
Implementation Guide F5 BIG-IP APM

Copyright © 2013, Deepnet Security. All Rights Reserved. Page 1

F5 BIG-IP APM

Implementation Guide

(Version 5.7)

Copyright 2013

Deepnet Security Limited

Page 2: F5 BIG-IP APM - Implementation Guide - Deepnet Security BIG-IP APM... · Implementation Guide F5 BIG-IP APM ... F5 – Configure Access Policy ... F5 BIG-IP Access Policy Manager

Implementation Guide F5 BIG-IP APM

Copyright © 2013, Deepnet Security. All Rights Reserved. Page 2

Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor the documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer

This document is provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.

Deepnet Security Limited

Comer Business Innovation Centre

North London Business Park

Oakleigh Road South

London N11 1GN, UK

Tel: +44(0)20 3668 1580

Fax: +44(0)20 8446 3182

Web: www.deepnetsecurity.com

Email: [email protected]


Table of Contents

Overview (page 4)
RADIUS (page 5)
    Create a RADIUS logon procedure (page 5)
    Create a RADIUS application (page 6)
    Register the F5 BIG-IP as a Radius client (page 7)
    Register the DualShield RADIUS server (page 8)
    Test Authentication (page 9)
        Create Access Profile (page 9)
        Configure Access Policy (page 11)
        Challenge & Response (page 12)
SAML 2.0 (page 14)
    DualShield - Create a SSO logon procedure (page 14)
    DualShield - Create a SAML application (page 15)
    F5 - Create a new SP (page 16)
    F5 – Download Metadata (page 18)
    DualShield - Register F5 BIG-IP as a SSO Service Provider (page 18)
    DualShield - Download IdP Metadata (page 19)
    F5 - Register DualShield as an IdP Connector (page 19)
    F5 - Bind the IdP Connector to the SP (page 21)
    F5 – Configure Access Policy (page 22)
    Test Authentication (page 24)


Overview

F5 BIG-IP Access Policy Manager (APM) is a flexible, high-performance access and security solution that provides unified global access to your business-critical applications and networks.

This implementation guide describes how to integrate F5 BIG-IP APM with the DualShield unified authentication platform in order to add two-factor authentication to its login process.

F5 BIG-IP supports external authentication servers, including both RADIUS and SAML. The DualShield unified authentication platform includes a fully compliant RADIUS server as well as a SAML 2.0 compliant Single Sign-On (SSO) server. F5 BIG-IP can therefore be configured to work with either the DualShield Radius server or the DualShield SSO server, depending on the customer’s requirements. If a customer requires only OTP and ODP (One-Time Password and On-Demand Password) authentication, then RADIUS can deliver those authentication methods. If a customer also requires other authentication methods such as keystroke biometrics or device DNA, or ODP with a more user-friendly logon interface, then the customer must implement the SAML solution.


RADIUS

Prior to configuring F5 BIG-IP for two-factor authentication, you must have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of the DualShield Authentication and Radius servers please refer to the following documents:

DualShield Authentication Platform – Installation Guide

DualShield Authentication Platform – Quick Start Guide

DualShield Authentication Platform – Administration Guide

DualShield Radius Server - Installation Guide

You also need to have a RADIUS application created in the DualShield authentication server. The application will be used for the two-factor authentication in F5 BIG-IP. The document below provides general instructions for RADIUS authentication with the DualShield Radius Server:

VPN & RADIUS - Implementation Guide

The following outlines the key steps:

In DualShield

1. Create a logon procedure for RADIUS authentication

2. Create a RADIUS application for F5 BIG-IP

3. Register the F5 BIG-IP as a RADIUS client

In F5 BIG-IP

1. Register the DualShield RADIUS authentication server

You can use the Application Wizard in the DualShield Console to create an application and all its dependencies, including the logon procedure, or you can create the application and logon procedure individually as described below. The “DualShield Authentication Platform – Quick Start Guide” document describes how to use the Application Wizard in detail.

Create a RADIUS logon procedure

1. Login to the DualShield management console

2. In the main menu, select “Authentication | Logon Procedure”

3. Click the “Create” button on the toolbar

4. Enter “Name” and select “RADIUS” as the Type


5. Click “Save”

6. Click the Context Menu icon of the newly created logon procedure, select “Logon Steps”

7. In the popup window, click the “Create” button on the toolbar

8. Select the desired authentication method, e.g. “Static Password + One-Time Password”

9. Click “Save”

Create a RADIUS application

1. In the main menu, select “Authentication | Applications”

2. Click the “Create” button on the toolbar

3. Enter “Name”

4. Select “Realm”

5. Select the logon procedure that was just created

6. Click “Save”

7. Click the context menu of the newly created application, select “Agent”


8. Select the DualShield Radius server, e.g. “Local Radius Server”

9. Click “Save”

10. Click the context menu of the newly created application, select “Self Test”

Register the F5 BIG-IP as a Radius client

1. In the main menu, select “RADIUS | Clients”

2. Click the “Register” button on the toolbar


3. Select the application that was created in the previous steps

4. Enter the F5 BIG-IP’s IP in the IP Address field, e.g. 192.168.111.200

5. Enter the Shared Secret which will be used in F5 BIG-IP.

6. Click “Save”

Register the DualShield RADIUS server

Log into the F5 BIG-IP Configuration Utility. Select “Access Policy | AAA Servers | RADIUS”

1. Click the + button to add a new RADIUS server

2. Populate the fields. In this example, the DualShield RADIUS server is installed at IP 192.168.124.171, port 1812.

Enter the Shared Secret that was set up for the DualShield Radius client.


Test Authentication

To test the RADIUS authentication, we will use F5 BIG-IP Portal Access as an example. We will configure a remote access connection to one or more internal web applications: create an access policy and a local traffic virtual server so that end users can access internal web applications through a single external virtual server. Use this if you need to provide secure extranet access to internal web applications without creating a full VPN connection.

Create Access Profile

Select “Device Wizards” in the Main tab:

then select “Portal Access Setup Wizard”:

Enter the Policy Name. Click “Next”

Select “Use Existing” in the Authentication Option.

Select the DualShield RADIUS server registered in the previous step.

Click “Next”


On this page you need to enter the details of your web application and its URI.

Click “Next”

Enter the IP of a virtual server

Click “Next”

This is the final review page. Make sure all details are correct and click “Next” to finish the wizard.


You can now view the Access Profile we just created in Access Profiles List:

Configure Access Policy

To edit the Access Policy, click “Edit”

Finally, it is worthwhile pointing out that the IP of the Radius Client registered in DualShield must be the BIG-IP’s Self IP, not the virtual server IP.


Now, we are ready to carry out the test.

Navigate to your BIG-IP’s virtual server address, e.g. https://bigip-sp.deepnetsecurity.local. The Logon Page is presented:

In the Password field, enter the user’s AD password immediately followed by the OTP passcode if the logon procedure defined in DualShield is “StaticPass + One-Time-Password”:

Challenge & Response

If you are planning to deploy the On-Demand Password authentication solution using the T-Pass authenticator, then the recommended implementation is to use Radius challenge and response. The user experience in the login process is shown below:

1) Users will first be asked to enter their user name and AD password.


2) The user name and password will be submitted to the DualShield server to be verified. When DualShield has successfully verified the user and their password, it will generate a one-time password and send it to the user by SMS or email.

3) The user will then be asked to enter the one-time password:

To implement Challenge & Response, all you have to do is change the Logon Procedure in DualShield and make it a two-step logon as below:
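Added example, not code from the guide or from Deepnet: a Python model of the RADIUS server side of both logon procedures described above, the one-step “Static Password + One-Time Password” typed into a single Password field and the two-step challenge and response used with T-Pass. It implements the RFC 2865 User-Password hiding with the shared secret, issues and consumes the State attribute of an Access-Challenge, and silently discards requests from any source IP that is not a registered client, which is the failure you get when the virtual server IP is registered instead of the Self IP. The client IP, shared secret, user, AD password and OTP are constructed values.

```python
import hashlib
import secrets

# Constructed sample data, not from the guide: the one registered client is keyed by
# the BIG-IP Self IP (the guide's caveat); each user has an AD password and current OTP.
CLIENTS = {"192.168.111.200": b"example-shared-secret"}
USERS = {"alice": {"ad_password": "Winter2013!", "otp": "482913"}}

def _xor_chain(secret, authenticator, data, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); for block
    0 the 'previous block' is the 16-byte Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out

def hide_password(secret, authenticator, password):
    raw = password.encode()
    return _xor_chain(secret, authenticator, raw + b"\x00" * (-len(raw) % 16), False)

def reveal_password(secret, authenticator, hidden):
    return _xor_chain(secret, authenticator, hidden, True).rstrip(b"\x00").decode(errors="replace")

def same(a, b):  # constant-time comparison for the secrets we check
    return secrets.compare_digest(a.encode(), b.encode())

def make_request(secret, user, password, state=None):
    """The BIG-IP (RADIUS client) side; attributes kept as a dict, not wire-encoded."""
    auth = secrets.token_bytes(16)
    req = {"User-Name": user, "Authenticator": auth,
           "User-Password": hide_password(secret, auth, password)}
    if state is not None:
        req["State"] = state  # a challenge State is echoed back unchanged
    return req

class DualShieldRadiusSim:
    """Server side of the guide's two logon procedures: one step ('Static Password +
    One-Time Password' concatenated in the Password field) or two steps (AD password,
    then Access-Challenge, then the OTP that was sent out of band)."""
    REJECT, ACCEPT = {"Code": "Access-Reject"}, {"Code": "Access-Accept"}

    def __init__(self, two_step):
        self.two_step = two_step
        self.pending = {}  # State -> user name awaiting the OTP step

    def handle(self, src_ip, req):
        secret = CLIENTS.get(src_ip)
        if secret is None:  # unknown client, e.g. the virtual server IP was registered
            return None     # instead of the Self IP: RFC 2865 says discard silently
        user = USERS.get(req["User-Name"])
        supplied = reveal_password(secret, req["Authenticator"], req["User-Password"])
        if user is None:
            return self.REJECT
        if not self.two_step:  # AD password immediately followed by the OTP
            n = len(user["otp"])
            ok = same(supplied[:-n], user["ad_password"]) and same(supplied[-n:], user["otp"])
            return self.ACCEPT if ok else self.REJECT
        state = req.get("State")
        if state is None:  # step 1: AD password only
            if not same(supplied, user["ad_password"]):
                return self.REJECT
            state = secrets.token_hex(16)
            self.pending[state] = req["User-Name"]  # the OTP would be sent by SMS/email here
            return {"Code": "Access-Challenge", "State": state,
                    "Reply-Message": "Enter the one-time password sent to you"}
        # step 2: State must be one we issued, for this user, and is consumed on use
        if self.pending.pop(state, None) != req["User-Name"] or not same(supplied, user["otp"]):
            return self.REJECT
        return self.ACCEPT
```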


SAML 2.0

The DualShield unified authentication platform includes a SAML 2.0 compliant Single Sign-On (SSO) server which can be easily integrated with F5 BIG-IP to provide two-factor authentication. Prior to configuring F5 BIG-IP, you must have the DualShield Authentication Server and DualShield SSO Server installed and operating (both are installed by default in the installation of the platform). For the installation, configuration and administration of the DualShield Authentication and SSO servers please refer to the following documents:

DualShield Authentication Platform – Installation Guide

DualShield Authentication Platform – Quick Start Guide

DualShield Authentication Platform – Administration Guide

The following outlines the key steps:

In DualShield

1. Create a logon procedure for SSO authentication

2. Create a SAML application for F5 BIG-IP

In F5 BIG-IP

1. Create a new SP

2. Download SP Metadata

In DualShield

3. Register F5 BIG-IP as a SSO Service Provider

4. Download IdP Metadata

In F5 BIG-IP

3. Register DualShield as an IdP Connector

4. Bind the IdP Connector to the SP

5. Configure Access Policy

DualShield - Create a SSO logon procedure

1. Login to the DualShield management console

2. In the main menu, select “Authentication | Logon Procedure”

3. Click the “Create” button on the toolbar

4. Enter “Name” and select “Web SSO” as the Type


5. Click “Save”

6. Click the Context Menu icon of the newly created logon procedure, select “Logon Steps”

7. In the popup window, click the “Create” button on the toolbar

8. Select the desired authentication methods, e.g. “Static Password”

9. Click “Save”

10. Repeat step 7 - 9 to add more logon steps if desired, e.g. “One-Time Password”

11. Click “Close”

DualShield - Create a SAML application

1. In the main menu, select “Authentication | Applications”

2. Click the “Create” button on the toolbar

3. Enter “Name”

4. Select “Realm”

5. Select the logon procedure that was just created

6. Click “Save”

7. Click the context menu of the newly created application, select “Agent”


8. Select “SSO Server”

9. Click “Save”

10. Click the context menu of the newly created application, select “Self Test”

F5 - Create a new SP

In the main tab, select “Access Policy | SAML | BIG-IP as SP”


Enter the Name: bigip_sp

In the Entity ID field, we just use the virtual server URL as its Entity ID

Select “Security Settings”:

Select “Want Signed Assertion”


F5 – Download Metadata

Once completed, we need to export the SP’s metadata, which will be used later in DualShield to create an SP.

DualShield - Register F5 BIG-IP as a SSO Service Provider

1. Select “SSO” in the main menu

2. Select “Service Providers”

3. Click “Create” on the toolbar

4. Enable “Sign on SAML assertion”


DualShield - Download IdP Metadata

1. Select “SSO | SSO Servers”

2. Click the context menu icon of the SSO server and select “Download IdP Metadata”

3. Select the F5 BIG-IP application created in the previous step

4. Save the metadata file onto your hard disk

F5 - Register DualShield as an IdP Connector

In the Main tab, select “Access Policy | SAML | BIG-IP as SP”; you will see a list of the SPs that have been created:


Select “External IdP Connectors”

Click the down arrow on the “Create” button to show the drop-down menu, then select “From Metadata”

Select the DualShield IdP metadata downloaded in the previous step

Enter the Name: dualshield

Click “OK” to save it

Now, we need to edit the SAML IdP Connector settings:


Select “Endpoint Settings”. In the Single Sign On Service URL you should see a URL similar to:

http://dualshield.deepnetsecurity.local:8074/appsso/login?DASApplicationName=F5%20BIG-%20IP%20SAML

F5 BIG-IP has a bug in that it does not accept URLs containing a question mark (?), so the query part has to be rewritten as a path segment under /kvps/. Replace the URL with:

http://dualshield.deepnetsecurity.local:8074/appsso/login/kvps/DASApplicationName=F5%20BIG-%20IP%20SAML
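Added example, not part of the guide or of either product: a Python helper that reads the two metadata files exchanged in the steps above, pulls out the Entity ID, Assertion Consumer Service URL, WantAssertionsSigned flag and Single Sign On Service URL, and rewrites a “?” query into the /kvps/ path form shown above. The sample metadata, the ACS path and the finding codes are constructed; the host names and the SSO URL are the ones used in this guide.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata shaped like the files exchanged in the guide. Real exports
# also carry the X.509 signing certificates, omitted here; the ACS path is made up.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://bigip-sp.deepnetsecurity.local">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bigip-sp.deepnetsecurity.local/saml/sp/profile/post/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://dualshield.deepnetsecurity.local:8074/appsso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://dualshield.deepnetsecurity.local:8074/appsso/login?DASApplicationName=F5%20BIG-%20IP%20SAML"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp(xml_text):
    """Fields the DualShield 'Service Providers' registration needs from the SP metadata.
    The metadata here is an admin's own download; parse untrusted XML with defusedxml."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {"entity_id": root.get("entityID"),
            "acs_url": sp.find("md:AssertionConsumerService", NS).get("Location"),
            "want_signed_assertions": sp.get("WantAssertionsSigned", "false").lower() == "true"}

def parse_idp(xml_text):
    """The Single Sign On Service URL that ends up in the BIG-IP IdP connector."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location")}

def kvps_form(url):
    """Rewrite '<path>?<query>' as '<path>/kvps/<query>', the form the guide uses because
    the BIG-IP IdP connector did not accept a '?' in the Single Sign On Service URL."""
    path, sep, query = url.partition("?")
    return path + "/kvps/" + query if sep else url

def check_binding(sp, idp):
    """Findings to resolve before binding the IdP connector to the SP (codes are made up)."""
    findings = []
    if not sp["want_signed_assertions"]:
        findings.append(("UNSIGNED_ASSERTIONS",
                         "SP does not require signed assertions; enable 'Want Signed Assertion'"))
    if "?" in idp["sso_url"]:
        findings.append(("QUERY_IN_SSO_URL", "use " + kvps_form(idp["sso_url"])))
    for label, url in (("ACS_URL", sp["acs_url"]), ("SSO_URL", idp["sso_url"])):
        if not url.startswith("https://"):
            findings.append(("PLAINTEXT_" + label, url + " is not served over TLS"))
    return findings
```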

F5 - Bind the IdP Connector to the SP

In the Main tab, select “Access Policy | SAML | BIG-IP as SP”; you will see a list of the SPs that have been created:

Select the SP and click the “Bind/Unbind IdP Connectors” button

Click “Add New Row” button:

In the “SAML IdP Connectors” drop down list, select “dualshield”

Click “Update” to finish it.

Now you should see that the SP “bigip_sp” is bound to the IdP “dualshield”:


F5 – Configure Access Policy

We need to add a “SAML Auth” to replace the “RADIUS Auth” policy.

Click the plus mark before “RADIUS Auth”.

Enable the option: “SAML Auth”, then click “Add Item”:

In the “AAA Server” field, select “bigip_sp” that we just created and configured, then click “Save” to save it.


Click the cross icon (x) on “RADIUS Auth” to delete it. Now the access policy becomes:

With SAML authentication, the Logon Page provided by Big-IP is redundant, so delete it as well.

Finally, the access policy looks like:

Now, go back to the Access Profiles List and notice that the status flag shows “Modified”.

Click “Apply Access Policy” to save it.


Test Authentication

To test the SAML authentication, navigate to the URL https://bigip-sp.deepnetsecurity.local

This time, the browser is redirected to the DualShield SSO logon page:

Once the DualShield authentication is successful, the user will be redirected back to the F5 application’s web page: