APM using Radius authentication with MFA breaks RDP/Citrix Single Sign-On

Question

Interesting issue discovered (v14).  We use Okta for MFA login on an APM policy.  Our Okta allows for answering a security question (yes, not TRUE MFA, working to fix that policy), but this also applies if you use a 6 digit code.  F5 is overwriting the session.logon.last.password variable with the last input on the Radius step, thus breaking the single-signon to RDP and Citrix.

jjarboe01 · Answer

So, the answer here is actually simple.  Right before the Radius authentication step, create a variable assign step, and set a variable called "session.original.last.password" to the value of the Session Variable "session.logon.last.password".  Then, after the Radius step in the policy, do the reverse of this to reset the session.logon.last.password value from session.original.last.password.  This way, you don't have to change every Citrix and RDP object in the policy to use another variable.

Forum Discussion

APM using Radius authentication with MFA breaks RDP/Citrix Single Sign-On

1 Reply

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Zero Trust building blocks - Leverage F5 NGINX Plus Single Sign-On (SSO) and F5 XC

APM Cookbook: Single Sign On (SSO) using Kerberos

Doing mTLS Authentication per URL

Distributed caching of authentication requests with NGINX Ingress Controller