Andrew_Husking
Aug 10, 2010

APM - Two Factor Authentication

Hi All, I've set up the F5 for Citrix, which is working fine, but adding two factor authentication is proving to be quite difficult. Basically I've added a 2nd password box with the variable "passcode", but I can't figure out how to get it to send the "passcode" as the password to the RADIUS server (the second auth box) without having two logon pages. Any help would be amazing. Cheers

6 Replies

  • Can you please clarify the scenario for the authentication process? User will enter username, password1, and password2 from the login page. APM will verify password1 with one AAA server and password2 with another AAA server?

    Typically you should be able to pass the variables through VPE rules, when you define the Access Policy.
  • Andrew,

    It is not possible to pass more than just a username and password to the authentication server. If you would like to do 2-factor auth, you would have to do the passcode auth first, and then I'd recommend going and doing auth using username and password once the passcode-based auth is successful.

    As a side note, please let us know what exactly you're doing for Citrix. We have a new slick ICA proxy solution for XenApp/XenDesktop that is about to be published, and I'd love for you to give it a try.
  • Hi All,

    It is working fine. Basically, the way we've done it is to have password and password1 fields on the logon page,

    run an Authentication item that will use the first password,

    then have an assign variable that changes the password ( session.logon.last.password = expr {[mcget session.logon.last.password2]} ).

    Then run the authentication item that uses the second password.

    And that is working fine for us.

    Cheers
  • Posted By Michael Koyfman on 08/24/2010 07:29 PM

    Andrew,

    It is not possible to pass more than just a username and password to the authentication server. If you would like to do 2-factor auth, you would have to do the passcode auth first, and then I'd recommend going and doing auth using username and password once the passcode-based auth is successful.

    As a side note, please let us know what exactly you're doing for Citrix. We have a new slick ICA proxy solution for XenApp/XenDesktop that is about to be published, and I'd love for you to give it a try.

    We've actually been working with F5 guys in getting that running, we've basically been setting up a POC to see what we can do, and we have it running successfully with 2 factor auth, and running the ICA proxy stuff.
  • Hello - can you share the code you are using to get 2 form factor working? Can you also let me know how you are designating what site would have 2 form factor authentication?
  • Are you looking for 2-factor setup with Citrix XenApp? If so, it is documented in our deployment guide that's posted on f5.com:

    http://www.f5.com/pdf/deployment-guides/apm-citrix-xenapp-dg.pdf