Manual Chapter : Example: Step-up auth on move from wired to wireless

Applies To:

BIG-IP APM

  • 16.0.1, 16.0.0

This example uses gating criteria to check whether a request in a subsession is coming from the same IP address. It uses two subroutines: AD Authentication and MFA. AD Authentication specifies perflow.client.ip.address as the gating criteria. The user must authenticate using first-factor credentials if the IP address has changed, for example, if the user has switched from the wired network to wireless.

In that case, if the initial authentication is successful, the request is routed to the MFA subroutine for step-up authentication. The gating criteria for MFA is expr {[mcget {session.adStepUpAuth.gatingCounterPath}]}, where the session variable session.adStepUpAuth.gatingCounterPath was populated in the AD Authentication subroutine. The example ties the two subroutines together: as soon as the first subroutine is reevaluated, the second must be reevaluated as well.