum Discussion

Tom_Schaefer's avatar
Tom_Schaefer
Icon for Cirrus rankCirrus
Jun 10, 2020

Supported way to use MFA to BIG-IP GUI and shell

I have read on DevCentral various mechanisms to implement 2FA (MFA) using APM and even some packages to change the PAM and implement this on the SSH shell.   Are there any supported mechanisms t...
BIG-IP Access Policy Manager (APM)
security
TMSH
Pedro_Haoa's avatar
Pedro_Haoa
Ret. Employee

Hi,

From BIG-IP 11.6.0 LTM and TMOS Release Notes:

Enhanced system authentication methods for LTM BIG-IP

Utilizing APM, this release provides enhanced LTM System Authentication for the different methods: LDAP, RADIUS, Local User, TACACS+ to deliver a richer set of options such as AAA, fail-back, and dual-authentication.

System ›› Users : Authentication | User Directory | Remote - APM Based

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/implementing-apm-system-authentication.html

liborj's avatar
liborj
Icon for Nimbostratus rankNimbostratus
Nov 29, 2023

This link does not actually address the complete solution for the MFA.

I would like to see the complete guide and if someone actually completed the MFA successfully. It looks like there is lot of suggestions but no one really shared and definitely said what solution worked and how it needs to be configured.

We would like to use our external SAML IdP but it seems that the policy in APM does not allow the SAML auth. In the Access Policy you have to set the Profile Type to system authentication, but when you do that it does not list the option to use SAML auth. You only see the options as are shown on the snapshot on the right. If you create a policy with the Profile Type - All then you see the option of the Saml Auth as you see it on the snapshot on the left.

It would be good to hear if there is a POC with a complete solution.