Log in Sign Up

Guides

VPN Clients 2FA

Deploying Two-Factor Authentication on F5 BIG-IP APM VPN

This guide shows how to enable multi-factor authentication (MFA / 2FA) for F5 BIG-IP APM VPN with the help of the Protectimus two-factor authentication system.

Protectimus two-factor authentication system integrates with F5 BIG-IP APM VPN via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server, and the F5 BIG-IP VPN performs of a RADIUS client.

The scheme of work of the Protectimus solution for F5 BIG-IP APM VPN 2FA is presented below.

F5 BIG-IP APM VPN 2FA setup via RADIUS

1. How F5 BIG-IP APM VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for F5 BIG-IP APM VPN allows you to add an extra layer of security to your F5 BIG-IP VPN logins.

When you add 2FA/MFA for F5 VPN, your users will use two different authentication factors to get access to their accounts.

  1. The first factor is login and password (something the user knows);
  2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack an F5 BIG-IP APM VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for F5 BIG-IP APM VPN

You can set up multi-factor authentication (2FA) for F5 BIG-IP VPN with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the Radius box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for F5 BIG-IP APM VPN two-factor authentication using RADIUS are available in our Protectimus RADIUS Server Installation Guide for F5 BIG-IP APM VPN 2FA.

2.3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN 2FA

  1. Log into the F5 BIG-IP administrator dashboard.
  2. Navigate to Access –> Authentication –> RADIUS.
How to add two-factor authentication to F5 BIG-IP APM
  1. Click the Create… button to add a new RADIUS server.
  2. Then fill in the form referring to the table and image below, and click Finished to save your settings.
Name Type any name for your RADIUS server – enter Protectimus_RADIUS_Server or any other name you wish.
Mode Authentication
Server Connection Direct
Server Address Enter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication Service Port Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Secret Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Confirm Secret Confirn the shared secret.
Timeout Set to 180 seconds.
Retries Set to 3.
Character Set Set to UTF-8.
Service Type Default.
How to add multi-factor authentication to F5 BIG-IP APM - step 2

2.4. Modify the F5 BIG-IP APM Access Policy

  1. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies).
How to set up F5 BIG-IP APM 2FA - step 3
  1. Click Edit… to modify your F5 BIG-IP APM access policy.
How to set up F5 BIG-IP APM MFA - step 4
  1. You will see the Access Policy editor. Click + (Plus) on the arrow to the right of the Logon Page.
How to set up F5 BIG-IP APM two-factor auth - step 5
  1. In a new window, select the Authentication tab. The select RADIUS Auth and click the Add Item button.
How to set up F5 BIG-IP APM two-factor authentication - step 6
  1. In the AAA Server dropdown, select Protectimus_RADIUS_Server – the server you have created previously. Then click Save to save the changes.
How to set up F5 BIG-IP APM 2FA - step 7
PLEASE NOTE!
If you have a former authentication method (e.g. Active Directory) you can either remove it or keep it.
You can keep your former authentication method and use Protectimus after or before that authentication method.
To remove it, click X, select Connect previous node to Successful branch, and click Delete.
  1. Click Close to return to the Access Profiles page. Check your profile and click Apply. The status flag next to your profile should change to green.

Integration of two-factor authentication (2FA/MFA) for your F5 BIG-IP APM VPN 2FA is now complete.

If you have other questions, contact Protectimus customer support service.

Protectimus Ltd

Carrick house, 49 Fitzwilliam Square,
Dublin D02 N578, Ireland

Ireland: +353 19 014 565
USA: +1 786 796 66 64

support@protectimus.com
sales@protectimus.com

© 2025 Protectimus Ltd
© 2025 Protectimus Ltd
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.
Table of Contents