Manual Chapter : Configuring AAA Servers in APM

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.0.0, 16.1.0, 16.0.1, 16.0.0, 15.1.0
Manual Chapter

Configuring AAA Servers in APM

About VMware View and APM authentication types

You can authenticate View Clients in Access Policy Manager (APM) using the types of authentication that View Clients support: Active Directory authentication (required) and RSA SecurID authentication (optional). APM supports these authentication types with AAA servers that you configure in APM.
For more information, refer to
BIG-IP Access Policy Manager: Authentication and Single-Sign On
at
http://support.f5.com
.

Prerequisites for configuring a AAA Active Directory server object in APM

You need at least one AAA Active Directory server object in APM to support AD authentication for VMware View. If you also want to collect RSA PINs, you need at least one AAA SecurID server object in APM.

Configuring an Active Directory AAA server

You configure an Active Directory AAA server in Access Policy Manager (APM) to specify domain controllers for APM to use for authenticating users.
  1. On the Main tab, click
    Access
    Authentication
    Active Directory
    .
    The Active Directory Servers list screen opens.
  2. Click
    Create
    .
    The New Server properties screen opens.
  3. In the
    Name
    field, type a unique name for the authentication server.
  4. In the
    Domain Name
    field, type the name of the Windows domain.
  5. For the
    Server Connection
    setting, select one of these options:
    When configuring an Active Directory AAA server that is located in a nondefault route domain, you must select
    Use Pool
    and specify the pool containing the Active Directory server.
    • Select
      Use Pool
      to set up high availability for the AAA server.
      The
      Timeout
      value does not apply if you select
      Use Pool
      .
    • Select
      Direct
      to set up the AAA server for standalone functionality.
  6. If you selected
    Direct
    , type a name in the
    Domain Controller
    field.
  7. If you selected
    Use Pool
    , configure the pool:
    1. Type a name in the
      Domain Controller Pool Name
      field.
    2. Specify the
      Domain Controllers
      in the pool by typing the IP address and host name for each, and clicking the
      Add
      button.
    3. To monitor the health of the AAA server, you have the option of selecting a health monitor: only the
      gateway_icmp
      monitor is appropriate in this case; you can select it from the
      Server Pool Monitor
      list.
  8. In the
    Admin Name
    field, type a case-sensitive name for an administrator who has Active Directory administrative permissions.
    An administrator name and password are required for an AD Query access policy item to succeed when it includes particular options. Credentials are required when a query includes an option to fetch a primary group (or nested groups), to prompt a user to change password, or to perform a complexity check for password reset.
  9. In the
    Admin Password
    field, type the administrator password associated with the Domain Name.
  10. In the
    Verify Admin Password
    field, retype the administrator password associated with the
    Domain Name
    setting.
  11. In the
    Group Cache Lifetime
    field, type the number of days.
    The default lifetime is 30 days.
  12. In the
    Password Security Object Cache Lifetime
    field, type the number of days.
    The default lifetime is 30 days.
  13. From the
    Kerberos Preauthentication Encryption Type
    list, select an encryption type.
    The default is 
    None
    . If you specify an encryption type, the BIG-IP system includes Kerberos preauthentication data within the first authentication service request (AS-REQ) packet.
  14. In the
    Timeout
    field, accept the default value or type a number of seconds.
    The
    Timeout
    value does not apply if you selected
    Use Pool
    .
    The timeout specifies the number of seconds to reach the AAA Active Directory server initially. After the connection is made, the timeout for subsequent operations against the AAA Active Directory server is 180 seconds and is not configurable.
  15. Click
    Finished
    .
    The new server displays on the list.
The new Active Directory server is added to the Active Directory Servers list.

Configuring a SecurID AAA server in APM

Configure a SecurID AAA server for Access Policy Manager (APM) to request RSA SecurID authentication from an RSA Manager authentication server.
  1. On the Main tab, click
    Access
    Authentication
    .
    The Authentication screen opens.
  2. On the menu bar, click
    AAA Servers By Type
    , and select
    SecurID
    .
    The SecurID screen opens and displays the servers list.
  3. Click
    Create
    .
    The New Server properties screen opens.
  4. In the
    Name
    field, type a unique name for the authentication server.
  5. In the Configuration area, for the
    Agent Host IP Address (must match the IP address in SecurID Configuration File)
    setting, select an option as appropriate:
    • Select from Self IP List
      : Choose this when there is no NAT device between APM and the RSA Authentication Manager. Select an IP from the list of those configured on the BIG-IP system (in the Network area of the Configuration utility).
    • Other
      : Choose this when there is a NAT device in the network path between Access Policy Manager and the RSA Authentication Manager server. If selected, type the address as translated by the NAT device.
    This setting does not change the source IP address of the packets that are sent to the RSA SecurID server. (Layer 3 source addresses remain unchanged.) The agent host IP address is used only in Layer 7 (application layer) information that is sent to the RSA SecurID server.
  6. For the
    SecurID Configuration File
    setting, browse to upload the
    sdconf.rec
    file.
    Consult your RSA Authentication Manager administrator to generate this file for you.
  7. Click
    Finished
    .
    The new server displays on the list.
This adds a new RSA SecurID server to the AAA Servers list.