Manual Chapter : Configuring Access Policy Manager for F5 Access

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3
Manual Chapter

Configuring Access Policy Manager for F5 Access

Prerequisites for configuring F5 Access

Before configuring F5 Access
for Android and Chrome OS
devices, you must complete the following requirements:
  • Set up BIG-IP® Access Policy Manager®.
  • Run the Network Access Setup Wizard.
Additional information about network access and connectivity profiles can be found in the
BIG-IP® Access Policy Manager®: Network Access Configuration
guide.

Access Policy Manager configuration for F5 Access

To configure F5 Access for
Android and Chrome OS
device support on BIG-IP Access Policy Manager, use the following configuration steps:
  • Run the Network Access Setup Wizard.
  • Optionally, set up
    SSO
    and
    ACLs
    for your network access. Refer to the
    BIG-IP Access Policy Manager Configuration Guide
    on the AskF5 Knowledge Base for instructions.
  • Customize an access policy to support F5 Access.

About access policy branches for F5 Access

You can configure separate access policy branches for F5 Access.
F5 Access does not support client-side checks; however, you can configure an access policy that provides network access for Chrome OS and Android clients by using any of these methods:
  • Create an access policy using
    Client-Side Capability
    . This provides a branch for clients that do not support client-side checks. Assign authentication and a network access resource to this branch.
  • Use an existing access policy with client-side checks. The Android and Chrome OS client will fail to the fallback branch of the first client-side check. Assign authentication and a network access resource to this branch.
  • Add a
    Client OS
    Access Policy item, and assign authentication and resources to the
    Android
    or
    Chrome OS
    branch.
F5 Access for Android or Chrome OS is detected with the following access policy items:
Access policy item
Value
Client Type
Edge Client
Client OS
Android (for Android devices)
Client OS
Chrome OS (for Chrome OS devices)

Example of basic access policy that supports F5 Access

You can configure an access policy branch to direct
Android and Chrome OS
device users to F5 Access, and direct non-F5 Access device users to a fallback branch.
These examples display a simple access policy.
F5 Access for Chrome OS access policy
F5 Access for Android access policy

Customizing an access policy to support F5 Access on Access Policy Manager

Create an access policy that supports F5 Access for
Android / Chrome OS
.
  1. On the Main tab, click
    Access Policy
    Access Profiles
    .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the
    Edit
    link for the profile you want to configure to launch the visual policy editor.
    The visual policy editor opens the access profile in a separate screen or tab.
  3. Click the plus
    (+)
    sign that appears after the
    Logon Page
    action.
  4. On the
    Endpoint Security (Server-Side)
    tab, select
    Client Type
    , and click
    Add Item
    .
  5. Click
    Save
    .
  6. Click the plus
    (+)
    sign that appears on the Edge Client branch of the
    Client Type
    action.
  7. On the
    Endpoint Security (Server-Side)
    tab, select
    Client OS
    , and click
    Add Item
    .
  8. On the
    Android / Chrome OS
    branch, assign a network access resource.
  9. On the
    Android / Chrome OS
    branch, click the ending, and on the
    Select Ending
    screen, select
    Allow
    .
  10. Click
    Save
    .
  11. Click
    Apply Access Policy
    .
    This access policy now supports F5 Access for
    Android and Chrome OS
    .

About RSA SecurID two-factor authentication with F5 Access for Android and Chrome OS

RSA SecurID two-factor authentication is configured in an access policy. For more information, see
Big-IP Access Policy Manager: Authentication Methods
for your Access Policy Manager version.
Android devices with F5 Access can generate software tokens using an imported token. You can import tokens from a URL or by scanning a QR code.
For Chrome OS, only URL token import is supported.
  • To import from a URL, the user must enter the URL in Compact Token Format (CTF) with one of 2 supported prefixes:
    http://127.0.0.1/securid/
    or
    f5access://securid/
    .
  • To import from a QR code, the user scans the QR code when the camera opens.
F5 Access asks for permission to take pictures and record video on your device. This permission is required to scan QR codes and import RSA token from the device. If you select Deny for this permission, you will not be able to use the Scan QR Code feature.
The URL and QR code images can be generated with the RSA TokenConverter tool. See your RSA documentation for detailed information on installing and using TokenConverter.
The following examples include URL and QR code generation commands.
URL import with default prefix http://127.0.0.1/securid/
>
java -jar TokenConverter.jar test.sdtid -android -p 123456 -o out.txt
URL import with custom prefix f5access://securid/
>
java -jar TokenConverter.jar test.sdtid -prefix f5access://securid/ctf?ctfData= -android -p 123456 -o out.txt
QR code import with default prefix http://127.0.0.1/securid/
>
java -jar TokenConverter.jar test.sdtid -qr -android -p 123456 -o qr.jpeg
QR code import with custom prefix f5access://securid/
>
java -jar TokenConverter.jar test.sdtid -qr -prefix f5access://securid/ctf?ctfData= -android -p 123456 -o qr.jpeg

Using CT-KIP to dynamically generate software tokens with F5 Access for
Android and Chrome OS

F5 Access can import tokens using the Cryptographic Token Key Initialization Protocol (CT-KIP). This eliminates the need to deliver a token in CTF format. F5 Access and the RSA authentication server (for example, RSA Authentication Manager) use a four-pass CT-KIP protocol to exchange information that dynamically establishes a shared seed on the mobile app and the server. In this way, the CT-KIP protocol protects against potential token seed interception.
CT-KIP exchanges require netrwork connectivity between the RSA Authentication Manager and the mobile device.
The following URL formats are supported:
RSA default CT-KIP URL
http://127.0.0.1/securid/ctkip?scheme=
<http or https>
&url=
<service_address>
&activationCode=
<activation_code*>
With custom f5access:// prefix
f5access://securid/ctkip?scheme
=<http or https>
&url=
<service_address>
&activationCode=
<activation_code*>
&name=
<optional_token_name>
The activation code is required, but you do not need to provide the activation code in the URL. If the activation code is not included in the URL, the user is prompted to enter the activation code.