Forum Discussion

w-reseau_282897's avatar
w-reseau_282897
Icon for Nimbostratus rankNimbostratus
Aug 10, 2016
Solved

Two factor authentication with two different APM in the same SSL session of the first F5

Hi,   I want to dissociate authentication into two F5, one in front of internet and the other in a DMZ.   Actually, I've one F5 in DMZ internet and it make compliance, certificate check and AD ...
application delivery
BIG-IP Access Policy Manager (APM)
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Aug 11, 2016

    Could you describe your issue more clearly? What problem are you trying to solve?

     

    APM tracks user sessions by "MRHSession" session cookie.

     

    APM is also aware that VPN (Network Access) traffic through it is always part of a already-existing user session. So it is impossible to create a VPN tunnel, then log in again to the same APM box with different user credentials.

     

Lucas_Thompson_'s avatar
Lucas_Thompson_
Historic F5 Account
Aug 11, 2016

Could you describe your issue more clearly? What problem are you trying to solve?

 

APM tracks user sessions by "MRHSession" session cookie.

 

APM is also aware that VPN (Network Access) traffic through it is always part of a already-existing user session. So it is impossible to create a VPN tunnel, then log in again to the same APM box with different user credentials.

 

  • w-reseau_282897's avatar
    w-reseau_282897
    Icon for Nimbostratus rankNimbostratus
    Aug 12, 2016

    Hi Lucas,

     

    I've one F5 in front of Internet with an APM to authenticate with compliance and third party code.

     

    Then I want to initiate a new ssl connection to a second F5 with an APM that it check AD account and then mount a network access tunnel.

     

    But we're always on the first F5 in front of internet in the same ssl session and i don't know that this F5 can decrypt or know the AD account of the user when the second F5 ask it.

     

    Regards Emmanuel

     

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Aug 13, 2016

    so are you ok with the second APM showing another login page, or do you expect it to know somehow?