ActivIdentity 4TRESS AAA Web Tokens and F5 BIG-IP Access Policy Manager. Integration Handbook

Similar documents
4TRESS AAA. Out-of-Band Authentication (SMS) and Juniper Secure Access Integration Handbook. Document Version 2.3 Released May hidglobal.

ActivIdentity ActivID Card Management System and Juniper Secure Access. Integration Handbook

ActivIdentity 4TRESS AAA and Splunk. Integration Handbook

4TRESS FT2011 Out-of-Band Authentication and Juniper Secure Access

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

NetScaler Radius Authentication. Integration Guide

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

SafeNet Authentication Service

SafeNet Authentication Manager

Integration Guide. SafeNet Authentication Manager. Using RADIUS Protocol for Cisco ASA

SafeNet Authentication Manager

BIG-IP Access Policy Manager : Portal Access. Version 12.1

SafeNet Authentication Service

Integration Guide. SafeNet Authentication Service. Protecting Microsoft Internet Security and Acceleration (ISA) Server 2006 with SAS

Integration Guide. LoginTC

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

NETWRIX PASSWORD EXPIRATION NOTIFIER

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for High Security SSO

Intel Unite. Enterprise Test Environment Setup Guide

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access

Table of Contents. VMware AirWatch: Technology Partner Integration

SafeNet Authentication Manager

Table of Contents HOL-1757-MBL-6

Azure MFA Integration with NetScaler

Yubico with Centrify for Mac - Deployment Guide

SafeNet Authentication Service

Infoblox Authenticated DHCP

Centrify for Dropbox Deployment Guide

BIG-IP Access Policy Manager : Portal Access. Version 13.0

BIG-IP Access Policy Manager : Visual Policy Editor. Version 12.1

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

Entrust PartnerLink Login Instructions

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

Configuring and Delivering Salesforce as a managed application to XenMobile Users with NetScaler as the SAML IDP (Identity Provider)

Integration Guide. SafeNet Authentication Manager. Using RADIUS Protocol for Citrix NetScaler 10.5

AppScaler SSO Active Directory Guide

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with Check Point Security Gateway

ISA 2006 and OWA 2003 Implementation Guide

CA Adapter. CA Adapter Installation Guide for Windows 8.0

SafeNet Authentication Manager

Entrust Cloud Enterprise. Enrollment Guide

FAQ. General Information: Online Support:

Implementation Guide for protecting Juniper SSL VPN with BlackShield ID

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

How to Configure Connection Fallback using Multiple VPN Gateways

Pulse Secure Client for Chrome OS

VMware Identity Manager Administration

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Tableau Server

Authlogics Forefront TMG and UAG Agent Integration Guide

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for SonicWALL Secure Remote Access

CounterACT User Directory Plugin

Novell Access Manager

SafeNet Authentication Service

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

Cloud Access Manager Configuration Guide

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER

Integration Guide. SafeNet Authentication Service. Strong Authentication for Juniper Networks SSL VPN

VMware AirWatch Integration with RSA PKI Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Bomgar Vault Server Installation Guide

Oracle Hospitality Simphony Venue Management Installation Guide Release 3.10 E March 2018

Implementation Guide for protecting. CheckPoint Firewall-1 / VPN-1. with. BlackShield ID

How to Configure Authentication and Access Control (AAA)

McAfee Firewall Enterprise epolicy Orchestrator Extension

BIG-IP Access Policy Manager (APM) v11.2 Table of Contents

Deliver and manage customer VIP POCs. The lab will be directed and provide you with step-by-step walkthroughs of key features.

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

How to Import a Certificate When Using Microsoft Windows OS

Using ZENworks with Novell Service Desk

Barracuda Networks SSL VPN

Enhancing VMware Horizon View with F5 Solutions

SafeNet Authentication Client

Establishing two-factor authentication with Juniper SSL VPN and HOTPin authentication server from Celestix Networks

Adding Users and Enrolling Devices

SAML-Based SSO Configuration

ForeScout CounterACT. Configuration Guide. Version 6.3

Remote Support Security Provider Integration: RADIUS Server

Oracle Cloud Using the Google Calendar Adapter with Oracle Integration

RSA Ready Implementation Guide for. Checkpoint Mobile VPN for ios v1.458

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Vodafone Secure Device Manager Administration User Guide

Five9 Plus Adapter for Agent Desktop Toolkit

Enforced Client Policy & Reporting Server (EPRS) 2.3. Administration Guide

Abila Nonprofit Online. Connection Guide

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Okta

Protecting SugarCRM with SafeNet Authentication Manager

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

ACCESSING INVESCO WINDOWS CITRIX RECEIVER CONFIGURATION

IBM Security Access Manager Version January Federation Administration topics IBM

Intel Small Business Extended Access. Deployment Guide

SafeNet Authentication Manager

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Sophos Mobile Control Super administrator guide. Product version: 3.5

ForeScout CounterACT. Configuration Guide. Version 4.1

HYCU SCOM Management Pack for F5 BIG-IP

Pass Citrix 1Y0-306 Exam

SafeNet Authentication Service

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Transcription:

ActivIdentity 4TRESS AAA Web Tokens and F5 BIG-IP Access Policy Manager Integration Handbook Document Version 1.1 Released July 11, 2012

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 2 Table of Contents Table of Contents... 2 1.0 Introduction... 3 1.1 Scope of Document... 3 1.2 Prerequisites... 3 2.0 BIG-IP APM Configuration... 4 2.1 Procedure 1: Create New Radius Server Instance... 4 2.2 Procedure 2: Access Policy Manager Configuration... 6 2.3 Procedure 3: Customization... 12 2.3.1 Adding Images and the Web Token Applet with the Image Browser... 12 2.3.2 Personalizing Page Appearance... 16 3.0 ActivIdentity 4TRESS AAA Configuration... 19 3.1 Procedure 1: Configure F5 Gate... 19 3.2 Procedure 2: Assigning Group(s) to the F5 Gate... 21 4.0 Configure for Soft Token Activation... 22 4.1 Procedure 1: Enable Soft Token Activation... 22 4.2 Procedure 2: Configure Soft Token Activation Portal... 23 5.0 Sample Authentication Using Web Soft Token Authentication... 26 5.1 Prerequisite: User Enrolls Web Token and Computer... 26 5.2 Authenticating with Web Soft Token Launched in the Sign-In Page... 28

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 3 1.0 Introduction The F5 Networks BIG-IP Access Policy Manager (APM) is a software component of the BIG-IP hardware platform that provides users with secured connections to specific Web applications or the entire corporate network. By leveraging standard Web browsers and security technology, the APM enables your corporation or organization to provide users access to various internal resources easily and cost-effectively, with no special software or configuration on user systems. The ActivIdentity solutions that work with F5 incorporate SSL VPN solutions with versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions: ActivIdentity 4TRESS AAA Server for Remote Access Addresses the security risks associated with a mobile workforce remotely accessing systems and data. ActivIdentity 4TRESS Authentication Server (AS) Offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, Radius, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens. 1.1 Scope of Document This document explains how to set up ActivIdentity 4TRESS AAA Web token authentication with the F5 APM. Use this handbook to enable authentication via a Web soft token for use with an SSL-protected F5 VPN. 1.2 Prerequisites The ActivIdentity 4TRESS AAA Server is up-to-date (v6.7) with LDAP users and groups already configured. F5 BIG-IP APM version 11.1.x installed and configured. The Web soft token is configured to work with or without a PIN. Users have static LDAP passwords for access to the Self Help Desk to enroll Web tokens. The F5 login page has been customized (illustrated in this handbook). Note: Using F5 double authentication (an LDAP password plus a one-time password) is optional. You can configure the sign-in page so that users use a static LDAP passwords instead of the Web soft token PIN.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 4 2.0 BIG-IP APM Configuration This chapter describes how to manage F5 APM. When a user signs into an F5 APM appliance, The F5 appliance forwards the user s credentials to this authentication server to verify the user s identity. You will create an authentication server: An ActivIdentity 4TRESS AAA RADIUS Server to validate the user s one time password generated by a Web token. 2.1 Procedure 1: Create New Radius Server Instance When using an external RADIUS server to authenticate F5 users, you must configure the server to recognize the F5 as a client and specify a shared secret for the RADIUS server to use to authenticate the client request. To configure a connection to the RADIUS server on F5 APM appliance, perform the following steps. To define the RADIUS Server instance, perform the following steps. 1. On the main tab of the navigation pane, expand Access Policy, and then click AAA Servers. 2. Click the plus sign next to RADIUS. 3. Click Create.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 5 Specify the Name of your RADIUS server. Select the Mode Authentication Specify the Server Address (IP of your RADIUS server). Specify the Authentication Service Port (the port for your RADIUS server). Enter and confirm the shared-secret for your RADIUS server. Accept all other default settings. 4. Click Finished.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 6 2.2 Procedure 2: Access Policy Manager Configuration With the APM wizards, you can quickly configure any of the three access types with a simple working configuration. After you configure a connection with the wizard, you can go back and edit the configuration to further customize the access policy. 1. To access APM Wizards, in the navigation pane, expand Templates and Wizards, and then click Device Wizards. This wizard configures a working VPN connection. Typically, this allows users outside your network to connect to specified networks and use their applications and network sites as if they are physically on the network. 2. Select the Network Access Setup Wizard for Remote Access option, and then click Next.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 7 Specify the Policy Name for the access policy to be created. The Policy Name specifies the name of the access policy to be created, and is used as the naming prefix for other objects configured with the access policy. Later, when you look for items created with the wizard, they are named with this prefix. Accept the default language (English), or change it, if required. Select the Full Webtop Enabled option. Deselect the Client Side Checks Enable Antivirus Check in Access Policy option.(at a later time, you can refine this client-side check to verify a specific antivirus product.) 3. Click Next. 4. For Authentication Options, select Use Existing. 5. For Select AAA Server, specify the 4TRESS server that you previously created. 6. Click Next.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 8 Lease pools are a configuration requirement for network access connections. Each connection is assigned an IP address from the lease pool. You must configure a lease pool with as many IP addresses as required for the number of connected users you expect to host. From the drop-down list, specify the Supported IP Version IPv4. Specify your Member List (either IP Address or IP Address Range). Click Add one time to specify an IP range, and click Add any time you specify a different IP address. 7. Click Next.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 9 8. Specify the desired Traffic Options. (If you select the option to use split tunneling, then only network traffic that you specify will go through the network access connection. 9. Click Next.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 10 DNS hosts for network access are required for your users to have functioning name resolution and Windows networking on your internal network. 10. At a minimum, specify an IPV4 Primary Name Server. If you are using Microsoft networking features on your network, then specify a Primary WINS Server. 11. Click Next. 12. For Virtual Server IP Address, specify a host name. In most cases, you should not specify a network when creating this virtual server. Enable the Redirect Server to be created. This eliminates connection issues that users encounter when they do not type https before the virtual server host name.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 11 13. Click Next. When you review the configuration, if you need to, then use the Previous and Next buttons to edit the configuration before you click Finished.. 14. After reviewing and approving your settings, click Next. When you are finished, you can still edit any setting associated with the access profile from the Access Profile page (navigate to Access Policy > Access Profiles > name of access profile). Also, you can edit the virtual server on the Virtual Server page (navigate to Local Traffic > Virtual Servers > name of virtual server). 15. At the bottom of the page, click Finished. The system creates and applies network access objects.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 12 2.3 Procedure 3: Customization The APM provides a Web-based Configuration utility. The Configuration utility includes tools for managing the Access Policy Manager, configuring secure access, creating and assigning resources, certificate generation and installation, and customization of the remote client user interface. 2.3.1 Adding Images and the Web Token Applet with the Image Browser Reminder: You must have contacted your ActivIdentity representative to have appropriate images sent to you. First, you will add images and the Web token applet to the APM using the image browser. Then you can select and use these images using the Customization tool. 1. On the Main tab, navigate to Access Policy > Customization. The Customization tool appears, in the basic customization view.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 13 2. From the View drop-down list, click Advanced. The Customization tool switches to the Advanced (tree) view. 3. On the top pane of the Customization tool, click Image Browser. The image browser opens in a new window. 4. From the Filter Images drop-down list, select User Uploaded Images. 5. To add ActivIdentity images and the web token applet, click Add Image (located to the right of the page on the same line as the Filter Images drop-down list. 6. Select the image, and then double-click to open it. On the standard Windows pop-up dialog, click Open to load the image and save it.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 14 7. From the View drop-down list, click Advanced, and then expand Customization Settings. 8. Expand Access Profiles, and then navigate to access_profile_name > Access Policy > Logon Pages > Logon Page > Advanced Customization.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 15 9. For image00 (the webtoken.jar file), click the icon to the right. The Replace button appears. 10. Click Replace. The following dialog is displayed. 11. Select the Webtoken.jar file, and then click Change. 12. For Image01 (the Web token.gif file), repeat steps 9, 10, and 11. 13. For Image02 (the ailogo.png file), repeat steps 9, 10, and 11.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 16 When you have finished uploading the files, you will see them listed in the Value column, as illustrated above. 2.3.2 Personalizing Page Appearance 1. On the main tab, navigate to Access Policy > Customization. The Customization Tool appears. 2. From the View drop-down list, click Advanced, and then expand Customization Settings.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 17 3. From the Form Factor drop-down list at the top of the page, click Full/Mobile Browser. 4. Select the Branding tab. 5. Expand Customization Settings and navigate to Access Profiles > access_profile_name > Access Policy > Logon Pages > logon_page_name. 6. Customize the page with the sample obtained by your ActivIdentity technical representative.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 18 7. After you customize settings, click the Save icon at the top of the Customization Tool. The access policy login page will reflect your changes, as illustrated next. 8. When you are finished customizing your configuration, apply your access policy. Click Apply Access Policy near the top of the page.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 19 3.0 ActivIdentity 4TRESS AAA Configuration This chapter describes how to configure the ActivIdentity 4TRESS AAA Authentication Server. 3.1 Procedure 1: Configure F5 Gate A gate for the ActivIdentity 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to simplify administration. For configuration details, refer to ActivIdentity 4TRESS AAA Server technical documentation. 1. In the tree in the left pane of the Administration Console, expand the Servers line. 2. Right-click on the server to which you want to add a gate, and then click New Gate. 3. Enter a Gate name (can be any string). 4. Select the RADIUS option. 5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate. 6. Click Add, and then click OK.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 20 7. The ActivIdentity 4TRESS AAA Server uses the RADIUS shared secret to encrypt data between F5 and the AAA authentication server. Click Shared Secret, and then modify the appropriate shared secret for your system. 8. Click OK.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 21 3.2 Procedure 2: Assigning Group(s) to the F5 Gate Remember that you must have user groups created and the corresponding LDAP configured. For details, refer to the ActivIdentity 4TRESS AAA Administration Guide. 1. To assign groups to the F5 Gate, in the tree in the left pane, select the group that you want to assign to the gate. 2. Use the Group / Gate Assignments section of the page to specify gate(s) for the group s users to utilize in order to access a protected resource. 3. Click Add. 4. Select the Gate, the AZ profile. and the AC profile. 5. Click OK.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 22 4.0 Configure for Soft Token Activation 4.1 Procedure 1: Enable Soft Token Activation 1. Launch the ActivIdentity 4TRESS AAA Server Administration Console and log in. 2. In the pane to the left, select Groups -> All Users. 3. Select the option, Allow Soft Token activation (for the corresponding group). 4. Click Save (not illustrated), and then export the changes to the AAA Server(s).

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 23 4.2 Procedure 2: Configure Soft Token Activation Portal 1. Launch the Web Help Desk Portal. 2. Select the Login type option, static. 3. Enter your Login and Password, and then click Login.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 24 4. Select the Configuration tab. Initial PIN Set the PIN. In the User Search method policy section, select By Groups or queries. In the Device Management section, set the following options and parameters. To activate the device assignment and unassignment functions of the Web Help Desk, select the option, Enable device assignment functions. Select the option, Show initial PIN. To assign the same token to more than one user, select the option, Allow assign already assigned tokens. To assign soft tokens, enter the Engine Soft Token init String for each type of soft token required. Enter a string in the Engine Web Token init String field. Note: For more information about the init strings, refer to the ActivIdentity 4TRESS AAA Server Soft Token Solution Guide. For Max number of soft tokens per user, set the maximum number of soft tokens that each user can be assigned.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 25 For PIN options, apply the following: PIN = 1 (Enforced). Soft Token application PIN enforcement policy. PIN = 0 (No PIN) Note: Depending on the activation code, a soft token forces the PIN. It s important to select an authentication policy (LDAP password at a minimum). By default, none are selected. 5. In the Selfdesk portal self binding policy section, select the following options: To activate device self assignment functions, select Enable initial self binding. To activate additional device self assignment functions, select Enable self binding on additional device. For this setting to work, you must make sure that the LDAP attribute mapped to the device serial numbers is capable of storing multiple values.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 26 5.0 Sample Authentication Using Web Soft Token Authentication 5.1 Prerequisite: User Enrolls Web Token and Computer 1. The user launches the Self Help Desk to enroll a Web token and computer. 2. When prompted, the user selects the LDAP password option, and then enters a username. 3. The user clicks Activate an additional device.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 27 4. The user clicks Web Token. 5. The user enters and confirms a PIN and enters a Description (the use has to enter the PIN only if the system is configured to ask for it.) A confirmation is displayed. Now the user can use the Web token to access an F5 APM.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 28 5.2 Authenticating with Web Soft Token Launched in the Sign-In Page Important Notes: You must have customized the Sign-In Page to launch the Web token as an HTML page. To receive a sample page, please contact your ActivIdentity technical representative. A user must have activated a Web soft token on his/her computer. You can configure to use a Web token with a PIN or without a PIN. You can use an LDAP password to replace the PIN or to complement it (depending on F5 configuration). For details on how authenticating with a Web soft token works, please refer to 4TRESS AAA documentation.

ActivIdentity 4TRESS AAA Web Tokens and F5 APM Integration Handbook P 29 Legal Disclaimer Americas +1 510.574.0100 US Federal +1 571.522.1000 Europe +33 (0) 1.42.04.84.00 Asia Pacific +61 (0) 2.6208.4888 Email info@actividentity.com Web www.actividentity.com ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced herein are either registered trademarks or trademarks of HID Global Corporation in the United States and/or other countries. The absence of a mark, product, service name or logo from this list does not constitute a waiver of the trademark or other intellectual property rights concerning that name or logo. F5 and the F5 logo are registered trademarks of F5, Inc. in the United States and other countries.the names of other third-party companies, trademarks, trade names, service marks, images and/or products that happened to be mentioned herein are trademarks of their respective owners. Any rights not expressly granted herein are reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback