I am trying to achieve the following flow:
- A first F5 (external) showing a Logon page with radius authentication (OTP behind) which redirects to the second F5
- A second F5 (internal) showing a logon page with radius authentication (internal logon and password) to access resources
On the first F5 I just put in the VPE a single "Logon Page" and "Radius Auth".
My issue is when I authenticate on the first F5, the second F5 doesn't display the logon form. It says "invalid session ID" (redirect "my.logout.php3?errorcode20").
I guess somewhere the second F5 detects the session from the first F5 and doesn't find any reference on itself.
Note: I use the same cookie domain on both F5s. I also tried a blank one, but with no luck.
Any idea how to fix it?
Check out this post:
Seems to be a similar issue. Turned out at some point you'll need to rename the MRHSession cookie, so the sessions from both the external and internal APM will not interfere with each other. This needs to be done with the use of custom iRules.
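The collision described in the question and the rename proposed in this reply, as an added Python model that is not part of the original thread and is not F5 or iRule code. It assumes the browser reaches both gateways under one shared cookie domain; `INT_MRHSession`, `Apm`, `RenameLayer` and `run_flow` are hypothetical names.

```python
# Toy model, not F5 code. INT_MRHSession is a hypothetical cookie name.
import secrets

COOKIE = "MRHSession"  # session cookie name from the thread

class Apm:
    """Access gateway with its own session table, keyed by the MRHSession cookie."""
    def __init__(self):
        self.sessions = set()

    def handle(self, cookies):
        """Take the request's cookies, return (result, cookies_to_set)."""
        sid = cookies.get(COOKIE)
        if sid is None:                   # no session cookie: start a new session
            sid = secrets.token_hex(16)
            self.sessions.add(sid)
            return "logon page", {COOKIE: sid}
        if sid not in self.sessions:      # ID was issued by a different gateway
            return "invalid session ID", {}
        return "session ok", {}

class RenameLayer:
    """Rewrite step in front of a gateway: the client sees public_name instead."""
    def __init__(self, apm, public_name):
        self.apm, self.public_name = apm, public_name

    def handle(self, cookies):
        # Drop the other tier's MRHSession, then map our public name back to it.
        inbound = {k: v for k, v in cookies.items() if k != COOKIE}
        if self.public_name in inbound:
            inbound[COOKIE] = inbound.pop(self.public_name)
        result, to_set = self.apm.handle(inbound)
        renamed = {self.public_name if k == COOKIE else k: v for k, v in to_set.items()}
        return result, renamed

def run_flow(rename_internal):
    """One cookie jar for the shared domain; visit external, internal, then both again."""
    external, internal = Apm(), Apm()
    if rename_internal:
        internal = RenameLayer(internal, "INT_MRHSession")
    jar, results = {}, []
    for gateway in (external, internal, external, internal):
        result, to_set = gateway.handle(dict(jar))
        jar.update(to_set)
        results.append(result)
    return results

if __name__ == "__main__":
    print("shared name: ", run_flow(False))
    print("renamed name:", run_flow(True))
```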
In your case, your problem is the architecture deployed to reach your service. There are indeed solutions to overcome your problem, but why make it complicated when you can keep it simple?
First, avoid cascading APM policies.
So for your External Services (External Users) implement this policy:
External F5: create a basic VS without an APM policy, just forward the flow to the internal VS.
Internal F5: create a policy with radius auth + AD auth.
This internal VS can be reached only from outside (External F5).
So for your Internal Services (Internal Users) implement this policy:
Hope it's clear for you.
Keep me in touch