Manual Chapter: Authentication Concepts
Applies To: BIG-IP APM 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
About AAA server support
Access Policy Manager (APM) interacts with authentication, authorization, and
accounting (AAA) servers that contain user information. APM supports these AAA servers: RADIUS
(authentication and accounting), Active Directory (authentication and query), LDAP
(authentication and query), CRLDP, OCSP Responder, TACACS+ (authentication and accounting),
SecurID, Kerberos, and HTTP.
A typical configuration includes:
- An APM AAA server configuration object that specifies information about the external AAA server.
- An access policy that includes a logon item to obtain credentials and an authentication item that uses the credentials to authenticate against a specific AAA server.
About AAA high availability support
Using AAA high availability with Access
Policy Manager (APM), you can configure multiple
authentication servers to process requests, so that if one authentication server goes down or
loses connectivity, the others can resume authentication requests, and new sessions can be
established. APM supports these AAA servers for high availability: RADIUS, Active Directory,
LDAP, CRLDP, and TACACS+.
A typical configuration includes:
- An APM AAA server configuration object that specifies a pool of external AAA servers.
- An access policy that includes a logon item to obtain credentials and an authentication item that uses the credentials to authenticate against one of the servers in the pool.
About AAA and load balancing
When an AAA server supports high availability, you can configure a pool for it in the AAA
configuration itself. An AAA server does not load balance over a pool that is attached to a
virtual server.
About AAA traffic and route domains
A non-default route domain cannot be used with an AAA server that does not offer the option of selecting a pool.
To use route domains for AAA authentication traffic, you must use the pool option in the AAA server configuration. When Use Pool is the selected Server Connection option, the server address field can take an IP address with route domain (IPAddress%RouteDomain) format. The route domain value is ignored when the AAA server is configured to connect directly to a single server.
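As an added illustration (not F5 code and not part of the original chapter), this Python lint parses the IPAddress%RouteDomain form and flags the two configuration mistakes the text describes: a non-default route domain on a direct server connection (where it is silently ignored) and Use Pool on an AAA type that has no pool option. The pool-capable type list is taken from the high availability section above; the function names and sample addresses are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# AAA server types that APM supports in high availability (pool) mode,
# as listed in the chapter; any other type has no Use Pool option.
POOL_CAPABLE = {"radius", "active-directory", "ldap", "crldp", "tacacs+"}

# Server address with optional route domain suffix, e.g. "10.1.10.5%2"
# (constructed sample value, not from the chapter).
_ADDR_RE = re.compile(r"^(?P<ip>[^%]+)(?:%(?P<rd>\d+))?$")


@dataclass
class AAAAddress:
    ip: str
    route_domain: int  # 0 is the default route domain


def parse_aaa_address(text: str) -> AAAAddress:
    """Parse the IPAddress%RouteDomain form accepted by the server address field."""
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed AAA server address: {text!r}")
    ip = str(ipaddress.ip_address(m.group("ip")))  # rejects invalid literals
    rd = int(m.group("rd")) if m.group("rd") else 0
    return AAAAddress(ip, rd)


def lint_aaa_server(server_type: str, use_pool: bool, addresses: list) -> list:
    """Hypothetical lint (not an F5 tool) returning findings for one AAA server.

    Rules encoded from the chapter:
      * Use Pool is only available for pool-capable AAA types;
      * a non-default route domain is honoured only when Use Pool is the
        Server Connection option and is ignored for a direct connection.
    """
    findings = []
    if use_pool and server_type.lower() not in POOL_CAPABLE:
        findings.append(f"{server_type}: Use Pool is not available for this AAA type")
    for raw in addresses:
        addr = parse_aaa_address(raw)
        if addr.route_domain != 0 and not use_pool:
            findings.append(
                f"{raw}: route domain {addr.route_domain} is ignored for a direct "
                "server connection; select Use Pool to honour it"
            )
    return findings
```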
About APM support for multiple authentication types
You can add multiple authentication types to an access policy. For
example, a user who fails Active Directory authentication might then attempt RADIUS
authentication. Or, you might require authentication using a client certificate and then an
AAA server.
You can add an authentication item anywhere in the access policy.
Typically, you place authentication items somewhere after a logon item.
About APM certificate authentication support
Access Policy Manager (APM) supports these types of certificate authentication.
- SSL handshake verification and certificate revocation status: APM supports verifying the SSL handshake that occurs at the start of a session, or renegotiating the SSL handshake and checking it on demand. A typical configuration includes:
  - An access policy that includes a certificate-related access policy item, either Client Cert Inspection or On-Demand Cert Auth.
  - A client SSL profile configured per the requirements of Client Cert Inspection or On-Demand Cert Auth.
  If the client SSL profile specifies a certificate revocation list, the access policy item verifies against it.
- Certificate revocation status with OCSP or CRLDP: APM also supports verifying client certificate revocation status with an Online Certificate Status Protocol (OCSP) AAA server or with a Certificate Revocation List Distribution Point (CRLDP) AAA server. A typical configuration includes:
  - An AAA server configured to point to an external server (OCSP Responder or CRLDP).
  - An access policy that includes either a Client Cert Inspection or an On-Demand Cert Auth access policy item and the appropriate authentication item (OCSP Auth or CRLDP Auth).
  - A client SSL profile configured per the requirements of Client Cert Inspection or On-Demand Cert Auth.
About SSL certificates on the BIG-IP system
Before systems on a network can authenticate one another using SSL, you must install one or more SSL certificates on the BIG-IP system. An SSL certificate is a certificate that a BIG-IP system device presents to another device on the network, for authentication purposes. An SSL certificate can be either a self-signed certificate or a trusted CA certificate.
When you install BIG-IP software, the application includes a self-signed SSL certificate named Default. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides.
If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a trusted CA certificate, that is, a certificate that is signed by a third party. Authenticating BIG-IP systems using trusted CA certificates is more secure than using self-signed certificates.
To ease the task of creating certificate requests and sending them to certificate authorities for signature, the BIG-IP system provides a set of certificate management screens within the BIG-IP Configuration utility.
About local user database support
Access Policy Manager (APM) supports authentication against a database that
you create on the BIG-IP system using the
Configuration utility. You can employ a local user database for on-box authentication or to
control access to external AAA servers.
A typical configuration includes:
- A local user database that you create and populate using the Configuration utility.
- An access policy that includes a local user database authentication item.
About guest access (one-time password) support
Access Policy Manager (APM) supports guest access with one-time password
generation and verification. A typical configuration includes:
- An SMTP server for sending email or an HTTP AAA server for sending a text message.
- An access policy that includes items to generate a one-time password (OTP), send the generated password to a user, enable the user to log on, and verify the OTP that the user enters.
About authentication for Microsoft Exchange clients
Access Policy Manager (APM) supports NTLM and HTTP basic authentication for Microsoft Exchange clients; this support requires an Exchange profile, created in the Configuration utility. The configuration requirements for NTLM and for HTTP basic authentication for Microsoft Exchange clients are otherwise distinct.
Additional resources and documentation for BIG-IP Access Policy Manager
You can access all of the BIG-IP system documentation from the AskF5 Knowledge Base located at https://support.f5.com/.

| Document | Description |
|---|---|
| BIG-IP Access Policy Manager: Application Access | This guide contains information for an administrator to configure application tunnels for secure, application-level TCP/IP connections from the client to the network. |
| BIG-IP Access Policy Manager: Authentication Essentials | This guide contains information to help an administrator understand authentication concepts, such as AAA server, SSL certificate, local user database, and so on. |
| BIG-IP Access Policy Manager: Authentication Methods | This guide describes different types of authentication, including Active Directory, LDAP and LDAPS, RSA SecurID, RADIUS, OCSP, CRLDP, Certificate, TACACS+, and so on. |
| BIG-IP Access Policy Manager: OAuth Concepts and Configuration | This guide describes OAuth concepts and explains how to configure the system to use OAuth authorization servers, resource servers, and other examples. |
| BIG-IP Access Policy Manager: SAML Configuration | This guide introduces SAML concepts and provides several examples using APM as a SAML IdP, as a SAML service provider, and others. |
| BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration | This guide describes how to configure different types of single sign-on methods, such as HTTP basic, HTTP forms-based, NTLMV1, NTLMV2, Kerberos, and OAuth Bearer. |
| BIG-IP Access Policy Manager: Customization | This guide provides information about using the APM customization tool to provide users with a personalized experience for access policy screens and errors. An administrator can apply your organization's brand images and colors, change messages and errors for local languages, and change the layout of user pages and screens. |
| BIG-IP Access Policy Manager: Edge Client and Application Configuration | This guide contains information for an administrator to configure the BIG-IP system for browser-based access with the web client as well as for access using BIG-IP Edge Client and F5 Access Apps. It also includes information about how to configure or obtain client packages and install them for BIG-IP Edge Client for Windows, Mac, and Linux, and Edge Client command-line interface for Linux. |
| BIG-IP Access Policy Manager: Implementations | This guide contains implementations for synchronizing access policies across BIG-IP systems, hosting content on a BIG-IP system, maintaining OPSWAT libraries, configuring dynamic ACLs, web access management, and configuring an access policy for routing. |
| BIG-IP Access Policy Manager: Network Access | This guide contains information for an administrator to configure APM Network Access to provide secure access to corporate applications and data using a standard web browser. |
| BIG-IP Access Policy Manager: Portal Access | This guide contains information about how to configure APM Portal Access. In Portal Access, APM communicates with back-end servers, rewrites links in application web pages, and directs additional requests from clients back to APM. |
| BIG-IP Access Policy Manager: Secure Web Gateway | This guide contains information to help an administrator configure Secure Web Gateway (SWG) explicit or transparent forward proxy and apply URL categorization and filtering to Internet traffic from your enterprise. |
| BIG-IP Access Policy Manager: Third-Party Integration | This guide contains information about integrating third-party products with Access Policy Manager (APM). It includes implementations for integration with VMware Horizon View, Oracle Access Manager, Citrix Web Interface site, and so on. |
| BIG-IP Access Policy Manager: Visual Policy Editor | This guide contains information about how to use the visual policy editor to configure access policies. |
| Release notes | Release notes contain information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds. |
| KB articles | Knowledge base articles are responses and resolutions to known issues, additional configuration instructions, and how-to information. |