I have read on DevCentral various mechanisms to implement 2FA (MFA) using APM and even some packages to change the PAM and implement this on the SSH shell.
Are there any supported mechanisms to protect the BIG-IP Web interface via multi-factor? Even if one had the APM, can it be turned around to control the BIG-IP GUI itself?
Also, what about SSH access?
I am curious if others have solved this issue. It is surprising to me that at least the GUI does not have a native MFA solution to basic administration.
This is curious to me. I care about security, but I never thought about MFA on the GUI, since BIG-IP is out-of-band traffic management and access should be from a private and secure network.
Our security requirements do not differentiate where the device resides in the network. If a sysadmin/netadmin accesses the system, it requires MFA to login.
From BIG-IP 11.6.0 LTM and TMOS Release Notes:
Enhanced system authentication methods for LTM BIG-IP
Utilizing APM, this release provides enhanced LTM System Authentication for the different methods (LDAP, RADIUS, Local User, TACACS+) to deliver a richer set of options such as AAA, fail-back, and dual-authentication.
System ›› Users : Authentication | User Directory | Remote - APM Based