Forum Discussion

Tom_Schaefer
Jun 10, 2020

Supported way to use MFA to BIG-IP GUI and shell

I have read on DevCentral various mechanisms to implement 2FA (MFA) using APM and even some packages to change the PAM and implement this on the SSH shell.

Are there any supported mechanisms to protect the BIG-IP Web interface via multi-factor? Even if one had the APM, can it be turned around to control the BIG-IP GUI itself?

Also, what about SSH access?

I am curious if others have solved this issue. It is surprising to me that at least the GUI does not have a native MFA solution to basic administration.

Thanks,

Tom

  • Hi,

    From BIG-IP 11.6.0 LTM and TMOS Release Notes:

    Enhanced system authentication methods for LTM BIG-IP

    Utilizing APM, this release provides enhanced LTM System Authentication for the different methods: LDAP, RADIUS, Local User, TACACS+ to deliver a richer set of options such as AAA, fail-back, and dual-authentication.

    System ›› Users : Authentication | User Directory | Remote - APM Based

    https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/implementing-apm-system-authentication.html

    • liborj

      This link does not actually address the complete solution for the MFA.

      I would like to see the complete guide and whether someone actually completed the MFA successfully. It looks like there are a lot of suggestions, but no one has really shared and definitely said what solution worked and how it needs to be configured.

      We would like to use our external SAML IdP, but it seems that the policy in APM does not allow SAML auth. In the Access Policy you have to set the Profile Type to system authentication, but when you do that it does not list the option to use SAML auth. You only see the options as shown on the snapshot on the right. If you create a policy with the Profile Type "All", then you see the option for SAML Auth as you see it on the snapshot on the left.

      It would be good to hear if there is a POC with a complete solution.

  • Hi Tom,

    Curious to me, I pray for the security, but I never thought about MFA on GUI since BIG-IP is out-of-band traffic management and the access should be in a private and secure network.

    Kind regards

    • Tom_Schaefer

      Our security requirements do not differentiate where the device resides in the network. If a sysadmin/netadmin accesses the system, it requires MFA to login.

      • liborj

        We have the same requirements. Even though access to our BIG-IPs is on a protected and access-restricted network, we still need to implement MFA.