We use the Big-IP Edge VPN Client and during authentication, we have the Duo MFA inline splash page come up but when selecting Yubikey devices, the message comes up "Requires Chrome, Firefox, Safari, or Edge to use Security Keys". I see that this is part of a rundll process and looks like it is using Internet Explorer. I am curious if there is a way to configure the Big-IP client to use Chrome or Edge instead so that I can use the Yubikey. Weirdly enough I have seen it work in an older or newer version of the Big-IP client but I cant remember how I made it work. Any help would be appreciated!
30-Dec-2022 22:47 - edited 31-Dec-2022 00:13
A little research suggests that there may be a version of the F5 Big-IP Edge Client that supports Chrome or Edge via Duo's Universal vs. Traditional prompt. See url below. Can anyone verify this? Or do we need to modify the policy somehow to use Universal vs Traditional? As it is, our only choice for getting connected to VPN securely is via the Duo app because we don't allow phone call or sms. @Chris_Zhang ?
The release notes from 7.2.1 suggest that it shold work?
Looks like I am using 7.2.2 yet it doesnt work...
I also tried modifying the IE compatibility keys for rundll32.exe and f5fpclientW.exe using 2af8 and 2af9 without any luck as referenced here and here:
Hi @nicholse - I think your post got caught in the holiday traffic slump... I've asked one of my teammates to come take a look.
I got this reply from Duo today. Can anyone coroborate? Is this the only way for us to get the Yubikeys working with F5 Edge Client?
From Duo Support:
"In terms of what F5 Edge Client versions support using those browsers, I am not sure. I will say, if you want to utilize this Universal Prompt with F5 as you mentioned, the best way to do this is F5 BIG-IP APM with OIDC Web Duo Prompt. Note: this does require Big-IP firmware version 13.1 or later."
Hi @nicholse , from what I'm reading, Duo Support is correct and you'll want to follow that link to get instructions on the configuration.