Manual Chapter : Example: Step-up auth on move from wired to wireless

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

back-action Example: Step-up authentication for an IP address change

Updated Date: 04/30/2026

Example: Step-up auth on move from wired to wireless

This example shows using gating criteria to check whether a request in a subsession is coming from the same IP address. It uses two subroutines: AD Authentication and MFA. AD Authentication specifies perflow.client.ip.address as the gating criteria. The user must authenticate using first factor credentials if the IP address has changed, for example, if the user has switched from the wired network to using wireless.

In that case, if initial authentication is successful, request is routed to the MFA subroutine for step-up authentication. The gating criteria for MFA is expr {[mcget {session.adStepUpAuth.gatingCounterPath}]}, where the session variable session.adStepUpAuth.gatingCounterPath was populated in the AD Authentication subroutine. The example ties the two subroutines together: as soon as the first subroutine is reevaluated, the second must be reevaluated again.