Forum Discussion

Nimbostratus

Jan 10, 2017

Trouble implementing multi-stage authentication (AD + Duo)

I'm trying to implement an unusual multi-stage, multi-factor authentication process, and I'm getting hung up for reasons that aren't clear to me. Here's the existing, and working, system: The us...

application delivery

BIG-IP Access Policy Manager (APM)

Stanislas_Piro2

Cumulonimbus

Jan 11, 2017

Hi,

In your VPE, the AD Auth does not have any logon page before to get username and password.

Another point, why are you using irule events in VPE? it is better to use ACCESS_SESSION_STARTED event and write a session variable, then evaluate this variable in VPE.

when ACCESS_SESSION_STARTED {
    if { [class match [IP::client_addr] equals SINGLE_AUTH_DG] } {
        ACCESS::session data set session.custom.single_auth_allowed_ip 1 
    } else {
        ACCESS::session data set session.custom.single_auth_allowed_ip 0
    }
    if { [class match [IP::client_addr] equals DUO_AUTH_DG] } {
        ACCESS::session data set session.custom.duo_auth_allowed_ip 1 
    } else {
        ACCESS::session data set session.custom.duo_auth_allowed_ip 0
    }
}

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)