
Securing Remote Access with F5 APM and Multi-Factor Authentication

December 10, 2023
7 min read

The shift to remote work has made secure remote access more critical than ever. F5's Access Policy Manager (APM) provides a comprehensive solution for securing remote access with advanced authentication and authorization capabilities.

Why F5 APM?

F5 APM offers several advantages over traditional VPN solutions:

  • Unified Access: Single solution for VPN, web application access, and API protection
  • Flexible Authentication: Support for multiple authentication methods and MFA
  • Granular Access Control: Context-aware policies based on device posture, location, and user identity
  • SSL VPN: Clientless and full tunnel VPN options

Architecture Overview

A typical F5 APM deployment includes:

  1. Virtual Server: Entry point for remote access
  2. Access Policy: Defines authentication and authorization flow
  3. Network Access Resource: Configures VPN tunnel settings
  4. Webtop: Portal for accessing resources

Implementing Multi-Factor Authentication

RADIUS Integration

Integrate with existing RADIUS servers (RSA, Duo, etc.):

# Create the RADIUS AAA server object that the access policy's RADIUS Auth agent references
# (tmsh; substitute your own server address and shared secret)
create apm aaa radius radius_auth {
    server 192.168.1.100
    secret "shared_secret"
}

Access Policy Configuration

Build an access policy with MFA:

  1. Start → Logon Page (collect username/password)
  2. AD Auth (validate credentials against Active Directory)
  3. RADIUS Auth (second factor via RADIUS)
  4. Device Posture Check (verify endpoint compliance)
  5. Variable Assign (set session variables)
  6. Advanced Resource Assign (grant access to resources)
  7. Allow (establish session)

Visual Policy Editor Example

Start
  ↓
Logon Page (username, password)
  ↓
AD Authentication
  ↓ (successful)
RADIUS Challenge (MFA token)
  ↓ (successful)
Endpoint Security Check
  ↓ (compliant)
Assign Resources
  ↓
Allow Access

Device Posture Assessment

Ensure connecting devices meet security requirements:

Windows Endpoint Check

# Check that antivirus signatures are current
expr {[mcget {session.client.av.status}] == "up-to-date"}

# Verify Windows patch level ("required_level" is a placeholder for your baseline;
# Tcl expr compares the operands as strings unless both are numeric)
expr {[mcget {session.client.os.patch_level}] >= "required_level"}

# Check for disk encryption
expr {[mcget {session.client.disk.encrypted}] == "true"}

macOS Endpoint Check

# Verify FileVault encryption
expr {[mcget {session.client.disk.encrypted}] == "true"}

# Check that the host firewall is enabled
expr {[mcget {session.client.firewall.enabled}] == "true"}
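The following Python is an added example, not F5 code and not part of the original post: it models the access policy flow from the numbered list above together with the Windows and macOS endpoint checks, so the branch ordering and the fail-closed handling of a missing session variable can be reasoned about offline. The session variable names for the posture checks come from the page; session.client.platform and session.logon.last.otp are assumed names, and the AD and RADIUS servers are stand-in callables.

```python
# Constructed model of the access policy flow above (Logon Page -> AD Auth ->
# RADIUS Auth -> Endpoint Security Check -> Resource Assign -> Allow). Not F5
# code: it reproduces the branch logic so ordering and fail-closed handling of
# missing session variables can be checked offline.

# Endpoint checks per platform, using the session variable names from the page.
POSTURE_RULES = {
    "Windows": [("session.client.av.status", "up-to-date"),
                ("session.client.disk.encrypted", "true")],
    "macOS": [("session.client.disk.encrypted", "true"),
              ("session.client.firewall.enabled", "true")],
}

def mcget(session, name):
    """Mimic APM's mcget: an unset variable reads as "", so every equality
    test against it fails and the branch falls through to Deny."""
    return session.get(name, "")

def posture_ok(session):
    """Return (passed, first_failed_variable_or_None)."""
    # session.client.platform is an assumed variable carrying the client OS.
    rules = POSTURE_RULES.get(mcget(session, "session.client.platform"))
    if rules is None:
        return False, "session.client.platform"
    for var, expected in rules:
        if mcget(session, var) != expected:
            return False, var
    return True, None

def evaluate_policy(session, ad_auth, radius_auth):
    """Walk the policy in VPE order. ad_auth/radius_auth are callables standing
    in for the AD and RADIUS servers. Returns (ending, steps_run)."""
    steps = ["Logon Page", "AD Auth"]
    user = mcget(session, "session.logon.last.username")
    if not ad_auth(user, mcget(session, "session.logon.last.password")):
        return "Deny", steps
    # The second factor is requested only after the first succeeded, so a bad
    # password never triggers a RADIUS round trip or a push prompt.
    steps.append("RADIUS Auth")
    if not radius_auth(user, mcget(session, "session.logon.last.otp")):
        return "Deny", steps  # session.logon.last.otp is a constructed name
    steps.append("Endpoint Security Check")
    passed, failed_var = posture_ok(session)
    if not passed:
        return "Deny", steps + [f"posture failed: {failed_var}"]
    steps += ["Advanced Resource Assign", "Allow"]
    return "Allow", steps
```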

Network Access Configuration

Full Tunnel VPN

Configure network access for full tunnel:

create apm resource network-access full_tunnel {
    ip-version ipv4
    split-tunneling false
    dns-address-space {
        { 10.0.0.0/8 }
        { 172.16.0.0/12 }
        { 192.168.0.0/16 }
    }
    ipv4-lease-pool vpn_pool
}

Split Tunnel VPN

For better performance, use split tunneling:

create apm resource network-access split_tunnel {
    ip-version ipv4
    split-tunneling true
    ipv4-address-space include {
        { 10.0.0.0/8 }
        { 192.168.1.0/24 }
    }
    ipv4-lease-pool vpn_pool
}

Advanced Features

Per-Request Policy

Implement step-up authentication for sensitive resources:

# Require additional authentication for admin access
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/admin" } {
        # Trigger additional MFA challenge
        ACCESS::policy evaluate per_request_admin
    }
}

Session Management

Configure session timeouts and limits:

create apm profile access access_profile {
    max-concurrent-sessions 2
    max-session-timeout 28800
    inactivity-timeout 1800
}
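As an added illustration (not F5's code and not part of the original post), this Python models how the per-request step-up rule and the access profile's session limits above behave, including the interaction between the inactivity and absolute timeouts and the concurrent-session count; session.stepup.admin.result is an assumed variable name.

```python
# Constructed helpers, not F5 code, modelling the two controls above: the
# per-request step-up rule for /admin and the access profile's session limits
# (max-session-timeout 28800, inactivity-timeout 1800, max-concurrent-sessions 2).

ACCESS_PROFILE = {"max-concurrent-sessions": 2,
                  "max-session-timeout": 28800,   # seconds since logon
                  "inactivity-timeout": 1800}     # seconds since last request

def session_state(created_at, last_seen, now, profile=ACCESS_PROFILE):
    """Apply both timeouts; the absolute limit wins, so a user who is busy
    all day is still logged out (and re-challenged) after 8 hours."""
    if now - created_at >= profile["max-session-timeout"]:
        return "expired:max-session-timeout"
    if now - last_seen >= profile["inactivity-timeout"]:
        return "expired:inactivity-timeout"
    return "active"

def admit_new_session(user_sessions, now, profile=ACCESS_PROFILE):
    """Concurrent-session limit. Only sessions that are still active count,
    so a stale session from a closed laptop cannot lock the user out."""
    active = sum(1 for created, seen in user_sessions
                 if session_state(created, seen, now, profile) == "active")
    return active < profile["max-concurrent-sessions"]

def needs_step_up(uri, session):
    """Per-request check mirroring the iRule's starts_with "/admin" test.
    The match is done on the lower-cased path so /Admin is not a bypass
    against a case-insensitive backend (the page's iRule is case-sensitive).
    session.stepup.admin.result is an assumed variable that the step-up
    policy sets on success."""
    path = uri.split("?", 1)[0].lower()
    if not path.startswith("/admin"):
        return False
    return session.get("session.stepup.admin.result") != "success"
```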

Monitoring and Troubleshooting

Key Logs to Monitor

  1. Access Policy Logs: /var/log/apm
  2. Session Reports: APM → Reports → Sessions
  3. Authentication Logs: Check AD and RADIUS server logs

Common Issues

Issue: Users can't connect after MFA
Solution: Check RADIUS server connectivity and shared secret

Issue: Slow VPN performance
Solution: Enable split tunneling and optimize compression settings

Issue: Endpoint checks failing
Solution: Review endpoint security requirements and update client software

Best Practices

  1. Implement Least Privilege: Grant minimum necessary access
  2. Use Context-Aware Policies: Consider device posture, location, and time
  3. Enable Logging: Comprehensive logging for security and compliance
  4. Regular Updates: Keep F5 APM and client software updated
  5. Test Failover: Ensure high availability configuration works
  6. User Training: Educate users on MFA and security best practices

Conclusion

F5 APM with MFA provides enterprise-grade remote access security. By implementing proper authentication, authorization, and device posture checks, organizations can enable secure remote work without compromising security.

The key is balancing security with user experience—strong authentication shouldn't mean frustrated users. With proper configuration and monitoring, F5 APM delivers both security and usability.