This task list includes all steps required to set up this configuration, and provides an example access policy that uses RSA SecurID authentication for F5 BIG-IP® Edge Client®. It is only an example. If you are adding RSA SecurID authentication to an existing access policy, you do not need to create another access profile.
Task list
Configuring a SecurID AAA server in APM
Creating a virtual server
Configuring RSA SecurID authentication in an access policy
Creating an access profile
Configuring a SecurID AAA server in APM
Before you configure a SecurID AAA server, you must create a configuration file on the RSA SecurID console side to connect a BIG-IP® system to an RSA server.
Configure a SecurID AAA server for Access Policy Manager® (APM®) to request RSA SecurID authentication from an RSA Manager authentication server.
1. On the Main tab, click Access Policy > AAA Servers. The AAA Servers list screen opens.
2. On the menu bar, click AAA Servers By Type, and select SecurID. The SecurID screen opens and displays the servers list.
3. Click Create.
The New Server properties screen opens.
4. In the Name field, type a unique name for the authentication server.
5. For the SecurID Configuration File setting, browse to upload the configuration file from the RSA SecurID console.
Consult your RSA Authentication Manager administrator to generate this file for you.
6. Click Finished.
The new server displays on the list.
This adds a new RSA SecurID server to the AAA Servers list.
Creating a virtual server
When creating a virtual server for an access policy, specify an IP address for a single host as the destination address.
1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
2. Click the Create button.
The New Virtual Server screen opens.
3. In the Name field, type a unique name for the virtual server.
4. In the Destination Address field, type the IP address for a host virtual server.
This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
5. In the Service Port field, type a port number or select a service name from the Service Port list.
6. From the HTTP Profile list, select http.
7. If you use server SSL for this connection, from the SSL Profile (Server) list, select a server SSL profile.
8. If you use client SSL for this profile, from the SSL Profile (Client) list, select a client SSL profile.
9. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
BIG-IP® Access Policy Manager®: Authentication and Single Sign-On
10. From the Connectivity Profile list, select a connectivity profile.
You can select the default connectivity profile, connectivity, if you have not defined a specific profile for the traffic that is directed to this virtual server.
11. Click Finished.
You have configured a host virtual server and associated an access profile with it.
Configuring RSA SecurID authentication in an access policy
Before you add RSA SecurID authentication to an access policy, you must have at least one AAA SecurID server configured in Access Policy Manager® (APM®). You must also create a configuration file on the RSA SecurID console side to connect a BIG-IP® system to an RSA server. You might need an AAA server configured for another type of authentication, depending on the number of authentication actions that you plan to add to this access policy.
You add RSA SecurID authentication to an access policy so that APM can request RSA SecurID authentication using the AAA SecurID server that you specify.
1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
3. Click the (+) icon anywhere in the access policy to add a new action item.
Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
4. On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
5. Click Save.
The properties screen closes and the visual policy editor displays.
6. Click the (+) icon anywhere in the access policy to add a new action item.
Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
7. On the Authentication tab, select RSA SecurID and click Add Item. A properties popup screen opens.
8. From the AAA Server list in the properties popup screen, select the SecurID AAA server that you want to associate to the agent.
9. Set Max Logon Attempts to a value from 1 to 5.
10. Click Save.
The properties screen closes and the visual policy editor displays.
11. Add a Variable Assign action before the Logon Page action.
After you add the Variable Assign action, a Properties popup screen opens.
a) Click Add new entry.
An empty entry appears in the Assignment table.
b) Click the change link in the new entry.
A popup screen opens.
c) From the left-side list, select Custom Variable (the default), and type session.logon.page.softToken.fieldId.
This contains the field name on the logon page, which accepts a PIN from the client user.
d) From the right-side list, select Custom Expression (the default), and type Text: password.
Password is the name of the field that is used for RSA Software Token authentication.
e) Click Finished.
The popup screen closes.
f) Click Save.
The properties screen closes and the visual policy editor is displayed.
13. Click the (+) icon anywhere in the access policy to add a new action item.
Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
14. On the Assignment tab, select Resource Assign and click Add Item. A properties popup screen opens.
15. From the Network Access list in the properties popup screen, select the network connection for your remote connection.
16. Click Save.
The properties screen closes and the visual policy editor displays.
17. Add any other actions you require.
18. Click Apply Access Policy to save your configuration.
This adds RSA SecurID AAA authentication to the access policy.
Creating an access profile
You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
2. Click Create.
The New Profile screen opens.
3. Type a name for the access profile.
4. From the Profile Type list, select one:
• SSL-VPN - Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
• ALL - Select to support LTM-APM and SSL-VPN access types.
Additional settings display.
5. In the Language Settings area, add and remove accepted languages, and set the default language.
A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
6. Click Finished.
This creates an access profile with a default access policy.