mfa
7 Topics

F5 Adaptive Authentication (MFA) option
Hi, does anybody have some information about the new MFA options with the APM module? I can't find anything about this in the left pane menu:
Access ›› Authentication : F5 Adaptive Authentication (MFA) : Connectors
and
Access ›› Authentication : F5 Adaptive Authentication (MFA) : Configurations
Thanks, Yves
Solved | 913 Views | 0 likes | 2 Comments

Google Authenticator implementation
Hello, we want to configure MFA/2FA using Google Authenticator (or at least the underlying time-based one-time password (TOTP) solution). We found several articles and guides here on DevCentral, but as some of them are quite some years old and the referenced links also seem to not be working anymore, I have some questions:
Is it really necessary to have the APM module activated for this? Because based on one of the initial articles, it seems to be possible just with the LTM authentication profile? But when checking the options, I don't have the mentioned "LDAP" type available. I see only "SSL client certificate LDAP" (and two others).
What are the pros and cons of an implementation with/without the APM module?
Based on the preferred solution, is there any current/up-to-date configuration guide available on how to configure this?
Thank you! Ciao Stefan :)
727 Views | 1 like | 6 Comments

Calling SAML Auth Macro for Portal Access Resource
Hello all. I would like to see if there is a way for us to call a "BIG-IP as SAML Service Provider" macro when a user attempts to access a Portal Access Resource assigned to their webtop. We would like to MFA this particular resource using OneLogin (IdP). I will try to provide an example as specific as I can below and hope it makes sense.
Users currently log into APM (remoteurl.domain.com) and are redirected to a OneLogin page. After successful SAML auth, OneLogin redirects them to their F5 webtop. This webtop contains various Portal Access and RDP resources. Most of these resources do not contain sensitive data and do not require MFA. We would like the 1-2 "sensitive data" resources to require MFA, using OneLogin and physical YubiKeys.
The only solution I've cobbled together so far is to create an entirely new APM profile (this would include OneLogin SSO with the required MFA), have a Portal Access resource point to said profile, and add the ACTUAL resource to the webtop there. I feel like there is probably an easier way to do this, but I've yet to find one.
Why do it that way? I would love to just MFA them from the start, but I've been told I cannot MFA everyone from the get-go... only certain people and at the time of access.
I hope this makes some semblance of sense. Thank you all in advance for any insight you can provide.
635 Views | 0 likes | 3 Comments

Implementing Azure MFA options into APM
We're testing out Azure MFA in our environment and would like to implement it into our F5 APM. After following the excellent documentation provided by Greg Coward here, I have it up and running. The problem is that it will only use the default MFA method and we would like to have the ability to select which MFA type to use (call, text, app, OAuth). When we tested with DUO, they were able to accomplish this with a JavaScript call at the bottom of the header.inc page. Has anyone been able to successfully add this ability with Azure?
351 Views | 0 likes | 2 Comments

Imprivata Radius for MFA, enrollment issue
We are implementing an Imprivata-based MFA solution that uses RADIUS. All works well until I add more than one server to the AAA pool for APM; after that I have issues with users who are trying to go through the enrollment process. The enrollment process works by using Radius-Challenge messages and appears to break if APM spans the process across multiple servers. Is there any kind of persistence I can set up so that a session for a user is restricted to a single RADIUS server?
299 Views | 0 likes | 0 Comments

Okta MFA response page (applies to Azure also)
How could I customize the MFA response page for Okta or set the response to always be 2, for Push Verify? The page that users see when responding to Okta or Azure MFA is pretty, well, not a nice-looking page. Users complain loudly about this. I would like to either make it much better looking and clear about what a user needs to do, or simply do away with the page and always send a "2" response.
154 Views | 0 likes | 0 Comments