Manual Chapter : Assigning push and OTP variables for MFA in a subroutine

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

back-action Adding a Variable Assign agent to collect the username in an OAuth MFA subroutine

Updated Date: 04/30/2026

Assigning push and OTP variables for MFA in a subroutine

You should have created the subroutine for MFA with a variable assign agent and logon page item as previously described. This task begins in the subroutine.

Assign the variables for the push and one time passcode to provide successful MFA in the per-request policy.

  1. On the Push branch following the logon page items, click plus.

  2. Click the Assignment tab, select Variable Assign, and click Add Item.

  3. Click Add new entry.

  4. On the left, select Custom Variable and type subsession.logon.last.password.

  5. On the right, select Text and type push.

  6. Click Finished.

  7. On the OTP branch, following the logon page items, click plus.

  8. Click the Assignment tab, select Variable Assign, and click Add Item.

  9. Click Add new entry.

  10. On the left, select Custom Variable and type subsession.logon.last.password.

  11. On the right, select Session Variable and type subsession.logon.last.mfaToken.

  12. Click Finished.

  13. Click Save.

  14. On both branches, add a RADIUS Auth item, and specify the RADIUS server.

  15. Add terminals for the branches.

    This example shows a completed subroutine for MFA with a one time passcode and push options.

The subroutine for MFA is created.

Add the subroutine to the per-request policy.