Cirrus
NimbostratusHello, your request is old but I can answer you : yes you can use DUO to add an MFA layer to authenticate to bigip LTM management console, without the need to purchase the APM module.
The easiest way is to configure a DUO authentication proxy gateway within your network. The DUO gateway will be a proxy between the client (the bigip LTM) and the authentication provider (Active Directory / Radius server / openLDAP / whatever). The DUO gateway will simultaneously challenge your user+password toward the identity provider, and in parallel challenge your MFA through the DUO SaaS platform.
It means that the MFA challenge must succeed during the short timeframe of the LDAP/radius query => you'd better increase the LDAP timeout if you can, otherwise you have to be swift to manipulate your phone.
The question here is WHY F5 DON'T OFFER AN OUT OF THE BOX OTP (google auth) to secure access to bigip mgmt console ? It's not that complicated to implement, they even put it on myF5, but bigip console is still unsecured 20 years later. Is it a strategy to sell more APM modules ?