F5 BIG-IP APM
Implementation Guide
(Version 5.7)
Copyright 2013
Deepnet Security Limited
Trademarks
Copyrights
Under international copyright law, neither the Deepnet Security software nor the
documentation may be copied, reproduced, translated or reduced to any electronic
medium or machine-readable form, in whole or in part, without the prior written consent
of Deepnet Security.
Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you
understand the exact terms of usage. In particular, for which projects, on which
platforms and at which sites, you are allowed to use the product. You are not allowed to
make any modifications to the product. If you feel the need for any modifications, please
contact Deepnet Security.
Disclaimer
This document is provided “as is” without warranty of any kind, either expressed or
implied, including, but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement.
This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the document. Deepnet Security may make improvements of and/or changes
to the product described in this document at any time.
Contact
If you wish to obtain further information on this product or any other Deepnet Security
products, you are always welcome to contact us.
Table of Contents
Overview
RADIUS
  Create a RADIUS logon procedure
  Create a RADIUS application
  Register the F5 BIG-IP as a Radius client
  Register the DualShield RADIUS server
  Test Authentication
  Create Access Profile
Overview
F5 BIG-IP Access Policy Manager (APM) is a flexible, high-performance access and
security solution that provides unified global access to your business-critical applications
and networks.
This implementation guide describes how to integrate F5 BIG-IP APM with the DualShield
unified authentication platform in order to add two-factor authentication into its login
process.
F5 BIG-IP supports external authentication servers using both RADIUS and SAML. The
DualShield unified authentication platform includes a fully compliant RADIUS server as
well as a SAML 2.0 compliant Single Sign-On (SSO) server. F5 BIG-IP can therefore be
configured to work with either the DualShield Radius server or the DualShield SSO server,
depending on the customer’s requirements. If a customer requires only OTP and ODP
(One-Time Password and On-Demand Password) authentication, then RADIUS can
deliver those authentication methods. If a customer also requires other authentication
methods such as keystroke biometrics or device DNA, or wants ODP with a more
user-friendly logon interface, then the customer must implement the SAML solution.
RADIUS
Prior to configuring F5 BIG-IP for two-factor authentication, you must have the
DualShield Authentication Server and DualShield Radius Server installed and operating.
For the installation, configuration and administration of DualShield Authentication and
Radius servers please refer to the following documents:
You also need to have a RADIUS application created in the DualShield authentication
server. The application will be used for the two-factor authentication in F5 BIG-IP. The
document below provides general instructions for RADIUS authentication with the
DualShield Radius Server:
In DualShield
In F5 BIG-IP
You can use the Application Wizard in the DualShield Console to create an application
and all its dependencies, including the logon procedure, or you can create the application
and logon procedure individually as described below. The “DualShield Authentication Platform
– Quick Start Guide” document describes how to use the Application Wizard in detail.
5. Click “Save”
6. Click the Context Menu icon of the newly created logon procedure and select “Logon
Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select the desired authentication method, e.g. “Static Password + One-Time
Password”
9. Click “Save”
6. Click “Save”
7. Click the context menu of the newly created application and select “Agent”
2. Populate the fields. In this example, the DualShield RADIUS server is installed at
IP 192.168.124.171, port 1812.
Enter the Shared Secret that was set up in the DualShield Radius client.
Test Authentication
To test the RADIUS authentication, we will use F5 BIG-IP Portal Access as an example.
We will configure a remote access connection to one or more internal web applications.
Create an access policy and local traffic virtual server so that end users can access
internal web applications through a single external virtual server. Use this if you need to
provide secure extranet access to internal web applications without creating a full VPN
connection.
Click “Next”
On this page you need to enter the details of your web application and its URI.
Click “Next”
Click “Next”
This is the final review page. Make sure all details are correct and click “Next” to finish
the wizard.
You can now view the Access Profile we just created in the Access Profiles list:
Finally, it is worth pointing out that the IP of the Radius Client registered in
DualShield must be the BIG-IP’s Self IP (the source address its RADIUS requests are
sent from), not the virtual server IP.
https://bigip-sp.deepnetsecurity.local,
In the Password field, enter the user’s AD password immediately followed by an OTP
passcode, if the logon procedure defined in DualShield is “StaticPass + One-Time-Password”:
If you are planning to deploy the On-Demand Password authentication solution using the
T-Pass authenticator, then the recommended implementation is to use Radius challenge
and response. The user experience in the login process is shown below:
1) Users will first be asked to enter their user name and AD password.
2) The user name and password will be submitted to the DualShield server to be
verified. When DualShield has successfully verified the user name and password, it
will generate a one-time password and send it to the user by SMS or email.
To implement Challenge & Response, all you have to do is change the Logon
Procedure in DualShield to a two-step logon, as shown below:
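The two logon procedures described in this section (the single-step logon from Test Authentication, where the OTP is appended to the AD password in the User-Password attribute, and the two-step challenge and response logon for On-Demand Password), together with the earlier note that the RADIUS client registered in DualShield must be the BIG-IP’s Self IP, as an added Python simulation. This is example code written for this guide, not DualShield or F5 software: it models Access-Request, Access-Challenge, Access-Accept and Access-Reject as dictionaries rather than wire packets, implements only the RFC 2865 User-Password hiding, and omits the Response Authenticator and Message-Authenticator. The server address 192.168.124.171 comes from the guide; the Self IP 192.168.124.10, the virtual server IP 192.168.124.20, the shared secret, the user and the OTP values are constructed.

```python
# Added educational example (not DualShield or F5 code): a toy RADIUS exchange showing
# (a) the single-step "Static Password + One-Time Password" logon, where User-Password
# carries AD password and OTP concatenated, (b) the two-step challenge/response logon
# used for On-Demand Password, and (c) why the registered RADIUS client must be the
# BIG-IP's Self IP: the server looks the shared secret up by the packet's source
# address and silently drops packets from unknown sources.
# Only 192.168.124.171 comes from the guide; every other value below is constructed.
import hashlib
import os
import secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

RADIUS_SERVER_IP = "192.168.124.171"     # from the guide
BIGIP_SELF_IP = "192.168.124.10"         # constructed: where BIG-IP's RADIUS packets originate
BIGIP_VIRTUAL_IP = "192.168.124.20"      # constructed: the client-facing virtual server
SHARED_SECRET = b"constructed-shared-secret"
# constructed sample users: name -> (AD password, OTP currently valid for that user)
USERS = {"alice": ("Passw0rd!", "123456")}


def obfuscate_password(secret, authenticator, password):
    """Hide User-Password as in RFC 2865 section 5.2: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of obfuscate_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(secret, user, password, state=None):
    """Build an Access-Request as the BIG-IP would (a dict standing in for the wire format)."""
    authenticator = os.urandom(16)
    packet = {"Code": ACCESS_REQUEST, "Authenticator": authenticator, "User-Name": user,
              "User-Password": obfuscate_password(secret, authenticator, password.encode())}
    if state is not None:
        packet["State"] = state
    return packet


class RadiusServer:
    """Stand-in for the DualShield RADIUS server with one logon procedure configured."""

    def __init__(self, clients, users, two_step):
        self.clients = clients        # registered clients: source IP -> shared secret
        self.users = users
        self.two_step = two_step      # True = "Static Password" then "One-Time Password"
        self.pending = {}             # State -> user name awaiting its OTP

    def handle(self, source_ip, packet):
        secret = self.clients.get(source_ip)
        if secret is None:
            return None               # unknown client: RFC 2865 says discard silently
        user = packet["User-Name"]
        sent = reveal_password(secret, packet["Authenticator"], packet["User-Password"]).decode()
        ad_password, otp = self.users.get(user, (None, None))
        if "State" in packet:         # second round of challenge/response; State is single-use
            ok = self.pending.pop(packet["State"], None) == user and sent == otp
            return {"Code": ACCESS_ACCEPT if ok else ACCESS_REJECT}
        if self.two_step:
            if sent != ad_password:
                return {"Code": ACCESS_REJECT}
            state = secrets.token_bytes(16)
            self.pending[state] = user   # here DualShield would send the OTP by SMS/email
            return {"Code": ACCESS_CHALLENGE, "State": state,
                    "Reply-Message": "Enter the one-time password sent to you"}
        # single step: AD password immediately followed by the OTP
        ok = ad_password is not None and sent == ad_password + otp
        return {"Code": ACCESS_ACCEPT if ok else ACCESS_REJECT}


def make_server(two_step):
    return RadiusServer({BIGIP_SELF_IP: SHARED_SECRET}, USERS, two_step)


def logon_concatenated(server, source_ip, user, ad_password, otp):
    """One round trip; returns the reply code, or None if the server dropped the packet."""
    reply = server.handle(source_ip, access_request(SHARED_SECRET, user, ad_password + otp))
    return reply and reply["Code"]


def logon_challenge_response(server, source_ip, user, ad_password, otp):
    """Two round trips: password -> Access-Challenge(State) -> OTP + State -> Accept/Reject."""
    first = server.handle(source_ip, access_request(SHARED_SECRET, user, ad_password))
    if first is None or first["Code"] != ACCESS_CHALLENGE:
        return first and first["Code"]
    second = server.handle(source_ip, access_request(SHARED_SECRET, user, otp, first["State"]))
    return second and second["Code"]


if __name__ == "__main__":
    args = ("alice", "Passw0rd!", "123456")
    print("one-step from Self IP:", logon_concatenated(make_server(False), BIGIP_SELF_IP, *args))
    print("two-step from Self IP:", logon_challenge_response(make_server(True), BIGIP_SELF_IP, *args))
    print("two-step from virtual IP:", logon_challenge_response(make_server(True), BIGIP_VIRTUAL_IP, *args))
```

The third call in the usage block is the misconfiguration the guide warns about: a request arriving from the virtual server address matches no registered client, so the server never answers and the BIG-IP only sees a timeout.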
SAML 2.0
The DualShield unified authentication platform includes a SAML 2.0 compliant Single Sign-On
(SSO) server which can be easily integrated with F5 BIG-IP to provide two-factor
authentication. Prior to configuring F5 BIG-IP, you must have the DualShield
Authentication Server and DualShield SSO Server installed and operating (both are
installed by default when the platform is installed). For the installation, configuration
and administration of the DualShield Authentication and SSO servers please refer to the
following documents:
In DualShield
In F5 BIG-IP
1. Create a new SP
2. Download SP Metadata
In DualShield
In F5
5. Click “Save”
6. Click the Context Menu icon of the newly created logon procedure and select “Logon
Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select the desired authentication methods, e.g. “Static Password”
9. Click “Save”
10. Repeat steps 7 to 9 to add more logon steps if desired, e.g. “One-Time Password”
6. Click “Save”
7. Click the context menu of the newly created application and select “Agent”
F5 - Create a new SP
In the main tab, select “Access Policy | SAML | BIG-IP as SP”
In the Entity ID field, we simply use the virtual server URL as the Entity ID
F5 – Download Metadata
Once completed, we need to export the SP’s metadata, which will be used later in DualShield to
create an SP.
Click the down arrow on the “Create” button to show the drop-down menu, then select
“From Metadata”
Select “Endpoint Settings”. In the Single Sign On Service URL you should see a URL
similar to:
http://dualshield.deepnetsecurity.local:8074/appsso/login?DASApplicationName=F5%20BIG-%20IP%20SAML
F5 BIG-IP has a bug whereby it does not accept URLs containing a question mark (?), so the
query string has to be rewritten in path form. Replace the URL with:
http://dualshield.deepnetsecurity.local:8074/appsso/login/kvps/DASApplicationName=F5%20BIG-%20IP%20SAML
Now you should see that the SP “bigip_sp” is bound to the IdP “dualshield”:
In the “AAA Server” field, select the “bigip_sp” SP that we just created and configured, then click
“Save”.
Click the cross icon (x) on “RADIUS Auth” to delete it. The access policy now becomes:
With SAML authentication, the Logon Page provided by BIG-IP is redundant, so delete it
as well.
Now go back to the Access Profiles list and notice that the status flag shows “Modified”.
Test Authentication
To test the SAML authentication, navigate to the URL:
https://bigip-sp.deepnetsecurity.local
Once the DualShield authentication is successful, the user will be redirected back to the F5
application’s web page: