Implementation Guide F5 BIG-IP APM

F5 BIG-IP APM Implementation Guide (Version 5.7)
Copyright 2013 Deepnet Security Limited
Copyright © 2013, Deepnet Security. All Rights Reserved. Page 1

Trademarks
Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights
Under international copyright law, neither the Deepnet Security software nor its documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer
This document is provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact
If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.
Deepnet Security Limited
Comer Business Innovation Centre
North London Business Park
Oakleigh Road South
London N11 1GN, UK
Tel: +44(0)20 3668 1580
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: [email protected]

Table of Contents
Overview ........................................................ 4
RADIUS .......................................................... 5
  Create a RADIUS logon procedure ............................... 5
  Create a RADIUS application ................................... 6
  Register the F5 BIG-IP as a RADIUS client ..................... 7
  Register the DualShield RADIUS server ......................... 8
  Test Authentication ........................................... 9
    Create Access Profile ....................................... 9
    Configure Access Policy .................................... 11
    Challenge & Response ....................................... 12
SAML 2.0 ....................................................... 14
  DualShield - Create a SSO logon procedure .................... 14
  DualShield - Create a SAML application ....................... 15
  F5 - Create a new SP ......................................... 16
  F5 - Download Metadata ....................................... 18
  DualShield - Register F5 BIG-IP as a SSO Service Provider .... 18
  DualShield - Download IdP Metadata ........................... 19
  F5 - Register DualShield as an IdP Connector ................. 19
  F5 - Bind the IdP Connector to the SP ........................ 21
  F5 - Configure Access Policy ................................. 22
  Test Authentication .......................................... 24

Overview
F5 BIG-IP Access Policy Manager (APM) is a flexible, high-performance access and security solution that provides unified global access to your business-critical applications and networks.

This implementation guide describes how to integrate F5 BIG-IP APM with the DualShield unified authentication platform in order to add two-factor authentication to its login process.

F5 BIG-IP supports external authentication servers, including both RADIUS and SAML. The DualShield unified authentication platform includes a fully compliant RADIUS server as well as a SAML 2.0 compliant Single Sign-On (SSO) server. F5 BIG-IP can therefore be configured to work with either the DualShield RADIUS server or the DualShield SSO server, depending on the customer's requirements.

If a customer requires only OTP and ODP (One-Time Password and On-Demand Password) authentication, RADIUS can deliver those authentication methods. If a customer also requires other authentication methods, such as keystroke biometrics or device DNA, or wants ODP with a more user-friendly logon interface, the customer must implement the SAML solution.
RADIUS
Prior to configuring F5 BIG-IP for two-factor authentication, you must have the DualShield Authentication Server and DualShield RADIUS Server installed and operating. For the installation, configuration and administration of the DualShield Authentication and RADIUS servers, please refer to the following documents:
- DualShield Authentication Platform - Installation Guide
- DualShield Authentication Platform - Quick Start Guide
- DualShield Authentication Platform - Administration Guide
- DualShield Radius Server - Installation Guide

You also need a RADIUS application created in the DualShield authentication server; this application will be used for two-factor authentication in F5 BIG-IP. The following document provides general instructions for RADIUS authentication with the DualShield RADIUS Server:
- VPN & RADIUS - Implementation Guide

The key steps are as follows:

In DualShield
1. Create a logon procedure for RADIUS authentication
2. Create a RADIUS application for F5 BIG-IP
3. Register the F5 BIG-IP as a RADIUS client

In F5 BIG-IP
1. Register the DualShield RADIUS authentication server

You can use the Application Wizard in the DualShield Console to create an application and all its dependencies, including the logon procedure, or you can create the application and logon procedure individually as described below. The “DualShield Authentication Platform - Quick Start Guide” describes how to use the Application Wizard in detail.

Create a RADIUS logon procedure
1. Log in to the DualShield management console
2. In the main menu, select “Authentication | Logon Procedure”
3. Click the “Create” button on the toolbar
4. Enter a “Name” and select “RADIUS” as the Type
5. Click “Save”
6. Click the context menu icon of the newly created logon procedure and select “Logon Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select the desired authentication method, e.g. “Static Password + One-Time Password”
9. Click “Save”

Create a RADIUS application
1. In the main menu, select “Authentication | Applications”
2. Click the “Create” button on the toolbar
3. Enter a “Name”
4. Select the “Realm”
5. Select the logon procedure that was just created
6. Click “Save”
7. Click the context menu of the newly created application and select “Agent”
8. Select the DualShield RADIUS server, e.g. “Local Radius Server”
9. Click “Save”
10. Click the context menu of the newly created application and select “Self Test”

Register the F5 BIG-IP as a RADIUS client
1. In the main menu, select “RADIUS | Clients”
2. Click the “Register” button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the F5 BIG-IP's IP address in the IP address field, e.g. 192.168.111.200. This must be the source address from which the BIG-IP actually sends its RADIUS requests (typically a self IP on the VLAN facing the DualShield server, not the management address): like any RADIUS server, DualShield matches the request's source address to a registered client and silently discards requests from unregistered addresses.
5. Enter the Shared Secret that will be used in F5 BIG-IP. Use a long, random value: RADIUS hides the User-Password with an MD5 keystream derived from this secret and uses the same secret to authenticate replies, so a weak or guessable secret lets anyone on the network path recover passwords or forge an Access-Accept.
6. Click “Save”

Register the DualShield RADIUS server
Log in to the F5 BIG-IP Configuration Utility and select “Access Policy | AAA Servers | RADIUS”.
1. Click the + button to add a new RADIUS server
2. Populate the fields. In this example, the DualShield RADIUS server is installed at IP 192.168.124.171, port 1812 (the standard RADIUS authentication port). Enter the Shared Secret that was set up in the DualShield RADIUS client registration. It must match exactly; otherwise every reply fails authenticator validation on the BIG-IP and all logons are rejected.

Test Authentication
To test the RADIUS authentication, we will use F5 BIG-IP Portal Access as an example. We will configure a remote access connection to one or more internal web applications: an access policy and a local traffic virtual server are created so that end users can access the internal web applications through a single external virtual server.
Use this if you need to provide secure extranet access to internal web applications without creating a full VPN connection.

Create Access Profile
Select “Device Wizards” in the Main tab, then select “Portal Access Setup Wizard”.
Enter the Policy Name and click “Next”.
Under Authentication Option select “Use Existing”, then select the DualShield RADIUS server registered in the previous step. Click “Next”.
On this page, enter the details of your web application and its URI. Click “Next”.
Enter the IP address of the virtual server and click “Next”.
This is the final review page. Make sure all details are correct and click “Next” to finish the wizard.
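Before relying on the wizard-built policy, it is worth confirming that the RADIUS client registration and shared secret from the previous steps actually work, independently of APM. The script below is an added example and is not part of this guide, of DualShield or of F5 BIG-IP: it implements a minimal RFC 2865 PAP client (User-Password hiding, Response Authenticator verification, and an Access-Challenge/State round of the kind a challenge-and-response logon procedure produces), and build_response lets you script the server side of the same exchange to rehearse the flow offline. The server address 192.168.124.171:1812 and the client address 192.168.111.200 are the guide's own example values; the shared secret "change-me", the user "alice" and the password are placeholders to be replaced with your site's values.

```python
# Minimal RADIUS (RFC 2865) PAP test client with Access-Challenge support. Added
# example, not code from the Deepnet guide, DualShield or F5 BIG-IP.
import hashlib
import hmac
import secrets
import socket
import struct

# RFC 2865 packet codes and the attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def pap_crypt(data, secret, authenticator, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret ||
    previous ciphertext block), seeded by the Request Authenticator. Keyed
    obfuscation, not encryption: the BIG-IP to RADIUS path must be trusted."""
    if not decrypt:
        if not 0 < len(data) <= 128:
            raise ValueError("password must be 1..128 bytes")
        data += b"\x00" * (-len(data) % 16)  # pad to a multiple of 16 bytes
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (block if decrypt else xored)  # chain on ciphertext
    return out.rstrip(b"\x00") if decrypt else out  # strip padding on decrypt

def attr(kind, value):
    """Encode one type-length-value attribute (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(data):
    """Decode TLV attributes into [(type, value), ...], rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, state=b""):
    """Client side: (packet, request_authenticator); State is echoed on a challenge."""
    authenticator = secrets.token_bytes(16)  # fresh random value per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_crypt(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + (attr(STATE, state) if state else b""))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_response(packet, ident, request_authenticator, secret):
    """Verify a reply against its request; return (code, attrs). A mismatch means
    the two shared secrets differ or the reply was forged."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or not 20 <= length <= len(packet):
        raise ValueError("identifier or length mismatch")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: check the shared secret")
    return code, parse_attrs(packet[20:])

def radius_auth(exchange, secret, username, password, nas_ip, otp_prompt=input, rounds=3):
    """PAP logon; on Access-Challenge re-send with State and the OTP from
    otp_prompt. exchange(packet) must return the raw reply bytes."""
    ident, state, answer = secrets.randbelow(256), b"", password
    for _ in range(rounds):
        packet, authenticator = build_access_request(ident, secret, username, answer, nas_ip, state)
        code, attrs = parse_response(exchange(packet), ident, authenticator, secret)
        message = b"".join(v for t, v in attrs if t == REPLY_MESSAGE).decode(errors="replace")
        if code != ACCESS_CHALLENGE:
            return CODE_NAMES.get(code, "code %d" % code), message
        state = next((v for t, v in attrs if t == STATE), b"")
        answer = otp_prompt(message or "One-Time Password: ")
        ident = (ident + 1) % 256  # new identifier and authenticator each round
    return "Access-Challenge", "no final answer after %d rounds" % rounds

def udp_exchange(server, timeout=5.0):
    """exchange() for a real server: one UDP datagram out, one reply back."""
    def exchange(packet):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, server)
            return sock.recvfrom(4096)[0]
    return exchange

if __name__ == "__main__":
    # Addresses are the guide's example values; secret and account are placeholders.
    print(radius_auth(udp_exchange(("192.168.124.171", 1812)), b"change-me",
                      "alice", "static-password", "192.168.111.200"))
```

Run it from the host whose address is registered as the RADIUS client, or temporarily register the test host; a request from any other address is silently dropped and the script times out. A "Response Authenticator mismatch" error means the secret entered on the BIG-IP and the one in the DualShield client registration differ. A clean Access-Reject with known-good credentials points instead at the logon procedure or the user's token, which is the case to investigate with the application's "Self Test".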