Forum Discussion

amolari
Jan 21, 2016

disable re-auth for NA accesses to internal resources protected by Access Policies (2FA)

Hi


I have this use-case: users connect to an APM (Network Access). No SNAT, so the client virtual IP is then routed in the internal network. They must access some internal resources which are protected by the same APM (Access Policy with authentication). Specifically for those VPN-SSL users we would like to avoid the authentication step. My idea was to check in the internal resource policy VPE if the user's source IP (the NA virtual IP) is from the LeasePool subnet and not go through the standard authentication (2FA) for them. However, a session bound to a username is still required. Is there a way to check in the Access session table and perform a lookup based on the virtual client IP to get its SID, and from the SID the username bound to it?


Thanks


Alex


3 Replies

  • You could use APM's SAML for this. The user would get a SAML claim as part of their connection to the VPN and then the SAML claim would be used for single sign-on to your additional resources.


  •
    Josiah_39459
    Historic F5 Account

    Alex, is the VPN a full tunnel? Or a split tunnel and the APM resources are inside the VPN? If the traffic comes through the VPN it shouldn't have to reauthenticate for those other VIPs. The only reason it would have to reauthenticate is if it didn't go through the tunnel and went directly to them, because it wouldn't send the session cookie. In that case, you could share the session cookie between the VIPs using a domain cookie.
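Alex's lookup idea from the question, written out as an iRule for the internal resource's virtual server (an added example, not code posted in this thread). It assumes an address data group named vpn_leasepool holding the Network Access lease pool subnet and an iRule Event agent with ID vpn_sso_lookup in that resource's access policy; the ACCESS::user getsid and ACCESS::session commands used here should be confirmed against the iRule reference for the TMOS version in use.

```tcl
# Added example: reuse the Network Access session that owns the client's
# lease pool address instead of running the 2FA branch a second time.
# Assumptions (not from the thread): data group "vpn_leasepool" with the
# lease pool subnet, VPE iRule Event agent ID "vpn_sso_lookup", and the
# ACCESS::user getsid / ACCESS::session commands as documented for your
# TMOS version. Because there is no SNAT, this trusts the routed source
# address, so the lease pool range must not be reachable from anywhere
# other than the VPN tunnel.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "vpn_sso_lookup" } { return }

    set client_ip [IP::client_addr]
    set sso_user ""

    # Only addresses handed out by the Network Access lease pool qualify
    if { [class match $client_ip equals vpn_leasepool] } {
        # Session IDs currently bound to this PPP (lease pool) address
        foreach sid [ACCESS::user getsid $client_ip] {
            # Accept only a session that has completed its policy (Allow state),
            # never one still sitting in the logon or 2FA steps
            if { [ACCESS::session exists -state_allow $sid] } {
                set sso_user [ACCESS::session data get -sid $sid session.logon.last.username]
                if { $sso_user ne "" } { break }
            }
        }
    }

    # Hand the result back to the VPE; an empty value means "send the user
    # through the normal 2FA branch"
    ACCESS::session data set session.custom.vpn_sso_user $sso_user
}
```

In the VPE, follow the iRule Event agent with a branch on `expr {[mcget {session.custom.vpn_sso_user}] ne ""}` and, on the matching branch, a Variable Assign that copies it into session.logon.last.username so the rest of the policy sees an authenticated user.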