Two Factor Authentication

Question

Hi Guys,&nbsp;I'm trying to setup a logon page with 2 Factor Authentication where, the F5 Load Balancer will validate the Login / OTP Code against Radius and then forward an HTTP Basic Authentication with Username / Password to the Web Server.The First part (Radius Authentication) is working using an access policy. I'm stuck with the second as I don't know how to send the HTTP Basic Authentication request to the server. I was thinking to write an iRule that will be executed after the access policy is successfull (with HTTP_REQUEST &amp; HTTP_REQUEST_DATA) but it looks like it's not going throuhg the iRule.&nbsp;Can someone tell me how I can handle this 2FA ?&nbsp;Thanks &amp; Best Regards,Jean-Christophe

niels_van_sluis · Answer

You could try to build the Access Policy like you would with 2FA with RSA and AD Auth. Instead you will use Radius Auth and HTTP Basic Auth. But the flow would be more or less the same.

See: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/6.html

jean-christoph4 · Answer

Hi Niels,&nbsp;Thanks for your answer. The thing is that, once the Radius has authenticated the OTP, the F5 has to send a GET Request to the Web Server with an "Authorization" Header. I'm not sure if I should use the HTTP Authentication (ie: Access =&gt; Authentication =&gt; HTTP) or the SSO HTTP (ie: Access =&gt; Single-Sign-On =&gt; HTTP Basic). I guess that the second one is the correct one.Right now I'm looking to add some debugging information into the Access Profile to understand where the process fails.&nbsp;Best Regards,Jean-Christophe Valiere

niels_van_sluis · Answer

Hi Jean-Christophe,&nbsp;HTTP Authentication will only validate credentials to an external web-based server. You can use this external web-based server to authenticate an user, but it will not necessarily be the service or application the user will be granted access to. With SSO HTTP, the authenticated credentials will be reused to login to the service or application.&nbsp;So you can have two (or maybe more) scenarios:&nbsp;1) Radius Auth performing 2FA (Username/Password auth and Token challenge) + HTTP SSO2) Radius Auth performing 1FA (token auth) + HTTP Auth 1FA (username/password auth) + HTTP SSO&nbsp;Kind regards,&nbsp;     --Niels

jean-christoph4 · Answer

Hi Niels,&nbsp;Thanks a lot for your support. I went throuhg option 2) and it's working fine.&nbsp;Best Regards,Jean-Christophe

Forum Discussion

Two Factor Authentication

4 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

procedure power off viprion os 17.1.x

F5 Distributed Cloud Services Simulator Connect

Multiple Default Gateways

F5OS (r4800) web interface access issue

Delayed connection when traffic crosses router domains in F5 BIG-IP

Related Content

Two-Factor Authentication With Google Authenticator And APM

Two-Factor Authentication – Captive Portal

Two-Factor Authentication With Google Authenticator And LDAP

DevCentral to Require Multi-Factor Authentication for Account Login from September 26

Two-Factor Authentication – Remote Desktop Gateway

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS