
Implementation Guide F5 BIG-IP APM

F5 BIG-IP APM
Implementation Guide
(Version 5.7)

Copyright 2013
Deepnet Security Limited

Copyright © 2013, Deepnet Security. All Rights Reserved. Page 1



Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID,
SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp
are trademarks of Deepnet Security Limited. All other brand names and product names
are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor the
documentation may be copied, reproduced, translated or reduced to any electronic
medium or machine-readable form, in whole or in part, without the prior written consent
of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you
understand the exact terms of usage. In particular, for which projects, on which
platforms and at which sites, you are allowed to use the product. You are not allowed to
make any modifications to the product. If you feel the need for any modifications, please
contact Deepnet Security.

Disclaimer

This document is provided “as is” without warranty of any kind, either expressed or
implied, including, but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement.

This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the document. Deepnet Security may make improvements of and/or changes
to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security
products, you are always welcome to contact us.

Deepnet Security Limited
Comer Business Innovation Centre
North London Business Park
Oakleigh Road South
London N11 1GN, UK

Tel: +44(0)20 3668 1580
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com




Table of Contents

Overview ..... 4
RADIUS ..... 5
  Create a RADIUS logon procedure ..... 5
  Create a RADIUS application ..... 6
  Register the F5 BIG-IP as a RADIUS client ..... 7
  Register the DualShield RADIUS server ..... 8
  Test Authentication ..... 9
    Create Access Profile ..... 9
    Configure Access Policy ..... 11
    Challenge & Response ..... 12
SAML 2.0 ..... 14
  DualShield - Create a SSO logon procedure ..... 14
  DualShield - Create a SAML application ..... 15
  F5 - Create a new SP ..... 16
  F5 - Download Metadata ..... 18
  DualShield - Register F5 BIG-IP as a SSO Service Provider ..... 18
  DualShield - Download IdP Metadata ..... 19
  F5 - Register DualShield as an IdP Connector ..... 19
  F5 - Bind the IdP Connector to the SP ..... 21
  F5 - Configure Access Policy ..... 22
  Test Authentication ..... 24




Overview
F5 BIG-IP Access Policy Manager (APM) is a flexible, high-performance access and
security solution that provides unified global access to your business-critical applications
and networks.

This implementation guide describes how to integrate F5 BIG-IP APM with the DualShield
unified authentication platform in order to add two-factor authentication into its login
process.

F5 BIG-IP supports external authentication servers, including both RADIUS and SAML.
The DualShield unified authentication platform includes a fully compliant RADIUS server
as well as a SAML 2.0 compliant Single Sign-On (SSO) server. F5 BIG-IP can therefore be
configured to work with either the DualShield RADIUS server or the DualShield SSO
server, depending on the customer's requirements. If a customer requires only OTP and
ODP (One-Time Password and On-Demand Password) authentication, RADIUS can deliver
those methods. If a customer also requires other authentication methods, such as
keystroke biometrics or device DNA, or wants ODP with a more user-friendly logon
interface, the customer must implement the SAML solution.




RADIUS
Prior to configuring F5 BIG-IP for two-factor authentication, you must have the
DualShield Authentication Server and DualShield Radius Server installed and operating.
For the installation, configuration and administration of DualShield Authentication and
Radius servers please refer to the following documents:

- DualShield Authentication Platform – Installation Guide
- DualShield Authentication Platform – Quick Start Guide
- DualShield Authentication Platform – Administration Guide
- DualShield Radius Server - Installation Guide

You also need to have a RADIUS application created in the DualShield authentication
server. The application will be used for the two-factor authentication in F5 BIG-IP. The
document below provides general instructions for RADIUS authentication with the
DualShield Radius Server:

VPN & RADIUS - Implementation Guide

The key steps are:

In DualShield

1. Create a logon procedure for RADIUS authentication
2. Create a RADIUS application for F5 BIG-IP
3. Register the F5 BIG-IP as a RADIUS client

In F5 BIG-IP

1. Register the DualShield RADIUS authentication server

You can use the Application Wizard in the DualShield Console to create an application
and all its dependencies, including the logon procedure, or you can create the application
and logon procedure individually as described below. The “DualShield Authentication
Platform – Quick Start Guide” describes how to use the Application Wizard in detail.

Create a RADIUS logon procedure


1. Login to the DualShield management console
2. In the main menu, select “Authentication | Logon Procedure”
3. Click the “Create” button on the toolbar
4. Enter “Name” and select “RADIUS” as the Type




5. Click “Save”
6. Click the Context Menu icon of the newly created logon procedure and select “Logon
Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select the desired authentication method, e.g. “Static Password + One-Time
Password”
9. Click “Save”

Create a RADIUS application


1. In the main menu, select “Authentication | Applications”
2. Click the “Create” button on the toolbar
3. Enter “Name”
4. Select “Realm”
5. Select the logon procedure that was just created

6. Click “Save”
7. Click the context menu of the newly created application, select “Agent”




8. Select the DualShield Radius server, e.g. “Local Radius Server”


9. Click “Save”
10. Click the context menu of the newly created application, select “Self Test”

Register the F5 BIG-IP as a Radius client


1. In the main menu, select “RADIUS | Clients”
2. Click the “Register” button on the toolbar




3. Select the application that was created in the previous steps


4. Enter the F5 BIG-IP’s IP address, e.g. 192.168.111.200. This must be the self IP that
the BIG-IP sends its RADIUS requests from, not the virtual server address.
5. Enter the Shared Secret, which will be entered again in F5 BIG-IP. Use a long, random
value: RADIUS relies on this secret both to hide the user’s password and to
authenticate the server’s replies.
6. Click “Save”

Register the DualShield RADIUS server


Log into the F5 BIG-IP Configuration Utility. Select “Access Policy | AAA Servers |
RADIUS”.

1. Click the + button to add a new RADIUS server.

2. Populate the fields. In this example, the DualShield RADIUS server is installed at
IP 192.168.124.171, port 1812 (the standard RADIUS authentication port).

Enter the Shared Secret that was set up for the RADIUS client in DualShield. The two
values must match exactly; a mismatch makes every reply fail its authenticator check.




Test Authentication
To test the RADIUS authentication, we will use F5 BIG-IP Portal Access as an example.
We will configure a remote access connection to one or more internal web applications.
Create an access policy and local traffic virtual server so that end users can access
internal web applications through a single external virtual server. Use this if you need to
provide secure extranet access to internal web applications without creating a full VPN
connection.

Create Access Profile

Select “Device Wizards” in the Main tab:

then select “Portal Access Setup Wizard”:

Enter the Policy Name. Click “Next”

Select the “Use Existing” in the Authentication Option.

Select the DualShield RADIUS server registered in the previous step.

Click “Next”




On this page you need to enter the details of your web application and its URI.

Click “Next”

Enter the IP of a virtual server

Click “Next”

This is the final review page. Make sure all details are correct and click “Next” to finish
the wizard.




You can now view the Access Profile we just created in Access Profiles List:

Configure Access Policy

To edit the Access Policy, click “Edit”.

Finally, it is worth pointing out that the IP address of the RADIUS client registered in
DualShield must be the BIG-IP’s self IP, i.e. the source address of the RADIUS requests,
not the virtual server IP. A RADIUS server silently discards requests from an address it
does not know as a client, so a mismatch here shows up on the BIG-IP as a timeout
rather than as a rejection. If the BIG-IP is deployed as an HA pair, register the self IP
of each unit.




Now, we are ready to carry out the test.

Navigate to your BIG-IP’s virtual server address, e.g.

https://bigip-sp.deepnetsecurity.local

The Logon Page is presented.

If the logon procedure defined in DualShield is “Static Password + One-Time Password”,
enter the user’s AD password followed by the OTP passcode in the Password field.

Challenge & Response

If you are planning to deploy the On-Demand Password authentication solution using the
T-Pass authenticator, the recommended implementation is RADIUS challenge and
response. The user experience in the login process is as follows:

1) Users are first asked to enter their user name and AD password.




2) The user name and password are submitted to the DualShield server to be verified.
When DualShield has successfully verified the user and the password, it generates a
one-time password and sends it to the user by SMS or email.

3) The user is then asked to enter the one-time password.

To implement Challenge & Response, all you have to do is change the Logon Procedure
in DualShield into a two-step logon: a first step that verifies the static password and a
second step that verifies the one-time password. The BIG-IP then prompts for the OTP
when DualShield answers the first request with a RADIUS Access-Challenge.
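The two logon modes described above (“Static Password + One-Time Password” entered in a single Password field, and the two-step challenge/response logon) differ only in how the RADIUS exchange runs. The following added example, which is not code from Deepnet or F5, implements a minimal RADIUS PAP client and a mock server that behaves like each DualShield logon procedure, so the Access-Request / Access-Challenge / Access-Accept sequence the BIG-IP goes through can be stepped through offline. The shared secret, the test user, the static password and the OTP are constructed values; the 192.168.111.200 NAS address is the BIG-IP self IP used in this guide.

```python
# Added example (not Deepnet's or F5's code): a minimal RADIUS PAP client and a
# mock server that behaves like the two DualShield logon procedures above:
# "Static Password + One-Time Password" in one field, and the two-step
# challenge/response logon. Standard library only; packets are passed
# in-process, no network. Secret, user, password and OTP are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24
SHARED_SECRET = b"constructed-test-secret"            # same value on both sides
NAS_IP = bytes([192, 168, 111, 200])                  # the BIG-IP self IP from the guide
USERS = {"alice": {"password": b"S3cret!", "otp": b"482913"}}  # constructed test user


def pap_crypt(data, authenticator, secret, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with
    MD5(secret + previous block), the first block keyed by the Request
    Authenticator. This is obfuscation keyed on the shared secret, not
    encryption, which is why the secret must be long and random."""
    if not decrypt:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ k for x, k in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out


def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, n = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + n]))
        pos += n
    return code, ident, pkt[4:20], attrs


def sign_response(code, ident, request_auth, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = encode(code, ident, request_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt + SHARED_SECRET).digest() + pkt[20:]


def verify_response(pkt, request_auth):
    """Client-side check that the reply was produced by a holder of the secret."""
    want = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(want, pkt[4:20])


class MockDualShieldRadius:
    """two_step=False: password and OTP concatenated in User-Password.
    two_step=True: password first, then Access-Challenge + State for the OTP."""

    def __init__(self, two_step):
        self.two_step, self.pending = two_step, {}     # pending: State -> user

    def handle(self, pkt):
        _, ident, req_auth, attrs = decode(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode()
        rec = USERS.get(user, {"password": b"\0", "otp": b"\0"})  # unknown user: still compare
        given = pap_crypt(a.get(USER_PASSWORD, b""), req_auth, SHARED_SECRET, decrypt=True)
        reply = lambda c, extra=(): sign_response(c, ident, req_auth, list(extra))
        if not self.two_step:
            ok = hmac.compare_digest(given, rec["password"] + rec["otp"])
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT)
        if STATE in a:                 # step 2: OTP, valid only for a State issued to this user
            ok = self.pending.pop(a[STATE], None) == user and hmac.compare_digest(given, rec["otp"])
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT)
        if not hmac.compare_digest(given, rec["password"]):   # step 1: static password
            return reply(ACCESS_REJECT)
        state = os.urandom(16)
        self.pending[state] = user
        return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter the one-time password sent to you"),
                                        (STATE, state)])


def radius_logon(server, user, first_secret, otp=None):
    """What the BIG-IP does: send Access-Request; on Access-Challenge prompt for
    the OTP and resend it together with the server's State. Returns the final code."""
    ident, state, secret = 1, None, first_secret
    while True:
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user.encode()), (NAS_IP_ADDRESS, NAS_IP),
                 (USER_PASSWORD, pap_crypt(secret, req_auth, SHARED_SECRET))]
        if state is not None:
            attrs.append((STATE, state))
        resp = server.handle(encode(ACCESS_REQUEST, ident, req_auth, attrs))
        if not verify_response(resp, req_auth):
            raise ValueError("bad Response Authenticator: wrong shared secret or spoofed server")
        code, _, _, rattrs = decode(resp)
        if code != ACCESS_CHALLENGE or otp is None:
            return code
        state, secret, otp, ident = dict(rattrs)[STATE], otp, None, ident + 1
```

`radius_logon(MockDualShieldRadius(two_step=False), "alice", b"S3cret!482913")` returns Access-Accept (2) for the concatenated mode; `radius_logon(MockDualShieldRadius(two_step=True), "alice", b"S3cret!", b"482913")` does the same in two round trips. Two things the mock deliberately models are worth checking in a real deployment: the server accepts an OTP only together with a State value it issued for that user (so the password step cannot be skipped), and the client verifies the Response Authenticator, which is the only thing proving the reply came from the DualShield server rather than a spoofed host. What the mock does not model is the real server matching the UDP source address against the registered client list, which is why the self IP must be the registered address.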




SAML 2.0
DualShield unified authentication platform includes a SAML 2.0 compliant Single Sign-On
(SSO) server which can be easily integrated with F5 BIG-IP to provide two-factor
authentication. Prior to configuring F5 BIG-IP, you must have the DualShield
Authentication Server and DualShield SSO Server installed and operating (both are
installed by default in the installation of the platform). For the installation, configuration
and administration of DualShield Authentication and SSO servers please refer to the
following documents:

- DualShield Authentication Platform – Installation Guide
- DualShield Authentication Platform – Quick Start Guide
- DualShield Authentication Platform – Administration Guide

The key steps are:

In DualShield

1. Create a logon procedure for SSO authentication
2. Create a SAML application for F5 BIG-IP

In F5 BIG-IP

3. Create a new SP
4. Download the SP metadata

In DualShield

5. Register F5 BIG-IP as a SSO Service Provider
6. Download the IdP metadata

In F5 BIG-IP

7. Register DualShield as an IdP Connector
8. Bind the IdP Connector to the SP
9. Configure the Access Policy

DualShield - Create a SSO logon procedure


1. Login to the DualShield management console
2. In the main menu, select “Authentication | Logon Procedure”
3. Click the “Create” button on the toolbar
4. Enter “Name” and select “Web SSO” as the Type




5. Click “Save”
6. Click the Context Menu icon of the newly created logon procedure and select “Logon
Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select the desired authentication method, e.g. “Static Password”
9. Click “Save”
10. Repeat steps 7 - 9 to add more logon steps if desired, e.g. “One-Time Password”
11. Click “Close”

DualShield - Create a SAML application


1. In the main menu, select “Authentication | Applications”
2. Click the “Create” button on the toolbar
3. Enter “Name”
4. Select “Realm”
5. Select the logon procedure that was just created

6. Click “Save”
7. Click the context menu of the newly created application, select “Agent”




8. Select “SSO Server”


9. Click “Save”
10. Click the context menu of the newly created application, select “Self Test”

F5 - Create a new SP
In the main tab, select “Access Policy | SAML | BIG-IP as SP”




Enter the Name: bigip_sp

In the Entity ID field, we simply use the virtual server URL as the Entity ID. This value
identifies the SP to DualShield and is carried in the SP metadata exported in the next
step.

Select “Security Settings”:

Select “Want Signed Assertion”, so that BIG-IP rejects any assertion that is not signed
with the DualShield IdP’s signing key.




F5 – Download Metadata
Once completed, we need to export its metadata which will be used later in DualShield to
create a SP.

DualShield - Register F5 BIG-IP as a SSO Service Provider


1. Select “SSO” in the main menu
2. Select “Service Providers”
3. Click “Create” on the toolbar

4. Enable “Sign on SAML assertion”




DualShield - Download IdP Metadata


1. Select “SSO | SSO Servers”
2. Click the context menu icon of the SSO server and select “Download IdP
Metadata”

3. Select the F5 BIG-IP application created in the previous step


4. Save the metadata file onto your hard disk

F5 - Register DualShield as an IdP Connector


In the Main tab, select “Access Policy | SAML | BIG-IP as SP”. You will see the list of SPs
that have been created:




Select “External IdP Connectors”

Click the down arrow on the “Create” button to show the drop-down menu, then select
“From Metadata”

Select the DualShield IdP metadata downloaded in the previous step

Enter the Name: dualshield

Click “OK” to save it

Now, we need to edit the SAML IdP Connector settings:




Select “Endpoint Settings”. In the Single Sign On Service URL you should see a URL
similar to:

http://dualshield.deepnetsecurity.local:8074/appsso/login?DASApplicationName=F5%20BIG-%20IP%20SAML

At the time of writing, F5 BIG-IP does not accept an SSO URL containing a question mark
(?), so the query string has to be moved into the path. Replace the URL with:

http://dualshield.deepnetsecurity.local:8074/appsso/login/kvps/DASApplicationName=F5%20BIG-%20IP%20SAML

Note the scheme of this endpoint: it is the DualShield page on which the user enters the
static password and OTP, so in production it should be served over HTTPS rather than
plain HTTP.
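Before importing the DualShield IdP metadata as an External IdP Connector and turning on “Want Signed Assertion” on the SP, it is worth checking that the metadata actually contains what those settings depend on. The following added example, not code from Deepnet or F5, parses IdP metadata and reports the entity ID, the signing certificate(s) that the SP will need to verify assertions, and the SSO endpoint, applying the “/kvps/” rewrite from the step above and flagging an endpoint that is not HTTPS. The metadata document in the block is a constructed sample in the shape of SAML 2.0 IdP metadata with a dummy certificate value; only its SSO Location is taken from this guide, and the real DualShield metadata may contain more elements than shown.

```python
# Added example (not Deepnet's or F5's code): pre-flight checks on IdP metadata
# before it is imported as an APM "External IdP Connector". SAMPLE_IDP_METADATA is
# a constructed document in the shape of SAML 2.0 IdP metadata (dummy certificate
# text); its SSO Location is the URL the guide quotes, so the rewrite below
# reproduces the guide's "/kvps/" form.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://dualshield.deepnetsecurity.local:8074/appsso">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-dummy-certificate...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://dualshield.deepnetsecurity.local:8074/appsso/login?DASApplicationName=F5%20BIG-%20IP%20SAML"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def rewrite_sso_url(url):
    """The workaround the guide gives for the connector not accepting '?' in the
    SSO URL: move the query string into the path after '/kvps/'."""
    p = urlsplit(url)
    if not p.query:
        return url
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/") + "/kvps/" + p.query, "", p.fragment))


def check_idp_metadata(xml_text):
    """Return what the APM connector needs, plus a list of findings to fix first."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    findings = []
    entity_id = root.get("entityID")
    if not entity_id:
        findings.append("no entityID: APM cannot match the assertion Issuer to this connector")
    # 'Want Signed Assertion' on the SP is only enforceable with an IdP signing cert.
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.iter("{%s}X509Certificate" % NS["ds"]) if c.text and c.text.strip()]
    if not certs:
        findings.append("no signing certificate: 'Want Signed Assertion' cannot be verified")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        loc = svc.get("Location", "")
        sso[svc.get("Binding")] = loc
        u = urlsplit(loc)
        if u.scheme != "https":
            findings.append("SSO endpoint is %s: the static password and OTP would be sent in "
                            "clear to %s" % (u.scheme, u.netloc))
        if u.query:
            findings.append("SSO URL carries a query string: use the rewritten '/kvps/' form "
                            "in the APM connector")
    preferred = sso.get(REDIRECT) or sso.get(POST) or ""
    if not preferred:
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    return {"entity_id": entity_id, "signing_certs": len(certs), "sso": sso,
            "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
            "apm_sso_url": rewrite_sso_url(preferred), "findings": findings}
```

Running `check_idp_metadata(SAMPLE_IDP_METADATA)` on the sample returns the entity ID, one signing certificate, and the rewritten `.../appsso/login/kvps/DASApplicationName=...` URL to paste into the connector, together with two findings: the endpoint is plain HTTP and the original Location carries a query string. Replacing `use="signing"` with `use="encryption"` in the sample produces the “no signing certificate” finding, which is the case in which “Want Signed Assertion” would leave the SP with nothing to verify against.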

F5 - Bind the IdP Connector to the SP


In the Main tab, select “Access Policy | SAML | BIG-IP as SP”. You will see the list of SPs
that have been created:

Select the SP and click the “Bind/Unbind IdP Connectors” button

Click “Add New Row” button:

In the “SAML IdP Connectors” drop down list, select “dualshield”

Click “Update” to finish it.

Now you should see that the SP “bigip_sp” is bound to the IdP “dualshield”:




F5 – Configure Access Policy

We need to add a “SAML Auth” to replace the “RADIUS Auth” policy.

Click the plus mark before “RADIUS Auth”.

Enable the option: “SAML Auth”, then click “Add Item”:

In “AAA Server” field, select “bigip_sp” that we just created and configured, then click
“Save” to save it.




Click the cross icon (x) on “RADIUS Auth” to delete it. The access policy now becomes:

With SAML authentication, the Logon Page provided by BIG-IP is redundant, because the
user enters credentials on the DualShield SSO page instead. Delete it as well.

Finally, the access policy looks like:

Now, go back to the Access Profiles List and notice that the status flag shows “Modified”.

Click “Apply Access Policy” to activate it.




Test Authentication
To test the SAML authentication, navigate to the URL:

https://bigip-sp.deepnetsecurity.local

This time, the browser is redirected to the DualShield SSO logon page:

Once the DualShield authentication is successful, the user is redirected back to the
application’s web page on the F5:
