Manual Chapter : Configuring an Active Directory AAA server

Applies To: BIG-IP APM 16.0.0, 15.1.0

Configuring an Active Directory AAA server

You configure an Active Directory AAA server in Access Policy Manager (APM) to specify domain controllers for APM to use for authenticating users.
  1. On the Main tab, click Access > Authentication > Active Directory.
     The Active Directory Servers list screen opens.
  2. Click Create.
     The New Server properties screen opens.
  3. In the Name field, type a unique name for the authentication server.
  4. In the Domain Name field, type the name of the Windows domain.
  5. For the Server Connection setting, select one of these options:
     • Select Use Pool to set up high availability for the AAA server. The Timeout value does not apply if you select Use Pool.
     • Select Direct to set up the AAA server for standalone functionality with a single domain controller.
     When the Active Directory server is located in a nondefault route domain, you must select Use Pool and specify the pool containing the Active Directory server.
  6. If you selected Direct, type the name of the domain controller in the Domain Controller field.
  7. If you selected Use Pool, configure the pool:
     1. Type a name in the Domain Controller Pool Name field.
     2. Specify the Domain Controllers in the pool by typing the IP address and host name for each, and clicking the Add button.
     3. To monitor the health of the AAA server, you have the option of selecting a health monitor from the Server Pool Monitor list; only the gateway_icmp monitor is appropriate in this case.
        Note that gateway_icmp only confirms that a domain controller answers ICMP echo requests; it does not verify that the Kerberos or LDAP services on that domain controller are actually accepting connections.
  8. In the Admin Name field, type a case-sensitive name for an administrator who has Active Directory administrative permissions.
     An administrator name and password are required for an AD Query access policy item to succeed when it includes particular options. Credentials are required when a query includes an option to fetch a primary group (or nested groups), to prompt a user to change password, or to perform a complexity check for password reset.
     Because this password is stored in the BIG-IP configuration, use a dedicated service account for APM rather than a shared domain administrator account, and grant it only the rights that the query options you use require.
  9. In the Admin Password field, type the administrator password associated with the Domain Name.
  10. In the Verify Admin Password field, retype the administrator password associated with the Domain Name setting.
  11. In the Group Cache Lifetime field, type the number of days.
      The default lifetime is 30 days.
  12. In the Password Security Object Cache Lifetime field, type the number of days.
      The default lifetime is 30 days.
  13. From the Kerberos Preauthentication Encryption Type list, select an encryption type.
      The default is None. If you specify an encryption type, the BIG-IP system includes Kerberos preauthentication data within the first authentication service request (AS-REQ) packet. With None, the first AS-REQ carries no preauthentication data, so a domain controller that requires preauthentication (the default for Active Directory accounts) rejects it with KDC_ERR_PREAUTH_REQUIRED and the exchange costs an extra round trip. If you select a type, it must be one that the domain controllers accept for the account being authenticated.
  14. In the Timeout field, accept the default value or type a number of seconds.
      The Timeout value does not apply if you selected Use Pool.
      The timeout specifies the number of seconds to reach the AAA Active Directory server initially. After the connection is made, the timeout for subsequent operations against the AAA Active Directory server is 180 seconds and is not configurable.
  15. Click Finished.
      The new server displays on the list.
The new Active Directory server is added to the Active Directory Servers list.
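Before entering the domain controllers in step 7 and choosing a Kerberos Preauthentication Encryption Type in step 13, it helps to see what each KDC actually answers. The script below is an added example written for this page; it is not F5 code and does not touch the BIG-IP. It hand-encodes the RFC 4120 AS-REQ that the None setting produces (no padata), sends it over TCP port 88, and decodes the KRB-ERROR reply: KDC_ERR_PREAUTH_REQUIRED (25) with the PA-ETYPE-INFO2 list tells you which encryption types the domain controller will accept preauthentication in for that account, while a TCP failure tells you a pool member is dead even if gateway_icmp still sees it. The realm, account and host names in the usage line are hypothetical; `sample_preauth_required` builds a constructed KRB-ERROR so the decoder can be exercised offline.

```python
# Kerberos pre-flight probe for the domain controllers an APM AD AAA server will use.
# Added example, not F5 code. Sends an AS-REQ with no preauthentication data (the "None" path).
import socket
import struct
import sys

ETYPE_NAMES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96", 23: "rc4-hmac", 3: "des-cbc-md5"}
KDC_ERR_PREAUTH_REQUIRED, PA_ETYPE_INFO2 = 25, 19

# --- minimal DER encoder: only what the RFC 4120 AS-REQ and KRB-ERROR need ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content
def ctx(n, content):   # [n] context-specific, constructed
    return tlv(0xA0 | n, content)
def app(n, content):   # [APPLICATION n], constructed
    return tlv(0x60 | n, content)
def seq(*items):
    return tlv(0x30, b"".join(items))
def integer(v):        # two's complement, minimal length: 128 -> 02 02 00 80
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def kstring(s):        # KerberosString is a GeneralString
    return tlv(0x1B, s.encode("ascii"))
def principal(name_type, *parts):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[kstring(p) for p in parts])))

def build_as_req(user, realm, etypes=(18, 17, 23), nonce=0x2A2A2A2A):
    """AS-REQ without padata: the first packet sent when no preauthentication type is set."""
    options = tlv(0x03, b"\x00" + struct.pack(">I", 0x40810010))  # forwardable, renewable, canonicalize, renewable-ok
    body = seq(ctx(0, options),
               ctx(1, principal(1, user)),               # NT-PRINCIPAL
               ctx(2, kstring(realm)),
               ctx(3, principal(2, "krbtgt", realm)),    # NT-SRV-INST
               ctx(5, tlv(0x18, b"20370913024805Z")),    # till, a KerberosTime
               ctx(7, integer(nonce)),
               ctx(8, seq(*[integer(e) for e in etypes])))
    return app(10, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))

# --- minimal DER decoder ---
def der_items(data):
    """Yield (tag, content) for each TLV packed inside a constructed value."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:
            k = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + ln]
        i += ln
def unwrap(data):      # content of the single TLV held in data
    return next(der_items(data))[1]
def field(fields, n):  # value tagged [n] inside a SEQUENCE body, None if absent
    for tag, content in der_items(fields):
        if tag == (0xA0 | n):
            return unwrap(content)
    return None
def as_int(b):
    return int.from_bytes(b, "big", signed=True)

def parse_krb_error(msg):
    """Return (error-code, etypes listed in PA-ETYPE-INFO2), or None when msg is not a KRB-ERROR."""
    tag, content = next(der_items(msg))
    if tag != (0x60 | 30):                 # an AS-REP instead: the account has preauth disabled
        return None
    fields = unwrap(content)
    code, etypes, edata = as_int(field(fields, 6)), [], field(fields, 12)
    if code == KDC_ERR_PREAUTH_REQUIRED and edata:
        for _, padata in der_items(unwrap(edata)):                 # METHOD-DATA entries
            if as_int(field(padata, 1)) == PA_ETYPE_INFO2:
                for _, entry in der_items(unwrap(field(padata, 2))):
                    etypes.append(as_int(field(entry, 0)))
    return code, etypes

def sample_preauth_required(realm, etypes):
    """Constructed KRB-ERROR (KDC_ERR_PREAUTH_REQUIRED) carrying PA-ETYPE-INFO2, for offline runs."""
    info2 = seq(*[seq(ctx(0, integer(e)), ctx(1, kstring(realm + "probe"))) for e in etypes])
    method_data = seq(seq(ctx(1, integer(PA_ETYPE_INFO2)), ctx(2, tlv(0x04, info2))))
    return app(30, seq(ctx(0, integer(5)), ctx(1, integer(30)), ctx(4, tlv(0x18, b"20240101000000Z")),
                       ctx(5, integer(0)), ctx(6, integer(KDC_ERR_PREAUTH_REQUIRED)), ctx(9, kstring(realm)),
                       ctx(10, principal(2, "krbtgt", realm)), ctx(12, tlv(0x04, method_data))))

def probe_kdc(host, realm, user, port=88, timeout=5.0):
    """Kerberos over TCP: every message is prefixed with its 4-byte big-endian length."""
    req = build_as_req(user, realm)
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(struct.pack(">I", len(req)) + req)
        n = struct.unpack(">I", f.read(4))[0]
        return parse_krb_error(f.read(n))

if __name__ == "__main__":  # usage: kdc_probe.py EXAMPLE.COM svc_apm dc1.example.com ... (hypothetical values)
    for host in sys.argv[3:]:
        try:
            code, etypes = probe_kdc(host, sys.argv[1].upper(), sys.argv[2]) or (0, [])
            print(host, "-> error", code, [ETYPE_NAMES.get(e, e) for e in etypes])  # code 0: AS-REP, no preauth needed
        except OSError as err:
            print(host, "-> no Kerberos answer on tcp/88:", err)
```

Run it against every domain controller you intend to put in the pool, using the account from step 8. Each host should report error 25 with the same etype list; a host that times out or refuses the connection should not go into the pool, and the type you pick in step 13 should be one that appears in every list (prefer the AES types over rc4-hmac where the domain offers them). Error 6 means the KDC answered but does not know the account in that realm, which usually points at a typo in the Domain Name field.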