
F5 BIG-IP APM with RADIUS and Duo Prompt

Last Updated: April 2nd, 2025

End of Support Information

The iframe-based traditional Duo Prompt in F5 BIG-IP RADIUS configurations reached its end of support on March 30, 2024. Customers must migrate to a supported Duo Single Sign-On application with Universal Prompt or a RADIUS configuration without the iframe for continued support from Duo.

We recommend you deploy F5 BIG-IP APM OIDC, which features Duo Universal Prompt support. Another option is to use Duo Single Sign-On with a generic SAML application to protect F5 BIG-IP with Duo Single Sign-On, our cloud-hosted identity provider featuring Duo Central and the Duo Universal Prompt.

Another alternative is to reconfigure your existing radius_server_iframe Duo Authentication Proxy application so that it does not use the iframe, for example, BIG-IP RADIUS with Auto Push Instructions.

Learn more about options for out-of-scope applications in the Universal Prompt update guide, and review the Duo End of Sale, Last Date of Support, and End of Life Policy.

The instructions for this solution were removed on April 2, 2025. Customers who had this configuration deployed before then and need to refer to the original instructions may contact Duo Support.

Troubleshooting

Need some help? Review troubleshooting tips for the Authentication Proxy and try the connectivity tool included with Duo Authentication Proxy 2.9.0 and later to discover and troubleshoot general connectivity issues.

Also take a look at the F5 BIG-IP Frequently Asked Questions (FAQ) page or try searching our F5 BIG-IP Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

F5 BIG-IP Network Diagram
  1. Primary authentication initiated to F5 BIG-IP APM
  2. F5 BIG-IP APM verifies primary logon credentials with external directory using Active Directory or RADIUS
  3. F5 BIG-IP APM sends authentication request to Duo Security’s authentication proxy
  4. Duo authentication proxy connection established to Duo Security over TCP port 443
  5. User completes Duo two-factor authentication via the interactive web prompt served from Duo's service and their selected authentication factor.
  6. Duo Authentication Proxy receives authentication response
  7. F5 BIG-IP APM access granted