Table of Contents ....................................................................................................................................................... 2
Note: Using F5 double authentication (an LDAP password plus a one-time password) is optional. You
1.0 Introduction
The F5® NetworksBIG-IP
®
Access Policy Manager (APM) is a software component of the BIG-IP hardware
platform that provides users with secured connections to specific Web applications or the entire corporate
network. By leveraging standard Web browsers and security technology, the APM enables your corporation or
organization to provide users access to various internal resources easily and cost-effectively, with no special
software or configuration on user systems.
The ActivIdentity solutions that work with F5 incorporate SSL VPN solutions with versatile, strong authentication
that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:
•ActivIdentity® 4TRESS AAA Server for Remote Access—Addresses the security risks associated
with a mobile workforce remotely accessing systems and data.
•ActivIdentity 4TRESS Authentication Server (AS)—Offers support for multiple authentication methods
that are useful for diverse audiences across a variety of service channels (SAML, Radius, etc.),
including user name and password, mobile and PC soft tokens, one-time passwords, and transparent
Web soft tokens.
1.1 Scope of Document
This document explains how to set up ActivIdentity 4TRESS AAA Web token authentication with the F5 APM. Use
this handbook to enable authentication via a Web soft token for use with an SSL-protected F5 VPN.
1.2 Prerequisites
•The ActivIdentity 4TRESS AAA Server is up-to-date (v6.7) with LDAP users and groups already
configured.
• F5 BIG-IP APM version 11.1.x installed and configured.
• The Web soft token is configured to work with or without a PIN.
• Users have static LDAP passwords for access to the Self Help Desk to enroll Web tokens.
• The F5 login page has been customized (illustrated in this handbook).
can configure the sign-in page so that users use a static LDAP passwords instead of the Web soft
token PIN.
Page 4
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
This chapter describes how to manage F5 APM. When a user signs into an F5 APM appliance, The F5 appliance
forwards the user’s credentials to this authentication server to verify the user’s identity. You will create an
authentication server:
An ActivIdentity 4TRESS AAA RADIUS Server to validate the user’s one time password generated by a Web
token.
2.1 Procedure 1: Create New Radius Server Instance
When using an external RADIUS server to authenticate F5 users, you must configure the server to recognize the
F5 as a client and specify a shared secret for the RADIUS server to use to authenticate the client request. To
configure a connection to the RADIUS server on F5 APM appliance, perform the following steps.
To define the RADIUS Server instance, perform the following steps.
1. On the main tab of the navigation pane, expand Access Policy, and then click AAA Servers.
2. Click the plus sign next to RADIUS.
3. Click Create.
Page 5
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
With the APM wizards, you can quickly configure any of the three access types with a simple working
configuration. After you configure a connection with the wizard, you can go back and edit the configuration to
further customize the access policy.
1. To access APM Wizards, in the navigation pane, expand Templates and Wizards, and then click Device
Wizards.
This wizard configures a working VPN connection. Typically, this allows users outside your network to
connect to specified networks and use their applications and network sites as if they are physically on the
network.
2. Select the Network Access Setup Wizard for Remote Access option, and then click Next.
Page 7
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
•Specify the Policy Name for the access policy to be created.
The Policy Name specifies the name of the access policy to be created, and is used as the naming
prefix for other objects configured with the access policy. Later, when you look for items created with
the wizard, they are named with this prefix.
• Accept the default language (English), or change it, if required.
• Select the Full Webtop ‘Enabled’ option.
• Deselect the Client Side Checks ‘Enable Antivirus Check in Access Policy option.(At a later
time, you can refine this client-side check to verify a specific antivirus product.)
3. Click Next.
4. For Authentication Options, select Use Existing.
5. For Select AAA Server, specify the 4TRESS server that you previously created.
6. Click Next.
Page 8
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
Lease pools are a configuration requirement for network access connections. Each connection is assigned an
IP address from the lease pool. You must configure a lease pool with as many IP addresses as required for
the number of connected users you expect to host.
• From the drop-down list, specify the Supported IP Version IPv4.
• Specify your Member List (either IP Address or IP Address Range).
• Click Add one time to specify an IP range, and click Add any time you specify a different IP
address.
7. Click Next.
Page 9
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
DNS hosts for network access are required for your users to have functioning name resolution and Windows®
networking on your internal network.
10. At a minimum, specify an IPV4 Primary Name Server. If you are using Microsoft® networking features on
your network, then specify a Primary WINS Server.
11. Click Next.
12. For Virtual Server IP Address, specify a host name.
In most cases, you should not specify a network when creating this virtual server. Enable the Redirect Server
to be created. This eliminates connection issues that users encounter when they do not type https before the
virtual server host name.
Page 11
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
When you review the configuration, if you need to, then use the Previous and Next buttons to edit the
configuration before you click Finished. .
14. After reviewing and approving your settings, click Next.
When you are finished, you can still edit any setting associated with the access profile from the Access Profile
page (navigate to Access Policy > Access Profiles > name of access profile). Also, you can edit the
virtual server on the Virtual Server page (navigate to Local Traffic > Virtual Servers > name of virtual server).
15. At the bottom of the page, click Finished.
The system creates and applies network access objects.
Page 12
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
The APM provides a Web-based Configuration utility. The Configuration utility includes tools for managing the
Access Policy Manager, configuring secure access, creating and assigning resources, certificate generation and
installation, and customization of the remote client user interface.
2.3.1 Adding Images and the Web Token Applet with the Image Browser
Reminder: You must have contacted your ActivIdentity representative to have appropriate images sent to you.
First, you will add images and the Web token applet to the APM using the image browser. Then you can select
and use these images using the Customization tool.
1. On the Main tab, navigate to Access Policy > Customization. The Customization tool appears, in the basic
customization view.
Page 13
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
This chapter describes how to configure the ActivIdentity 4TRESS AAA Authentication Server.
3.1 Procedure 1: Configure F5 Gate
A gate for the ActivIdentity 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to
simplify administration. For configuration details, refer to ActivIdentity 4TRESS AAA Server technical
documentation.
1. In the tree in the left pane of the Administration Console, expand the Servers line.
2. Right-click on the server to which you want to add a gate, and then click New Gate.
3. Enter a Gate name (can be any string).
4. Select the RADIUS option.
5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate.
6. Click Add, and then click OK.
Page 20
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
3.2 Procedure 2: Assigning Group(s) to the F5 Gate
Remember that you must have user groups created and the corresponding LDAP configured. For details, refer to
the ActivIdentity 4TRESS AAA Administration Guide.
1. To assign groups to the F5 Gate, in the tree in the left pane, select the group that you want to assign to the
gate.
2. Use the Group / Gate Assignments section of the page to specify gate(s) for the group’s users to utilize in
order to access a protected resource.
3. Click Add.
4. Select the Gate, the AZ profile. and the AC profile.
5. Click OK.
Page 22
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
• To activate additional device self assignment functions, select Enable self binding on
additional device. For this setting to work, you must make sure that the LDAP attribute mapped
to the device serial numbers is capable of storing multiple values.
Page 26
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
5. The user enters and confirms a PIN and enters a Description (the use has to enter the PIN only if the system
is configured to ask for it.) A confirmation is displayed.
Now the user can use the Web token to access an F5 APM.
Page 28
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
5.2 Authenticating with Web Soft Token Launched in the Sign-In Page
Important Notes:
•You must have customized the Sign-In Page to launch the Web token as an HTML page. To receive
a sample page, please contact your ActivIdentity technical representative.
• A user must have activated a Web soft token on his/her computer.
• You can configure to use a Web token with a PIN or without a PIN.
• You can use an LDAP password to replace the PIN or to complement it (depending on F5
configuration).
For details on how authenticating with a Web soft token works, please refer to 4TRESS AAA documentation.
Page 29
ActivIdentity 4TRESS AAA Web Tokens and F5 APM | Integration Handbook
Americas +1 510.574.0100
US Federal +1 571.522.1000
Europe +33 (0) 1.42.04.84.00
Asia Pacific +61 (0) 2.6208.4888
Email info@actividentity.com
Web www.actividentity.com
ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced
herein are either registered trademarks or trademarks of HID Global Corporation in the United
States and/or other countries. The absence of a mark, product, service name or logo from this
list does not constitute a waiver of the trademark or other intellectual property rights concerning
that name or logo. F5 and the F5 logo are registered trademarks of F5, Inc. in the United States
and other countries.The names of other third-party companies, trademarks, trade names,
service marks, images and/or products that happened to be mentioned herein are trademarks
of their respective owners. Any rights not expressly granted herein are reserved.
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.