
Multi-Factor Authentication (2FA/MFA) for F5 BIG-IP APM VPN

Multi-Factor (MFA) and Two-Factor Authentication (2FA) for F5 BIG-IP APM

November 20, 2019 By Rublon Authors

Last updated on February 6, 2025

Overview of MFA for F5 BIG-IP APM VPN

Multi-Factor Authentication (MFA) for F5 BIG-IP APM VPN is an additional security measure that requires users to complete two forms of authentication to gain access to the F5 BIG-IP APM VPN. First, the user enters their Active Directory/RADIUS username and password. After completing this first factor, the user completes a second authentication step using one of the available methods, such as Mobile Push or Email Link. Once both factors are verified, the user is granted access to the VPN. With Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) enabled for F5 BIG-IP APM VPN, an attacker who possesses the user’s login credentials still cannot gain access to the resource without also completing the second factor.

Supported Authentication Methods

| Authentication Method | Supported | Comments |
| --- | --- | --- |
| Mobile Push | ✔ | N/A |
| WebAuthn/U2F Security Key | – | N/A |
| Passcode | ✔ | N/A |
| SMS Passcode | – | N/A |
| SMS Link | ✔ | N/A |
| Phone Call | ✔ | N/A |
| QR Code | – | N/A |
| Email Link | ✔ | N/A |
| YubiKey OTP Security Key | ✔ | N/A |

Before you start

You need to install and configure Rublon Authentication Proxy before configuring F5 BIG-IP APM VPN to work with it. Read the Rublon Authentication Proxy documentation and follow the steps in its Installation and Configuration sections. Afterward, follow the Configuration section in this document.

Ensure that you have properly set up your authentication source, that is, an external Identity Provider (IdP) such as RADIUS, OpenLDAP, or Microsoft Active Directory.

Configuration of MFA for F5 BIG-IP APM VPN

Follow the steps in this section to enable Rublon 2FA for your F5 BIG-IP APM VPN.

Add your Rublon Authentication Proxy server

1. Log in to the F5 BIG-IP admin panel.

2. Go to Access → Authentication → RADIUS.

3. Click the Create… button to create a new server.

4. Enter a name for your new server.

5. Set Mode to Authentication.

6. Set Server Connection to Direct.

7. Set Server Address and Authentication Service Port. These are the IP address and port of your Rublon Authentication Proxy server.

8. Enter your RADIUS secret in the Secret and Confirm Secret fields.

9. Set Timeout to 180.

10. Set Character Set to UTF-8.

11. Click Finished to save your changes.

Modify your Access Policy

1. Go to Access → Profiles/Policies → Access Profiles (Per-Session Policies).

2. Your goal is to make your profile use your Rublon Authentication Proxy server. Click Edit… to modify your policy.

3. The Access Policy editor will open. Click + (Plus) on the arrow to the right of the Logon Page.

4. A new window will appear. Select the Authentication tab.

5. Select RADIUS Auth and click Add Item.

6. Select the previously created Rublon Authentication Proxy server in the AAA server dropdown.

7. Click Save to save the changes.

Note

If you have a former method of authentication (e.g. Microsoft Active Directory), you can either remove it or keep it.

If you wish to remove it, click X, select Connect previous node to Successful branch and click Delete.

You can keep your former method of authentication and us

8. Click Close to return to the Access Profiles page. Note that the status flag next to your profile is yellow. Check your profile and click Apply. The status flag will change to green.

9. Your configuration is now complete. Your users have 2FA enabled when logging in to F5 BIG-IP APM VPN.

Log in to F5 BIG-IP APM using MFA for F5 BIG-IP APM VPN

This example shows logging in to F5 BIG-IP APM VPN via a web browser. Mobile Push has been set as the second factor in the Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).

1. Open the F5 BIG-IP login page in your browser.

2. Provide your username and password and click Logon.

3. You will be sent an automatic push notification on your phone.

4. Tap APPROVE.

5. You will be logged in to F5 BIG-IP.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator option is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
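What enforcing the Message-Authenticator attribute means on the wire, as an added example that is not Rublon's or F5's code: the receiver recomputes HMAC-MD5 over the packet with the shared secret (RFC 3579) and drops packets where the attribute is missing or does not match. The function names, the sample secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 2869 / RFC 3579


def attributes(packet):
    """Yield (type, value_offset, value_length) for each attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    end = struct.unpack("!H", packet[2:4])[0]  # Length field covers header + attributes
    if not 20 <= end <= len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20  # header: code(1) id(1) length(2) authenticator(16)
    while pos < end:
        if pos + 2 > end or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 1] - 2
        pos += packet[pos + 1]


def check_message_authenticator(packet, secret, request_authenticator=None):
    """Return "valid", "invalid" or "missing"; for a response pass the request's authenticator."""
    found = [(off, n) for t, off, n in attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"  # a receiver that enforces the attribute drops this packet
    if len(found) != 1 or found[0][1] != 16:
        return "invalid"
    off = found[0][0]
    buf = bytearray(packet[:struct.unpack("!H", packet[2:4])[0]])
    received = bytes(buf[off:off + 16])
    buf[off:off + 16] = bytes(16)  # the HMAC is computed with the value zeroed
    if request_authenticator is not None:
        buf[4:20] = request_authenticator  # responses are bound to the original request
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"


def build_access_request(secret, username, identifier=1):
    """Constructed sample: Access-Request with Message-Authenticator, then User-Name."""
    ma = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    user = bytes([1, 2 + len(username)]) + username
    header = struct.pack("!BBH", 1, identifier, 20 + len(ma) + len(user)) + os.urandom(16)
    pkt = bytearray(header + ma + user)
    pkt[22:38] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)
```

A "missing" result on packets captured between the F5 and the proxy points to a sender that does not add the attribute, while "invalid" usually points to a shared-secret mismatch between the two sides.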

If you encounter any issues with your Rublon integration, please contact Rublon Support.
