Forum Discussion

Karthik_Krishn1
Apr 20, 2016

Radius 2nd Factor for secure URI

Hello,


we are in the process of deploying APM for our SAP implementation. The authentication logic is as below:


  • When a user logs in to the portal from the outside (internet) they are presented with the F5 logon page for their AD first-factor authentication. If their authentication is successful they are SSO'ed in to the portal. At this point the user is only able to access the unsecured portions of the portal.
  • Now, when the user attempts to access the secured portions of the portal, they need to present their 2nd factor (RADIUS-based Symantec VIP token). The secured portions of the SAP portal are identified by requests made to specific host names (e.g. https://prderp.domain.com/* or https://prdep.domain.com/*). These host names correspond to VIPs on the same F5 as the portal VIP.

We tried to get this logic to work; however, as has been stated elsewhere, once an access policy has completed evaluation it will not be triggered again during that session, which means that once the user is logged on and allowed access to the portal resource they will be able to get to the secured sections. We tried to use Landing URIs, but that did not work either because a user may hit the secured sections any time they want. In the end we ended up using a decision box whereby a user is forced to make a decision on what they want to do, i.e. Option 1 - Access to Secured Section or Option 2 - Access to Unsecured Section; if they choose Option 1 they are presented with the RADIUS challenge, and for Option 2 no further auth is required.


During our demo with the CIO he did not like this method and wanted the second-factor challenge to be presented only when the user hit the secured sections. I would appreciate any help from the experts on how I can get this done, whereby the user is asked to present the RADIUS token when they attempt to access the secured sections for the first time during a session (the F5 should not ask for the second factor again during that session). I am pretty sure this needs to be done via iRules. We are running version 12.0 (build 2.0.644).


Any help is appreciated.


Thanks,


Karthik


1 Reply

  • What you are asking for is referred to as Step-Up Authentication, which is currently being worked on in PD and will be available in a future release. It seems there might be a way to configure this type of behavior today. I would talk to your Sales Team and find out if they can help with the information they currently have.


    You can definitely do this, and the main thing to remember is that to get the access policy to fire again you have to have an expired session when accessing the VIP. This solution will require an iRule to remember a few things like path, etc., and then expire the session, prompting for authentication (now asking for the 2nd factor).


    Seth
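The approach Seth describes, as an added illustration that is not code from this thread or from F5: an iRule that remembers who was heading to a secured host, expires the APM session so the policy re-runs, and tells the policy whether to take the RADIUS branch. The agent ids `stepup_check` and `stepup_done`, the `session.custom.*` variables and the host list are assumptions; the VPE is assumed to have an "iRule Event" box `stepup_check` after the AD logon, a branch rule `expr {[mcget {session.custom.stepup_needed}] == 1}` leading to the RADIUS Auth box, and a second "iRule Event" box `stepup_done` after it.

```tcl
# Added example (not from the thread): step up to the RADIUS 2nd factor the first
# time a session touches a secured host, by expiring the session and re-running
# the access policy. Agent ids, session.custom.* names and hosts are assumptions.
when RULE_INIT {
    # Secured host names taken from the question (constructed list for this example)
    set static::stepup_hosts [list "prderp.domain.com" "prdep.domain.com"]
    set static::stepup_ttl 300   ;# seconds the "needs step-up" marker lives
}

when HTTP_REQUEST {
    # Only act on an established APM session that hits a secured host
    if { [lsearch -exact $static::stepup_hosts [string tolower [HTTP::host]]] < 0 } { return }
    if { ![ACCESS::session exists [HTTP::cookie MRHSession]] } { return }
    # Already stepped up in this session: let the request through
    if { [ACCESS::session data get "session.custom.stepup"] eq "1" } { return }

    # Remember who needs the 2nd factor and where they were going, then expire the
    # session so the policy runs again. The marker can only add an auth step, so a
    # stale or forged entry cannot weaken access.
    set user [ACCESS::session data get "session.logon.last.username"]
    set target "https://[HTTP::host][HTTP::uri]"
    table set -subtable stepup $user $target $static::stepup_ttl
    ACCESS::session remove
    HTTP::respond 302 Location $target Cache-Control "no-store"
}

when ACCESS_POLICY_AGENT_EVENT {
    switch -- [ACCESS::policy agent_id] {
        "stepup_check" {
            # Runs after the AD logon: tell the policy whether RADIUS is required
            set user [ACCESS::session data get "session.logon.last.username"]
            set target [table lookup -subtable stepup $user]
            if { $target ne "" } {
                ACCESS::session data set "session.custom.stepup_needed" 1
                ACCESS::session data set "session.custom.stepup_target" $target
            } else {
                ACCESS::session data set "session.custom.stepup_needed" 0
            }
        }
        "stepup_done" {
            # Runs after a successful RADIUS Auth: mark the session and clear the marker
            ACCESS::session data set "session.custom.stepup" 1
            table delete -subtable stepup [ACCESS::session data get "session.logon.last.username"]
        }
    }
}
```

Because the session is removed rather than extended, the user re-enters the AD first factor before the RADIUS prompt; the `session.custom.stepup` flag then keeps the rest of that session from being challenged again.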