F5 APM logon page redirecting to a second F5 APM

Hello all,

I am trying to achieve the following flow:

  • A first F5 (external) showing a logon page with RADIUS authentication (OTP behind), which redirects to the second F5
  • A second F5 (internal) showing a logon page with RADIUS authentication (internal logon and password) to access resources

On the first F5 I just put in the VPE a single "Logon Page" and "Radius Auth"

My issue is when I authenticate on the first F5, the second F5 doesn't display the logon form. It says "invalid session ID" (redirect "my.logout.php3?errorcode20").

I guess somewhere the second F5 detects the session from the first F5 and doesn't find any reference to it on itself.

Note: I use the same cookie domain on both F5s. I also tried a blank one, but with no luck.

Any idea how to fix it?

Thanks

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Check out this post:

https://devcentral.f5.com/questions/rename-default-mrhsession-cookie

Seems to be a similar issue. Turned out at some point you'll need to rename the MRHSession cookie, so the sessions from both the external and internal APM will not interfere with each other. This needs to be done with the use of custom iRules.

0
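The collision this answer describes, as an added Python model that is not part of the original answer and is not an iRule: both tiers key their session on a cookie named MRHSession, so the inner tier rejects the ID the outer tier issued until the cookie is renamed at the boundary between them. The alias `MRHSession_INT`, the session IDs, and the assumption that the browser presents one cookie to both tiers are constructed for illustration.

```python
from http.cookies import SimpleCookie

APM_COOKIE = "MRHSession"        # session cookie name from the thread
INNER_ALIAS = "MRHSession_INT"   # hypothetical browser-side name for the inner tier

class Apm:
    """Toy access tier: it only recognises session IDs it issued itself."""
    def __init__(self, sid):
        self.sid, self.sessions = sid, set()

    def handle(self, cookie_header):
        jar = SimpleCookie(cookie_header)
        if APM_COOKIE not in jar:                 # no session yet: start one
            self.sessions.add(self.sid)
            return "logon page", f"{APM_COOKIE}={self.sid}"
        if jar[APM_COOKIE].value in self.sessions:
            return "ok", None
        return "invalid session ID", None         # cookie issued by the other tier

def rename_request(cookie_header):
    """Toward the inner tier: drop the outer cookie, present the alias as MRHSession."""
    jar = SimpleCookie(cookie_header)
    pairs = [f"{k}={m.value}" for k, m in jar.items()
             if k not in (APM_COOKIE, INNER_ALIAS)]
    if INNER_ALIAS in jar:
        pairs.append(f"{APM_COOKIE}={jar[INNER_ALIAS].value}")
    return "; ".join(pairs)

def rename_response(set_cookie):
    """Toward the browser: expose the inner tier's cookie under the alias."""
    if set_cookie and set_cookie.startswith(APM_COOKIE + "="):
        return INNER_ALIAS + set_cookie[len(APM_COOKIE):]
    return set_cookie

def inner_results(rename):
    """Send two requests to the inner tier after the outer tier has set its cookie."""
    outer, inner = Apm("ext-0001"), Apm("int-0001")   # constructed session IDs
    browser = dict([outer.handle("")[1].split("=", 1)])
    results = []
    for _ in range(2):
        header = "; ".join(f"{k}={v}" for k, v in browser.items())
        status, set_cookie = inner.handle(rename_request(header) if rename else header)
        if set_cookie:
            name, value = (rename_response(set_cookie) if rename else set_cookie).split("=", 1)
            browser[name] = value
        results.append(status)
    return results

if __name__ == "__main__":
    print("same cookie name:", inner_results(rename=False))
    print("renamed cookie:  ", inner_results(rename=True))
```
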
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

In your case, your problem is the architecture deployed to reach your service. There are indeed solutions to overcome your problem, but why make it complicated when you can keep it simple?

First, avoid cascading APM policies.

So for your External Services (External Users), implement this policy:

  • External F5: create a basic VS without an APM policy that just forwards the flow to the internal VS.

  • Internal F5: create a policy with radius auth + AD auth. This internal VS can be reached only from outside (External F5).

So for your Internal Services (Internal Users), implement this policy:

  • Internal F5: create a policy with AD auth. Internal DNS will forward users to this VS instead of the external VS.

Hope it's clear for you. Keep me in touch

0