APM Configuration to Support Duo MFA using iRule
Overview
BIG-IP APM has supported Duo as an MFA provider for a long time with RADIUS-based integration. Recently, Duo has added support for Universal Prompt that uses OpenID Connect (OIDC) protoco...
Updated Sep 19, 2024
Version 6.0
Hardeep_Kaur
Ret. Employee
Joined May 16, 2019
delv3chio
Employee
Joined May 20, 2019
Jerrod_Kimbler
Employee
Joined May 16, 2019
Dec 17, 2021
Several tools that I found helpful were browser developer tools as well as https://jwt.io/ for decoding the JWT tokens to ensure their data was correct. Other tools include dig (to verify good DNS lookups to get the Duo address), curl (to verify connectivity), and tcpdump (to verify connectivity). One way to validate the connection would be to build a simple VIP and pool with the Duo server in the pool, then see if you can make connections to that VIP. I would probably keep a basic pool with a health check handy to be able to log if there is a connection issue to the Duo cloud.
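Added example, not part of the original article or the comment above: a local decoder for the JWT inspection step, so tokens captured while troubleshooting can be checked without leaving the workstation. The issuer, audience, timestamps and signature in the sample token are constructed placeholders, and the signature is not verified, so this is a debugging aid only.

```python
import base64, json, time

def b64url_decode(seg):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def decode_jwt(token):
    """Return (header, claims). The signature is NOT verified: debugging aid only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def check_claims(claims, expected_iss, expected_aud, now=None, skew=60):
    """List claim problems that commonly break an OIDC exchange."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch: %r" % aud)
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)):
        problems.append("exp missing or not numeric")
    elif exp < now - skew:
        problems.append("exp is in the past (token expired or clock skew)")
    if isinstance(iat, (int, float)) and iat > now + skew:
        problems.append("iat is in the future (check NTP on both ends)")
    return problems

# Constructed sample token; issuer, audience and signature are placeholders.
EXPECTED_ISS = "https://idp.example/oauth"
EXPECTED_AUD = "CLIENT_ID_PLACEHOLDER"

def seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([
    seg({"alg": "HS512", "typ": "JWT"}),
    seg({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "iat": 1700000000, "exp": 1700000300}),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
])

if __name__ == "__main__":
    header, claims = decode_jwt(SAMPLE_TOKEN)
    print(json.dumps(header), json.dumps(claims, indent=2))
    print(check_claims(claims, EXPECTED_ISS, EXPECTED_AUD, now=1700000100) or "claims look sane")
```

An expired or not-yet-valid result usually points at clock drift between the systems involved rather than at the token contents.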