APM Configuration to Support Duo MFA using iRule
Overview
BIG-IP APM has supported Duo as an MFA provider for a long time with RADIUS-based integration. Recently, Duo has added support for Universal Prompt that uses OpenID Connect (OIDC) protoco...
Updated Sep 19, 2024
Version 6.0
Hardeep_Kaur
delv3chio
Jerrod_Kimbler
JacobV
Feb 07, 2023
Nimbostratus
Perhaps someone can figure out where this is failing.
I've gone through this setup on several of our F5s and even have automation developed to do most of it.
Despite this, one of the F5s seems to be failing to resolve its own URL:
https://{ VIP URL }/oauth/client/redirect
I'm getting this error message in the Access log:
Agent_Type=Client;
OAuth_Config_Type=server;
OAuth_Config_Object=/{ partition }/duo_server;
Grant_Type_Msg= using 'authorization_code' grant type;
Credential_Type=(client_id=;Credential_ID={ Duo application ID });
Error_Message=HTTP error 503, DNS lookup failed;"
This is occurring when the Duo site is attempting to redirect a user back to the F5 device after 2FA succeeds.
The policy fails out after a few seconds since the page could not be loaded.
The DNS resolver setting is identical across all our F5s.
All of the configurations look identical.
Thanks in advance.