APM Configuration to Support Duo MFA using iRule
Overview
BIG-IP APM has supported Duo as an MFA provider for a long time with RADIUS-based integration. Recently, Duo has added support for Universal Prompt that uses Open ID Connect (OIDC) protoco...
Updated Mar 01, 2025
Version 8.0
Hardeep_Kaur
ScottE, MVP, Jul 28, 2022
I was with JoshBecigneul in wondering if we could change the iRule so that it didn't demote the VS from CMP.
I came up with the following change to the last two sections:
# Access-policy event: fires when the "JWT_CREATE" iRule Event agent runs in the access policy
when ACCESS_POLICY_AGENT_EVENT {
    set irname [ACCESS::policy agent_id]
    if { $irname eq "JWT_CREATE" } {
        # Keep the logged-on username in the session table instead of a ::global
        # variable (global variables are what demote the VS from CMP).
        # Note the key "duo_uname" is a single shared key, not per-session;
        # the record expires after 604800 seconds (7 days).
        table set duo_uname [ACCESS::session data get "session.logon.last.username"] 604800
        # createJwt and createJwtToken are the procs defined earlier in the article's iRule (not shown here)
        ACCESS::session data set session.custom.jwt_duo [call createJwt [table lookup duo_uname]]
        ACCESS::session data set session.custom.jwt_duo_token [call createJwtToken]
    }
}

# Per-request-policy event: same agent, run from a per-request policy
when ACCESS_PER_REQUEST_AGENT_EVENT {
    set irname [ACCESS::perflow get perflow.irule_agent_id]
    if { $irname eq "JWT_CREATE" } {
        table set duo_uname [ACCESS::session data get "session.logon.last.username"] 604800
        # Per-request results go into perflow variables rather than session variables
        ACCESS::perflow set perflow.custom [call createJwt [table lookup duo_uname]]
        ACCESS::perflow set perflow.scratchpad [call createJwtToken]
    }
}
It seems to be working as expected for me and I no longer receive the CMP warnings. I have not done a lot of work with the table command or global tables in iRules so if someone with more knowledge sees a flaw in this code please let me know.
I did not want the records left in the table forever so I chose a timeout (604800) that works for me and my usual session lengths.
Thanks
Scott