Technical Forum
Using Cisco DUO as the MFA for LTM Logins

teemo_13 (Cirrus)

Hi DevC,

We currently have LTMs and GTMs which are authenticating via Cisco ISE. We wanted to use Cisco DUO to enable Multi-factor Authentication.

Do we have a way to do this without APM?

We specifically wanted to set a separate timeout for logins (for example, if I logged in and was not able to press Accept on my DUO Mobile, the CLI/GUI should close/disconnect automatically). Does F5 BIG-IP have a separate timeout config aside from global-settings idle-timeout and sshd inactivity-timeout?


See diagram below

(diagram attached to the original post: Joven_0-1675155547739.png)

3 REPLIES

Leslie_Hubertus (Community Manager)

Hi @teemo_13, I see nobody has replied yet, so I'm going to see if I can find a colleague who can answer this for you. 

AubreyKingF5 (Community Manager)

Here is a sample video on youtube:
https://www.youtube.com/watch?v=0IMcX58XHQ8

CyrilMjt (Nimbostratus)

Hello, your request is old but I can answer you: yes, you can use DUO to add an MFA layer for authenticating to the BIG-IP LTM management console, without needing to purchase the APM module.

The easiest way is to configure a DUO Authentication Proxy gateway within your network. The DUO gateway will be a proxy between the client (the BIG-IP LTM) and the authentication provider (Active Directory / RADIUS server / OpenLDAP / whatever). The DUO gateway will simultaneously challenge your user+password toward the identity provider and, in parallel, challenge your MFA through the DUO SaaS platform.

It means that the MFA challenge must succeed within the short timeframe of the LDAP/RADIUS query => you'd better increase the LDAP timeout if you can; otherwise you have to be swift in handling your phone.


The question here is WHY F5 DOESN'T OFFER AN OUT-OF-THE-BOX OTP (Google Authenticator) to secure access to the BIG-IP management console. It's not that complicated to implement; they even put it on myF5, but the BIG-IP console is still unsecured 20 years later. Is it a strategy to sell more APM modules?
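The setup CyrilMjt describes (BIG-IP sends the login as a RADIUS request to a Duo Authentication Proxy, which checks the password against AD and in parallel sends the Duo push) can be written down as two artifacts: the proxy's authproxy.cfg and the tmsh commands that point the BIG-IP at the proxy. The script below is an added example, not code from the thread, from Duo or from F5; it renders both from one set of placeholder values. The hostnames, IPs, ikey/skey/api_host and secrets are placeholders, and the tmsh property names (in particular the per-server `timeout` and the `retries` on the RADIUS object) should be confirmed against the tmsh reference for your TMOS version. The point of the BIG-IP side is the timeout the original poster asked about: the RADIUS server object gets its own timeout, independent of the GUI idle-timeout and sshd inactivity-timeout, and it is raised to 60 seconds so the Duo push can be approved before the BIG-IP gives up on the login.

```shell
#!/bin/sh
# Added example (not from the thread): render the Duo Authentication Proxy
# configuration and the matching BIG-IP tmsh commands for
#   BIG-IP  --RADIUS-->  Duo Authentication Proxy  --LDAP-->  AD
#                                  |--HTTPS--> Duo cloud (push)
# Every value below is a placeholder; replace before use.

PROXY_IP="10.0.0.10"            # Duo Authentication Proxy address
BIGIP_MGMT_IP="10.0.0.5"        # BIG-IP management address as seen by the proxy
DC_HOST="dc1.example.com"       # Active Directory domain controller
RADIUS_SECRET="change-me-radius-secret"
DUO_IKEY="DIXXXXXXXXXXXXXXXXXX"
DUO_SKEY="change-me-duo-secret-key"
DUO_API_HOST="api-xxxxxxxx.duosecurity.com"
LOGIN_TIMEOUT=60                # seconds BIG-IP waits for the RADIUS reply

# authproxy.cfg: [ad_client] is the primary-auth backend (password check
# against AD); [radius_server_auto] accepts RADIUS from the BIG-IP, uses that
# client for the password, then runs the second factor via the Duo cloud.
render_authproxy_cfg() {
  cat <<EOF
[ad_client]
host=${DC_HOST}
service_account_username=duo_svc
service_account_password=change-me-ad-password
search_dn=DC=example,DC=com

[radius_server_auto]
ikey=${DUO_IKEY}
skey=${DUO_SKEY}
api_host=${DUO_API_HOST}
client=ad_client
radius_ip_1=${BIGIP_MGMT_IP}
radius_secret_1=${RADIUS_SECRET}
port=1812
failmode=secure
EOF
}
# failmode=secure rejects logins if the Duo cloud is unreachable; the Duo
# default (safe) would let a password-only login through, which defeats the
# purpose on a management console.

# tmsh for the BIG-IP: one RADIUS server object with a login timeout long
# enough to approve the push, a single try so that a retransmit does not
# trigger a second push, then switch system authentication to RADIUS.
render_tmsh_commands() {
  cat <<EOF
create auth radius-server duo_proxy server ${PROXY_IP} port 1812 secret ${RADIUS_SECRET} timeout ${LOGIN_TIMEOUT}
create auth radius system-auth servers add { duo_proxy } retries 1
modify auth remote-user default-role guest
modify auth source type radius
save sys config
EOF
}

# Usage:
#   sh duo-bigip.sh proxy-config > authproxy.cfg   (install on the Duo proxy host)
#   sh duo-bigip.sh tmsh         > bigip-duo.tmsh  (run line by line in tmsh on the BIG-IP)
# With no argument the script only defines the two functions.
case "${1:-}" in
  proxy-config) render_authproxy_cfg ;;
  tmsh)         render_tmsh_commands ;;
esac
```

Keep a local fallback admin account (or console access) working until the RADIUS path has been tested from a second session: with `auth source type radius` and `failmode=secure`, a misconfigured proxy locks every remote login out.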