Implementation Guide F5 BIG-IP APM

F5 BIG-IP APM
Implementation Guide
(Version 5.7)

Copyright 2013
Deepnet Security Limited

Copyright 2013, Deepnet Security. All Rights Reserved. Page 1


Implementation Guide F5 BIG-IP APM

Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID,
SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp
are trademarks of Deepnet Security Limited. All other brand names and product names
are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor the
documentation may be copied, reproduced, translated or reduced to any electronic
medium or machine-readable form, in whole or in part, without the prior written consent
of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you
understand the exact terms of usage. In particular, for which projects, on which
platforms and at which sites, you are allowed to use the product. You are not allowed to
make any modifications to the product. If you feel the need for any modifications, please
contact Deepnet Security.

Disclaimer

This document is provided as is without warranty of any kind, either expressed or
implied, including, but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement.

This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the document. Deepnet Security may make improvements of and/or changes
to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security
products, you are always welcome to contact us.

Deepnet Security Limited
Comer Business Innovation Centre
North London Business Park
Oakleigh Road South
London N11 1GN, UK

Tel: +44(0)20 3668 1580
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com


Table of Contents

Overview ............................................................... 4
RADIUS ................................................................. 5
  Create a RADIUS logon procedure ...................................... 5
  Create a RADIUS application .......................................... 6
  Register the F5 BIG-IP as a RADIUS client ............................ 7
  Register the DualShield RADIUS server ................................ 8
  Test Authentication .................................................. 9
    Create Access Profile .............................................. 9
    Configure Access Policy ........................................... 11
    Challenge & Response .............................................. 12
SAML 2.0 .............................................................. 14
  DualShield - Create a SSO logon procedure ........................... 14
  DualShield - Create a SAML application .............................. 15
  F5 - Create a new SP ................................................ 16
  F5 - Download Metadata .............................................. 18
  DualShield - Register F5 BIG-IP as a SSO Service Provider ........... 18
  DualShield - Download IdP Metadata .................................. 19
  F5 - Register DualShield as an IdP Connector ........................ 19
  F5 - Bind the IdP Connector to the SP ............................... 21
  F5 - Configure Access Policy ........................................ 22
  Test Authentication ................................................. 24


Overview

F5 BIG-IP Access Policy Manager (APM) is a flexible, high-performance access and
security solution that provides unified global access to your business-critical applications
and networks.

This implementation guide describes how to integrate F5 BIG-IP APM with the DualShield
unified authentication platform in order to add two-factor authentication to its login
process.

F5 BIG-IP supports external authentication servers, including both RADIUS and SAML. The
DualShield unified authentication platform includes a fully compliant RADIUS server as
well as a SAML 2.0 compliant Single Sign-On (SSO) server. F5 BIG-IP can therefore be
configured to work with either the DualShield RADIUS server or the DualShield SSO server,
depending on the customer's requirements. If a customer requires only OTP and ODP
(One-Time Password and On-Demand Password) authentication, RADIUS can deliver those
authentication methods. If a customer also requires other authentication methods, such as
keystroke biometrics, device DNA, or ODP with a more user-friendly logon interface, then
the customer must implement the SAML solution.


RADIUS
Prior to configuring F5 BIG-IP for two-factor authentication, you must have the
DualShield Authentication Server and DualShield Radius Server installed and operating.
For the installation, configuration and administration of DualShield Authentication and
Radius servers please refer to the following documents:

DualShield Authentication Platform Installation Guide
DualShield Authentication Platform Quick Start Guide
DualShield Authentication Platform Administration Guide
DualShield Radius Server - Installation Guide

You also need to have a RADIUS application created in the DualShield authentication
server. The application will be used for the two-factor authentication in F5 BIG-IP. The
document below provides general instructions for RADIUS authentication with the
DualShield Radius Server:

VPN & RADIUS - Implementation Guide

The following outlines the key steps:

In DualShield

1. Create a logon procedure for RADIUS authentication
2. Create a RADIUS application for F5 BIG-IP
3. Register the F5 BIG-IP as a RADIUS client

In F5 BIG-IP

1. Register the DualShield RADIUS authentication server

You can use the Application Wizard in the DualShield Console to create an application
and all its dependencies, including the logon procedure, or you can create the application
and the logon procedure individually as described below. The DualShield Authentication
Platform Quick Start Guide describes how to use the Application Wizard in detail.

Create a RADIUS logon procedure

1. Log in to the DualShield management console
2. In the main menu, select Authentication | Logon Procedure
3. Click the Create button on the toolbar
4. Enter a Name and select RADIUS as the Type
5. Click Save
6. Click the Context Menu icon of the newly created logon procedure and select Logon Steps
7. In the popup window, click the Create button on the toolbar
8. Select the desired authentication method, e.g. Static Password + One-Time Password
9. Click Save

Create a RADIUS application

1. In the main menu, select Authentication | Applications
2. Click the Create button on the toolbar
3. Enter a Name
4. Select a Realm
5. Select the logon procedure that was just created
6. Click Save
7. Click the context menu of the newly created application and select Agent
8. Select the DualShield RADIUS server, e.g. Local Radius Server
9. Click Save
10. Click the context menu of the newly created application and select Self Test

Register the F5 BIG-IP as a RADIUS client

1. In the main menu, select RADIUS | Clients
2. Click the Register button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the F5 BIG-IP's IP address in the IP Address field, e.g. 192.168.111.200
5. Enter the Shared Secret, which will also be entered in F5 BIG-IP.
6. Click Save

Register the DualShield RADIUS server

Log in to the F5 BIG-IP Configuration Utility. Select Access Policy | AAA Servers |
RADIUS

1. Click the + button to add a new RADIUS server
2. Populate the fields. In this example, the DualShield RADIUS server is installed at
   IP 192.168.124.171, port 1812

Enter the Shared Secret that was set up in the DualShield RADIUS client.


Test Authentication
To test the RADIUS authentication, we will use F5 BIG-IP Portal Access as an example.
We will configure a remote access connection to one or more internal web applications.
Create an access policy and local traffic virtual server so that end users can access
internal web applications through a single external virtual server. Use this if you need to
provide secure extranet access to internal web applications without creating a full VPN
connection.

Create Access Profile

Select Device Wizards in the Main tab:

then select Portal Access Setup Wizard:

Enter the Policy Name. Click Next

Select Use Existing as the Authentication Option.

Select the DualShield RADIUS server registered in the previous step.

Click Next


On this page you need to enter the details of your web application and its URI.

Click Next

Enter the IP address of the virtual server

Click Next

This is the final review page. Make sure all details are correct and click Next to finish
the wizard.


You can now view the Access Profile we just created in the Access Profiles List:

Configure Access Policy

To edit the Access Policy, click Edit

Finally, it is worth pointing out that the IP address of the RADIUS client registered in
DualShield must be the BIG-IP's Self IP, not the virtual server IP, since the Self IP is
the source address of the RADIUS requests the BIG-IP sends to DualShield.


Now, we are ready to carry out the test.

Navigate to your BIG-IP's virtual server address, e.g.

https://bigip-sp.deepnetsecurity.local

The Logon Page is presented:

In the Password field, enter the user's AD password followed by the OTP passcode, if the
logon procedure defined in DualShield is Static Password + One-Time Password:

Challenge & Response

If you are planning to deploy the On-Demand Password authentication solution using the
T-Pass authenticator, then the recommended implementation is to use RADIUS challenge
and response. The user experience in the login process is shown below:

1) Users will first be asked to enter their user name and AD password.

2) The user name and password will be submitted to the DualShield server to be
   verified. When DualShield has successfully verified the user and their password, it
   will generate a one-time password and send it to the user by SMS or email.

3) The user will then be asked to enter the one-time password:

To implement Challenge & Response, all you have to do is change the Logon
Procedure in DualShield and make it a two-step logon as below:
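The two RADIUS flows above (the one-step Logon Page, where the Password field carries the AD password with the OTP appended, and the two-step Challenge & Response, where the server answers the first request with an Access-Challenge and the OTP is returned together with the server's State attribute) can be traced on the wire with a small offline model. The following is an added example written for this guide; it is not DualShield or F5 code. The shared secret, the user record, the toy server logic and the packet identifiers are constructed for the demonstration, and the toy server only mimics the accept/challenge/reject decisions a RADIUS server makes. It also does the check the BIG-IP side performs on every reply: verifying the Response Authenticator against the shared secret, which is why a wrong secret or a mismatched client IP (see the Self IP note above) surfaces as a rejected reply rather than a logon.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed values for this offline walk-through. In a real deployment the shared
# secret is the one registered for the BIG-IP client in DualShield and on the BIG-IP.
SHARED_SECRET = b"constructed-shared-secret"
USERS = {"alice": ("ad-pass", "246810")}  # constructed AD password and OTP
PENDING = {}  # toy server: outstanding challenges, State value -> user name


def pap_transform(data, secret, authenticator, hide):
    """RFC 2865 s5.2 User-Password hiding (hide=True) or its inverse (hide=False):
    each 16-byte block is XORed with MD5(secret + previous block)."""
    if hide:
        data = data.ljust(max(1, -(-len(data) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + chunk, (chunk if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, data = [], pkt[20:length]
    while data:
        t, alen = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:alen]))
        data = data[alen:]
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def access_request(ident, username, password, state=None):
    """Client side (the BIG-IP): Access-Request for the Logon Page or the challenge step."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_transform(password.encode(), SHARED_SECRET, auth, True))]
    if state is not None:
        attrs.append((STATE, state))
    return auth, build_packet(ACCESS_REQUEST, ident, auth, attrs)

def verify_response(pkt, request_auth):
    """Client side: reject any reply whose Response Authenticator does not verify."""
    code, ident, resp_auth, attrs = parse_packet(pkt)
    expected = response_authenticator(code, ident, request_auth, attrs, SHARED_SECRET)
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return code, dict(attrs)

def toy_server(pkt, two_step):
    """Stand-in for the DualShield RADIUS server (constructed, not the product's logic)."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = a[USER_NAME].decode()
    given = pap_transform(a[USER_PASSWORD], SHARED_SECRET, req_auth, False).decode()
    ad_pw, otp = USERS.get(user, (None, None))
    reply, reply_attrs = ACCESS_REJECT, []
    if not two_step:  # one-step logon: Password field = AD password + OTP concatenated
        reply = ACCESS_ACCEPT if ad_pw is not None and given == ad_pw + otp else ACCESS_REJECT
    elif STATE in a and PENDING.pop(a[STATE], None) == user:  # second step: OTP only
        reply = ACCESS_ACCEPT if given == otp else ACCESS_REJECT
    elif ad_pw is not None and given == ad_pw:  # first step passed: challenge for the OTP
        state = os.urandom(8)  # opaque State ties the OTP reply to this challenge
        PENDING[state] = user
        reply, reply_attrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter the one-time password"),
                                                (STATE, state)]
    auth = response_authenticator(reply, ident, req_auth, reply_attrs, SHARED_SECRET)
    return build_packet(reply, ident, auth, reply_attrs)

def one_step_login(username, ad_password, otp):
    """Logon Page flow from the guide: AD password followed by the OTP passcode."""
    auth, req = access_request(1, username, ad_password + otp)
    return verify_response(toy_server(req, two_step=False), auth)[0]

def two_step_login(username, ad_password, otp):
    """Challenge & Response flow: password first, then the OTP with the server's State."""
    auth, req = access_request(2, username, ad_password)
    code, attrs = verify_response(toy_server(req, two_step=True), auth)
    if code != ACCESS_CHALLENGE:
        return code
    auth, req = access_request(3, username, otp, state=attrs[STATE])
    return verify_response(toy_server(req, two_step=True), auth)[0]
```

Calling one_step_login("alice", "ad-pass", "246810") models the Logon Page test, and two_step_login with the same arguments models the challenge flow; both return the final RADIUS code. Note that User-Password hiding is an MD5 stream, not encryption, and the only thing authenticating the server's reply is the shared secret, so the secret should be long and random and the RADIUS path kept on a trusted network segment.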


SAML 2.0
DualShield unified authentication platform includes a SAML 2.0 compliant Single Sign-On
(SSO) server which can be easily integrated with F5 BIG-IP to provide two-factor
authentication. Prior to configuring F5 BIG-IP, you must have the DualShield
Authentication Server and DualShield SSO Server installed and operating (both are
installed by default in the installation of the platform). For the installation, configuration
and administration of DualShield Authentication and SSO servers please refer to the
following documents:

DualShield Authentication Platform Installation Guide
DualShield Authentication Platform Quick Start Guide
DualShield Authentication Platform Administration Guide

The following outlines the key steps:

In DualShield

1. Create a logon procedure for SSO authentication
2. Create a SAML application for F5 BIG-IP

In F5 BIG-IP

3. Create a new SP
4. Download the SP Metadata

In DualShield

5. Register F5 BIG-IP as a SSO Service Provider
6. Download the IdP Metadata

In F5 BIG-IP

7. Register DualShield as an IdP Connector
8. Bind the IdP Connector to the SP
9. Configure the Access Policy

DualShield - Create a SSO logon procedure

1. Log in to the DualShield management console
2. In the main menu, select Authentication | Logon Procedure
3. Click the Create button on the toolbar
4. Enter a Name and select Web SSO as the Type
5. Click Save
6. Click the Context Menu icon of the newly created logon procedure and select Logon Steps
7. In the popup window, click the Create button on the toolbar
8. Select the desired authentication method, e.g. Static Password
9. Click Save
10. Repeat steps 7 to 9 to add more logon steps if desired, e.g. One-Time Password
11. Click Close

DualShield - Create a SAML application

1. In the main menu, select Authentication | Applications
2. Click the Create button on the toolbar
3. Enter a Name
4. Select a Realm
5. Select the logon procedure that was just created
6. Click Save
7. Click the context menu of the newly created application and select Agent
8. Select SSO Server
9. Click Save
10. Click the context menu of the newly created application and select Self Test

F5 - Create a new SP

In the Main tab, select Access Policy | SAML | BIG-IP as SP

Enter the Name: bigip_sp

In the Entity ID field, we simply use the virtual server URL as the Entity ID

Select Security Settings:

Select Want Signed Assertion


F5 - Download Metadata

Once the SP has been created, export its metadata; it will be used later in DualShield to
create the corresponding Service Provider.

DualShield - Register F5 BIG-IP as a SSO Service Provider

1. Select SSO in the main menu
2. Select Service Providers
3. Click Create on the toolbar
4. Enable Sign on SAML assertion


DualShield - Download IdP Metadata

1. Select SSO | SSO Servers
2. Click the context menu icon of the SSO server and select Download IdP Metadata
3. Select the F5 BIG-IP application created in the previous step
4. Save the metadata file onto your hard disk

F5 - Register DualShield as an IdP Connector

In the Main tab, select Access Policy | SAML | BIG-IP as SP; you will see a list of the SPs
that have been created:


Select External IdP Connectors

Click the down arrow on the Create button to show the drop-down menu, then select
From Metadata

Select the DualShield IdP metadata downloaded in the previous step

Enter the Name: dualshield

Click OK to save it

Now, we need to edit the SAML IdP Connector settings:


Select Endpoint Settings. In the Single Sign On Service URL field you should see a URL
similar to:

http://dualshield.deepnetsecurity.local:8074/appsso/login?DASApplicationName=F5%20BIG-%20IP%20SAML

F5 BIG-IP has a bug that causes it to reject URLs containing a question mark (?), so we
have to replace the URL with:

http://dualshield.deepnetsecurity.local:8074/appsso/login/kvps/DASApplicationName=F5%20BIG-%20IP%20SAML
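The metadata exchanged in the steps above (the SP metadata exported from the BIG-IP, the IdP metadata downloaded from DualShield, and the Single Sign On Service URL that has to be rewritten into the /kvps/ form) can be sanity-checked before the IdP connector is bound to the SP. The following is an added example for this guide, not code from F5 or Deepnet. Both metadata documents are constructed: the SP entity ID and the Single Sign On Service URL are the values quoted in this guide, while the AssertionConsumerService path, the IdP entity ID and the absence of signing certificates are assumptions. It checks the two settings this guide tells you to switch on (Want Signed Assertion on the BIG-IP, which appears as WantAssertionsSigned="true" in the SP metadata, and a signing IdP on the DualShield side), confirms the assertion consumer endpoint is an HTTPS URL, and produces the rewritten Single Sign On Service URL.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata shaped like an export of the "bigip_sp" SP. The ACS path and
# the certificate-free layout are assumptions, not a real BIG-IP export.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://bigip-sp.deepnetsecurity.local">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bigip-sp.deepnetsecurity.local/saml/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata carrying the Single Sign On Service URL quoted in the guide;
# the entityID is an assumption.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://dualshield.deepnetsecurity.local:8074/appsso">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://dualshield.deepnetsecurity.local:8074/appsso/login?DASApplicationName=F5%20BIG-%20IP%20SAML"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Pull the fields that matter for the SP/IdP pairing out of SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        # Want Signed Assertion on the BIG-IP is published as this attribute.
        "want_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall(f"{{{MD}}}AssertionConsumerService")],
    }


def parse_idp_metadata(xml_text):
    """Entity ID and SingleSignOnService endpoints, keyed by binding."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location")
                for e in idp.findall(f"{{{MD}}}SingleSignOnService")},
    }


def kvps_form(url):
    """Rewrite '?key=value' into the '/kvps/key=value' path form the guide uses."""
    return url.replace("?", "/kvps/", 1)


def check_pairing(sp, idp):
    """Return the problems to fix before binding the IdP connector to the SP."""
    problems = []
    if not sp["want_signed"]:
        problems.append("SP does not require signed assertions (Want Signed Assertion is off)")
    if not any(binding == HTTP_POST for binding, _ in sp["acs"]):
        problems.append("SP has no HTTP-POST AssertionConsumerService")
    if any(not loc.startswith("https://") for _, loc in sp["acs"]):
        problems.append("AssertionConsumerService is not served over HTTPS")
    sso = idp["sso"].get(HTTP_REDIRECT) or idp["sso"].get(HTTP_POST)
    if sso is None:
        problems.append("IdP metadata has no usable SingleSignOnService")
    elif "?" in sso:
        problems.append("Single Sign On Service URL contains '?'; use " + kvps_form(sso))
    return problems
```

Running check_pairing on the two constructed documents reports only the '?' in the Single Sign On Service URL, together with the rewritten URL to paste into the IdP connector's Endpoint Settings; turning WantAssertionsSigned off in the SP metadata makes the first check fire, which is the condition under which an unsigned (and therefore forgeable) assertion would be accepted.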

F5 - Bind the IdP Connector to the SP

In the Main tab, select Access Policy | SAML | BIG-IP as SP; you will see a list of the SPs
that have been created:

Select the SP and click the Bind/Unbind IdP Connectors button

Click Add New Row button:

In the SAML IdP Connectors drop down list, select dualshield

Click Update to finish it.

Now you should see that the SP bigip_sp is bound to the IdP dualshield:


F5 - Configure Access Policy

We need to add a SAML Auth item to replace the RADIUS Auth item in the policy.

Click the plus mark before RADIUS Auth.

Enable the SAML Auth option, then click Add Item:

In the AAA Server field, select the bigip_sp SP that we just created and configured, then
click Save to save it.


Click the cross icon (x) on RADIUS Auth to delete it. Now the access policy becomes:

With SAML authentication, the Logon Page provided by BIG-IP is redundant, so delete it
as well.

Finally, the access policy looks like:

Now, go back to the Access Profiles List and notice that the status flag shows Modified.

Click Apply Access Policy to save it.


Test Authentication

To test the SAML authentication, navigate to the URL:

https://bigip-sp.deepnetsecurity.local

This time, you are redirected to the DualShield SSO logon page:

Once the DualShield authentication is successful, the user will be redirected back to the
F5 application's web page:
