We currently have LTMs and GTMs which are authenticating via Cisco ISE. We wanted to use Cisco DUO to enable Multi-factor Authentication.
Do we have a way to do this without APM?
We specifically wanted to set a separate timeout for logins. (for example, I logged in and was not able to press accept on my DUO mobile, the cli/gui should close/disconnect automatically.) Do F5 BIG-IP have a separate timeout config aside from global-settings idle-timeout and sshd inactivity-timeout?
See diagram below
Hello, your request is old but I can answer you : yes you can use DUO to add an MFA layer to authenticate to bigip LTM management console, without the need to purchase the APM module.
The easiest way is to configure a DUO authentication proxy gateway within your network. The DUO gateway will be a proxy between the client (the bigip LTM) and the authentication provider (Active Directory / Radius server / openLDAP / whatever). The DUO gateway will simultaneously challenge your user+password toward the identity provider, and in parallel challenge your MFA through the DUO SaaS platform.
It means that the MFA challenge must succeed during the short timeframe of the LDAP/radius query => you'd better increase the LDAP timeout if you can, otherwise you have to be swift to manipulate your phone.
The question here is WHY F5 DON'T OFFER AN OUT OF THE BOX OTP (google auth) to secure access to bigip mgmt console ? It's not that complicated to implement, they even put it on myF5, but bigip console is still unsecured 20 years later. Is it a strategy to sell more APM modules ?