Forum Discussion

mengler_136249 (Nimbostratus)
Aug 05, 2016

APM - RADIUS Variables

We have an APM profile that runs our VPN. Currently, the users input the sAMAccountName into the username field, and then in the password field they combine their 2-factor token and their password. We then hand that off to our Active Directory servers via RADIUS. The application then verifies both the token and the password.

What I would like to do is create a third field on the logon page that allows users to separate out password and token, and then in the background I would like to combine the token and password fields to send via RADIUS to the Active Directory servers.

I'm having a hard time figuring out how to do this though. I have attempted to do a variable assign within the VPE, in which I create a new session variable and concatenate the two fields, but I don't know how to get the next object (RADIUS Auth) to use my new session variable.

 

  • Lucas_Thompson_ (Historic F5 Account)

    Unfortunately all authentication Policy items (AD auth, RADIUS auth, LDAP, SecurID auth) assume that:

    1. The source of the username is "session.logon.last.username"
    2. The source of the password is "session.logon.last.password"
    3. The source of the password is encrypted

    So in order to do any 2-factor authentication you have to:

    1. collect the token, username, and password together in the logon page
    2. make sure your token code is in session.logon.last.password (use a variable assign)
    3. do the token auth
    4. make sure your password is in session.logon.last.password (use a variable assign)
    5. do the password auth
    6. make sure the SSO variables are mapped to the password auth

    We do have an enhancement request ID400742 to allow for a user-defined tokencode source for RADIUS, which eliminates the variable assign step(s) (1-2 depending on how your access policy is set up). If you think this would be helpful, you can feel free to open a support ticket to request this functionality. Provide the ID number in the ticket.
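The Variable Assign expressions below are an added illustration of the six-step flow in the answer above (and of the single-field concatenation the original post describes); they are not code from the thread, from F5, or from either poster. They assume the logon page was given a custom field named `token` (so APM stores it in `session.logon.last.token`), that the built-in password field lands in `session.logon.last.password`, that custom expressions are evaluated as Tcl with `mcget` / `mcget -secure` available, and that `session.custom.userpw` is a free name for a scratch variable. Each expression goes in its own Variable Assign item, in the order of the comments, and every target that holds a secret must have the "Secure" box ticked so it stays encrypted, as point 3 of the answer requires.

```tcl
# Added example, not from the thread. Target variable names are assumptions.

# Before step 2: stash the real password, because step 2 overwrites
# session.logon.last.password with the token code.
# Target: session.custom.userpw  (Secure)
return [mcget -secure {session.logon.last.password}]

# Step 2: hand the token code to the token RADIUS Auth item, which only
# reads session.logon.last.password.
# Target: session.logon.last.password  (Secure)
return [mcget {session.logon.last.token}]

# Step 4 (after the token auth succeeded): restore the password so the
# password auth item and the SSO mapping see the real credential.
# Target: session.logon.last.password  (Secure)
return [mcget -secure {session.custom.userpw}]

# Optional housekeeping after step 5: drop the scratch copy so the
# password is not kept twice in the session store.
# Target: session.custom.userpw  (Secure)
return ""

# Alternative matching the original post's single RADIUS Auth, where the
# backend expects password immediately followed by token in one field.
# Target: session.logon.last.password  (Secure)
return "[mcget -secure {session.logon.last.password}][mcget {session.logon.last.token}]"
```

The token is read with a plain `mcget` because a custom logon field is stored unencrypted unless the field is marked secure; if you mark it secure on the logon page, read it with `mcget -secure` as well. A failed token auth should branch straight to Deny, so the password is never restored or forwarded for a caller who could not produce a valid token.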