Manual Chapter : Authentication

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0
Manual Chapter

Authentication

What authentication services are supported ?

BIG-IQ Centralized Management supports Single Sign-On (SSO) for the following authentication methods.
Authentication method
Description
RADIUS
BIG-IQ Access Policy Manager © (APM) supports authenticating and authorizing the client against external RADIUS servers. When a client connects with the user name and password, BIG-IQ Access authenticates against the external server on behalf of the client, and authorizes the client to access resources if the credentials are valid.
LDAP
You may use BIG-IQ Access to configure an LDAP AAA server. You can use LDAPS in place of LDAP when the authentication messages between BIG-IP APM and the LDAP server must be secured with encryption. However, there are instances where you will not need LDAPS and the security it provides.
LDAPS is achieved by directing LDAP traffic over a virtual server that uses server side SSL to communicate with the LDAP server. Essentially, the system creates an LDAP AAA object that has the address of the virtual server. That virtual server (with server SSL) directs its traffic to a pool, which has as a member that has the address of the LDAP server.
Active Directory
Use BIG-IQ Access to configure an Active Directory AAA server. You can authenticate using Active Directory authentication with BIG-IQ Access, which supports using Kerberos-based authentication through Active Directory.
SecurID
RSA SecurID is a two-factor authentication mechanism based on a one-time passcode (OTP) that is generated by using a token code provided by a software or hardware authenticator. A token is a one-time authentication code generated every 60 seconds by an authenticator (hardware or software) assigned to the user.
HTTP
An HTTP AAA server directs users to an external web-based server to validate credentials. BIG-IQ Access supports these HTTP authentication types:
  • HTTP form-based authentication - Directs users to a form action URL and provides the specified form parameters
  • HTTP basic authentication - Directs users to a URI
  • HTTP NTLM authentication - Directs users to a URI
  • HTTP custom post - Directs users to a POST URL, a submit URL, or a relative URL and provides the specified content
Oracle Access Manager (OAM)
You can configure only one AAA Oracle Access Manager (OAM) server, but it can support multiple AccessGates from the same Access server. When you create a AAA OAM server, its transport security mode must match the setting in the OAM access server.
Online Certificate Status Protocol (OCSP)
BIG-IQ Centralized Management supports authenticating a client using Online Certificate Status Protocol (OCSP). OCSP is a mechanism used to retrieve the revocation status of an X.509 certificate by sending machine or user certificate information to a remote OCSP responder. This responder maintains up-to-date information about the certificate's revocation status. OCSP ensures that the BIG-IQ system always obtains real-time revocation status during the certificate verification process.
Certificate Revocation List Distribution Point (CRLDP)
BIG-IQ supports retrieving Certificate Revocation Lists (CRLs) from network locations (distribution points). A Certificate Revocation List Distribution Point (CRLDP) AAA server defines how to access a CRL file from a distribution point. A distribution point is either an LDAP Uniform Resource Identifier (URI), a directory path that identifies the location where the CRLs are published, or a fully qualified HTTP URL.
TACACS+
BIG-IQ Centralized Management supports authenticating and authorizing the client against Terminal Access Controller Access Control System (TACACS+) servers. TACACS+ is a mechanism used to encrypt the entire body of the authentication packet. If you use TACACS+ authentication, user credentials are authenticated on a remote TACACS+ server. If you use the TACACS+ Accounting feature, the accounting service sends start and stop accounting records to the remote server.
Kerberos
BIG-IQ Centralized Management provides an alternative to the form-based login authentication method. Instead, an HTTP 401 (unauthorized) or HTTP 407 (proxy authentication required) response triggers a browser login screen to collect credentials. This option is useful when a user is already logged in to the local domain and you want to avoid submitting an HTTP form for collecting user credentials. The browser automatically submits credentials to the server and bypasses the login box to collect the credentials again.
SPNEGO/Kerberos authentication can occur at any time during the session since it is a request-based authentication.
The benefits of this feature include:
  • Provides flexible login mechanism instead of restricting you to use only the form-based login method.
  • Eliminates the need for domain users to explicitly type login information again to log in to BIG-IQ.
  • Eliminates the need for user password transmission with Kerberos method.
Local User Database
You can create multiple local user databases to provide on-box authentication, to control user access, to segment your users, and to store user information.
During access policy operation, you can read from and write to a local user database.
F5 adaptive authentication
If you purchased F5 Adaptive Authentication (MFA), you can configure APM so your users can register and use devices for multi-factor authentication.
This authentication service is supported for Access Groups containing devices running BIG-IP version 14.1 and earlier.
Endpoint Management Systems
BIG-IQ Access allows users to configure server properties for your Endpoint Management Systems. Supported Endpoint Management Systems include Microsoft Intune, AirWatch, and IBM Mass360. You may set up API credentials for any of these endpoint management systems.
CAPTCHA configurations
Access supports CAPTCHA authentication for end-users.
APM CAPTCHA support is based on the API that the Google reCAPTCHA service provides. You can use any CAPTCHA service that is compatible with Google reCAPTCHA API version 2.0.
NTLM
Microsoft software systems use NTLM as an integrated single sign-on (SSO) mechanism. NTLM is used when a domain controller is not available or is unreachable, such as when the client is not Kerberos-capable, the server is not joined to a domain, or the user authenticates remotely over the web.
APM supports Microsoft Exchange clients that are configured to use NTLM, by checking NTLM outside of the APM session as needed. APM requires a machine account and an NTLM Auth configuration to perform these checks. APM requires an Exchange profile to support Microsoft Exchange clients, regardless of the authentication they are configured to use.
HTTP Connector
You can use the HTTP Connector to post an HTTP request to an external HTTP server. This enables APM to make HTTP calls from a per-request policy without the need for an iRule, for example. The typical use for an HTTP Connector is to provide access to an external API or service. For example, you can use HTTP Connector to check a server against an external blocklist, or an external reputation engine, and then use the results in an APM per-request policy.

Configuring RADIUS server properties

BIG-IQ Access supports authenticating and authorizing the client against external RADIUS servers. Follow this procedure configure Remote Authentication Dial-In User Service (RADIUS) Authentication, Authorization, and Accounting (AAA) server properties.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group, and under
    AUTHENTICATION
    , select
    RADIUS.
  2. The screen displays the RADIUS AAA servers (either the shared or the device-specific) in the working configuration for this Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
    • To delete a resource, select
      Delete
      .
  3. Select an existing RADIUS AAA server in a working configuration for the Access group or click
    Create
    from under either RADIUS (Shared) or RADIUS (Device-specific).
    To create a shared object for all devices in an Access group, create or edit a RADIUS AAA server by selecting an existing server under RADIUS (Shared). You may also create a RADIUS server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Name
    for this RADIUS sever. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. If you are creating a device-specific configuration, select a BIG-IP device from the
    Device
    drop-down menu. This option is only available for device-specific RADIUS AAA servers.
  7. Select a mode of configuration for your server.
    Authentication
    specifies that the system performs only RADIUS authentication. Select this mode to authenticate your users through a RADIUS server.
    Accounting
    specifies that the system performs only RADIUS accounting. Select this mode to pass accounting information about your users to the external RADIUS accounting server.
    Authentication and Accounting
    specifies that the system performs both RADIUS authentication and RADIUS accounting simultaneously.
  8. Enter an
    Accounting Service Port
    (default value
    1812
    ) and/or an
    Authentication Service Port
    (default value
    1813
    ) depending on what mode of configuration you selected in the previous step.
  9. For
    Server Connection
    , specify the RADIUS servers for BIG-IQ® to use to authenticate users.
    • Use Pool
      - Select to create a high availability configuration. In the
      Server Pool Name
      field type a name and, in
      Server Addresses
      , add RADIUS server IP addresses. To monitor the health of the RADIUS servers, select a monitor from the
      Server Pool Monitor
      list.
    • Direct
      - Select to specify one RADIUS server for BIG-IQ to use to authenticate users. In the
      Server Address
      field, type an IP address.
  10. For
    Server Pool Name
    , type the name of the server pool.
    This option only displays if you selected the
    Use Pool
    option.
  11. For
    Server Addresses
    , type the IP address of your RADIUS authorization or accounting server.
  12. For
    Server Pool Monitor
    , select a monitor to track the health of your RADIUS AAA server.
  13. In the
    Secret
    and
    Confirm Secret
    fields, type the shared secret password of your RADIUS AAA server.
  14. In the
    NAS IP Address
    or
    NAS IPV6 Address
    field, you can specify an arbitrary IP or IPv6 address as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets.
    This property is useful when you use a cluster of NAS to be recognized as a single RADIUS client.
  15. In the
    NAS Identifier
    field, you can specify a string to identify the NAS that originates the Access-Request.
  16. In the
    Timeout
    field, type the number of seconds to wait for a response from the RADIUS AAA server before timing out.
    The default value is
    5
    .
  17. In the
    Retries
    field, specify the number of times the BIG-IP system tries to make a connection to the RADIUS AAA server after the first attempt fails.
    The default value is
    3
    .
  18. From the Character Set list, select the character encoding to use for the username and password.
    • Windows-1252
      BIG-IQ RADIUS Auth agent decodes the username and password into CP-1252 before sending it to the RADIUS server. This is the default setting.
    • UTF-8
      BIG-IQ RADIUS Auth agent sends the username and password to the RADIUS server unmodified.
  19. From the
    Service Type
    list, select the type of service you use on the RADIUS server.
    Service types are specific to your RADIUS implementation. If you select
    Default
    , the service type is set to
    Authenticate Only
    .
  20. To save your changes, click the
    Save & Close
    button at the bottom of the screen.
The new or edited RADIUS server will be displayed in the RADIUS server list page.

Configure LDAP properties

You may use BIG-IQ Access to configure an Lightweight Directory Access Protocol (LDAP) Authentication, Authorization, and Accounting (AAA) server. Follow the following procedure to configure LDAP AAA server properties.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group, and under
    AUTHENTICATION
    , select
    LDAP.
  2. The screen displays the LDAP AAA servers (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
    • To delete a resource, select
      Delete
      .
  3. Select an existing LDAP AAA server in a working configuration for the Access group or click
    Create
    from under either LDAP (Shared) or LDAP (Device-specific).
    To create a shared object for all devices in an Access group, create or edit a LDAP AAA server by selecting an existing server under LDAP (Shared). You may also create a LDAP server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Name
    for this LDAP server. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. For
    Server Connection
    , select
    Direct
    to specify one LDAP server for Access Policy Manager to use for authenticating users or select
    Use Pool
    to create a high availability configuration.
  7. If you selected
    Direct
    , type an IP address in the
    Server Address
    field.
  8. If you selected
    Use Pool
    , configure the pool:
    1. In the
      Server Pool Name
      field, type a name.
    2. Specify the
      Server Addresses
      in the pool. To add a server, click the plus
      +
      button and type the IP address. To delete a server, drag it to the trash icon.
    3. To monitor the health of the LDAP server, select a monitor from the
      Server Pool Monitor
      list.
  9. If you selected
    Use Pool
    , for
    Mode
    select one:
    • LDAPS
      Select if there is a requirement to securely encrypt authentication messages between Access Policy manager and the LDAP server.
    • LDAP
      .
  10. For
    Service Port
    , accept the default value or type the port number of your AAA server.
    The default port is 389 for LDAP and 636 for LDAPS.
  11. In the
    Base Search DN
    field, type the base distinguished name (DN) from which to search. The search DN is used to search groups across a whole directory.
  12. In the
    Admin DN
    field, type the distinguished name of the user with administrator rights and, in the password fields, type the administrator password for your LDAP AAAserver.
  13. In the
    Group Cache Lifetime
    field, type the number of days for the BIG-IQ system to cache groups.
    When the lifetime elapses, BIG-IQ clears the cache. Periodically clearing the cache prevents invalid groups from being retained. The default lifetime is 30 days.
  14. From the
    SSL Profile (Server)
    list, select an SSL server profile. (Displays if
    Mode
    is
    LDAPS
    .)
  15. In the
    Timeout
    field, type a timeout interval (in seconds) for connecting to the AAA server.
  16. In the LDAP Schema Attributes area in the
    User resource Class
    field, specify the value of the resourceClass attribute for a user resource. Defaults to
    user
    .
    Access Policy Manager provides Active Directory-specific default values for the LDAP schema-specific attribute names. You can change them to reflect your schema.
  17. In the
    User Membership
    field, if the user resource maintains a group membership, specify the value of the membership attribute. Defaults to
    memberOf
    .
  18. In the
    Group resource Class
    field, specify the value of the resourceClass attribute for a group resource. Defaults to
    Group
    .
  19. In the
    Group Membership
    field, if the group resource maintains membership in other groups, specify the value of the membership attribute. Defaults to
    memberOf
    .
  20. In the
    Group Member
    field, if the group resource maintains a list of users that belong to it, specify the value of the attribute that indicates this. Defaults to
    member
    .
  21. In the
    Group Member Value
    field, if the group Member attribute is specified, specify the attribute that is used to add users to a group. Defaults to
    dn
    .
  22. Click
    Save & Close
    .
The new or edited LDAP server will be displayed in the LDAP server list page.

Configure an Active Directory server

You can use BIG-IQ Access to configure an Active Directory (AD) AAA server. Follow this procedure to configure Authentication, Authorization, and Accounting (AAA) AD server properties.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Under
    AUTHENTICATION
    , select
    Active Directory.
  2. The screen displays the Active Directory AAA servers (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
    • To delete a resource, select
      Delete
      .
  3. Select an existing Active Directory AAA server in a working configuration for the Access group or click
    Create
    from under either Active Directory (Shared) or Active Directory (Device-specific).
    To create a shared object for all devices in an Access group, create or edit a Active Directory AAA server by selecting an existing server under Active Directory (Shared). You may also create a Active Directory server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties
  4. Type the name of the Windows domain.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. For
    Server Connection
    , specify the connections to domain controllers that you want to provide for BIG-IQ:
    • Select
      Direct
      to specify one domain controller for BIG-IQ to use for authenticating users,
    • Select
      Use Pool
      to create a high availability configuration.
  7. If you selected
    Direct
    , type an IP address for
    Domain Controller
    .
  8. If you selected
    Use Pool
    , configure the pool:
    1. For
      Domain Controller Pool Name
      , type a name.
    2. Specify the
      Domain Controllers
    3. To monitor the health of the AAA server, for
      Server Pool Monitor
      select
      gateway_icmp
      .
  9. For
    Admin Name
    , type a case-sensitive name for an administrator who has Active Directory administrative permissions and, for password fields, type an administrator password that is associated with the
    Domain Name
    .
    An administrator name and password are required for an AD Query access policy item to succeed in some cases. Credentials are required when a query includes an option to fetch a primary group (or nested groups), to prompt a user to change password, or to perform a complexity check for password reset.
  10. For
    Group Cache Lifetime
    , type the number of days for which the BIG-IQ system should cache groups.
    When the lifetime elapses, BIG-IQ clears the cache. Periodically clearing the cache prevents invalid groups from being retained. The default lifetime is 30 days.
  11. For
    Password Security Object Cache Lifetime
    , type the number of days to cache password security resources.
    The default lifetime is 30 days.
  12. From the
    Kerberos Preauthentication Encryption Type
    list, select an encryption type.
    The default is 
    None
    . If you specify an encryption type, the BIG-IQ system includes Kerberos pre-authentication data with the first authentication service request (AS-REQ) packet.
  13. For
    Timeout
    , type a timeout interval (in seconds) for connecting to the AAA server.
  14. Click
    Save & Close
    .
The new or edited AD server will be displayed in the Active Directory server list page.

Configure SecurID server properties

You can use BIG-IQ to configure or edit an existing SecurID server. Follow these procedures to configure Authentication, Authorization, and Accounting (AAA) SecurID server properties.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Under
    AUTHENTICATION
    , select
    SecurID.
  2. The screen displays the SecurID AAA servers (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
    • To delete a resource, select
      Delete
      .
  3. Select an existing SecurID AAA server in a working configuration for the Access group or click
    Create
    from under SecurID (Device-specific).
    To create a shared object for all devices in an Access group, create or edit a SecurID server by selecting an existing server under SecurID (Shared). You may also create a SecurID server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Name
    for this OCSP server. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. For the
    Agent Host IP Address (must match the IP address in SecurID Configuration File)
    setting, select an option:
    • Self IP List Member
      - Choose this when there is no NAT device between Access Policy Manager (APM) and the RSA Authentication Manager. Select an IP from the list of those configured on the BIG-IP system (in the Network area of the Configuration utility).
    • Other
      - Choose this when there is a NAT device in the network path between APM and the RSA Authentication Manager server. If selected, type the address as translated by the NAT device.
  7. In the
    SecurID Configuration File Properties
    area, for
    SecurID Configuration File
    select an option:
    • Use Stored File
      . Continue to use a previously uploaded file.
    • Upload New File
      . Click
      Choose File
      and browse to upload the
      sdconf.rec
      file. (Consult your RSA Authentication Manager administrator to generate this file for you.)
  8. Click
    Save & Close
    .
The new or edited SecurID server will be displayed in the SecurID server list page.

Configure HTTP server properties

Follow this procedures to change HTTP Authentication, Authorization, and Accounting (AAA) server properties. Settings on this screen vary depending on which authentication type you select.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. create or select an Access group, and under
    AUTHENTICATION
    , select
    HTTP.
  2. The screen displays the HTTP AAA servers (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
    • To delete a resource, select
      Delete
      .
  3. Select an existing HTTP AAA server in a working configuration for the Access group or click
    Create
    from under either HTTP (Shared) or HTTP (Device-specific).
    To create a shared object for all devices in an Access group, create or edit a HTTP server by selecting an existing server under HTTP (Shared). You may also create a HTTP server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Name
    for this HTTP server. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. For
    Authentication Type
    , select a radio button:
    • Select
      Form Based
      to direct users to a form action URL and to provide the specified form parameters.
    • Select
      Basic/NTLM
      to direct users to a URI.
    • Select
      Custom Post
      to direct users to either a POST URL, a submit URL, or a relative URL and to provide the specified content.
  7. To change settings for the
    Basic/NTLM
    authentication type:
  8. For
    Start URI
    field, type a URL resource. Specify a resource that responds with a challenge to a non-authenticated request.
  9. Click the
    Save
    button.
  10. To change settings for the
    Form Based
    authentication type:
  11. For
    Start URI
    field, type a URL resource. Specify a resource that responds with a challenge to a non-authenticated request.
    A
    Start URI
    entry is optional, because you must specify either an absolute or a relative URL resource in the
    Form Action
    field. If you specify both parameters, BIG-IQ uses both of them as the final URL for HTTP POST. If you specify the
    Form Action
    parameter only, BIG-IQ is likely to detect that the absolute URI based on it should be used for HTTP POST.
  12. From the
    Form Method
    list, select either
    GET
    or
    POST
    . If you select
    GET
    , the authentication request converts as HTTP GET.
  13. For
    Form Action
    , type the complete destination URL for processing the form. The form action URL specifies where HTTP form-based authentication occurs. If you do not specify a form action, BIG-IQ uses the URI from the request to perform HTTP form-based authentication.
  14. In the
    Form Parameter For User Name
    and
    Form Parameter For Password
    fields, type the parameter name and password that the form, to which you are sending the POST request, uses.
  15. For
    Hidden Form Parameters/Values
    , if the authentication server logon form at your location requires hidden form parameters and values, you must provide them.
  16. In the
    Number Of Redirects To Follow field
    , type a number that indicates how many pages away from the landing page the request can travel before it fails.
  17. For
    Successful Logon Detection Match Type
    , select the method that your authentication server uses.
  18. If you selected the
    By Resulting Direct URL
    match type, type a URL in the
    Successful Logon Detection Match Value
    field.
  19. If you selected the
    By Specific String in Response
    match type, type a string in the
    Successful Logon Detection Match Value
    field.
  20. If you selected the
    By Presence of Specific String in Cookie
    match type, type a single string in the
    Successful Logon Detection Match Value
    field.
    : With this match type, when APM receives a duplicate cookie, APM adds it to the existing cookie list. As a result, multiple cookies with the same name, domain, and path can exist. See the following example in which there are two cookies, and APM searches them both.
    issosession=first; path=/; domain=mycompany.com issosession=second; path=/; domain= mycompany.com
  21. If you selected the
    By Presence of Cookie That Exactly Matches
    match type, type the exact key fields (name, path, and domain) that are present in the HTTP response cookie in the Successful Logon Detection Match Value field. To match an HTTP response cookie that contains three key fields, specify all three in the Successful Logon Detection Match Value field, as shown as follows:
    issosession=value;path=/;domain=mycompanynet.com;
    . To match an HTTP response cookie that contains a subset of the key fields, such as name and path, specify those keys only, as follows:
    issosession=any;path=/;
    . This match type supports cookie merge functionality.
    Failure to supply the exact number of keys and exact values for the HTTP response cookie results in a
    No matching cookie found
    error message.
  22. When APM receives a cookie with the same name, domain, and path as an existing cookie, APM merges it into the existing cookie. See an exmaple with two cookies, each with the same name, domain, and path:
    issosession=first; path=/; domain=mycompany.com issosession=second; path=/; domain= mycompany.com
    . In this case, the second cookie replaces the first cookie.
  23. Click the
    Save
    button.
  24. To change settings for the
    Custom Post
    authentication type:
  25. In the
    Start URI
    field, type a URL resource. Specify a resource that responds with a challenge to a non-authenticated request.
    If you do not specify a
    Start URI
    , BIG-IQ will likely detect that the absolute URI based on the
    Form Action
    parameter should be used for HTTP POST. If you specify a
    Start URI
    , BIG-IQ uses both the
    Start URI
    and the
    Form Action
    parameters as the final URL for HTTP POST.
  26. In the
    Form Action
    field, type either the POST URL, the submit URL, or a relative URL.
  27. For
    Successful Logon Detection Match Type
    , select the method that your authentication server uses.
  28. If you selected the
    By Resulting Direct URL
    match type, type a URL in the
    Successful Logon Detection Match Value
    field.
  29. If you selected the
    By Specific String in Response
    match type, type a string in the
    Successful Logon Detection Match Value
    field.
  30. If you selected the
    By Presence of Specific String in Cookie
    match type, type a single string in the
    Successful Logon Detection Match Value
    field.
    With this match type, when APM receives a duplicate cookie, APM adds it to the existing cookie list. As a result, multiple cookies with the same name, domain, and path can exist. See the following example in which there are two cookies, and APM searches them both.
    issosession=first; path=/; domain=mycompany.com issosession=second; path=/; domain= mycompany.com
  31. If you selected the
    By Presence of Cookie That Exactly Matches
    match type, type the exact key fields (name, path, and domain) that are present in the HTTP response cookie in the
    Successful Logon Detection Match Value
    field. To match an HTTP response cookie that contains three key fields, specify all three in the
    Successful Logon Detection Match Value
    field, as shown in the following example.
    issosession=value;path=/;domain=mycompanynet.com;
    . To match an HTTP response cookie that contains a subset of the key fields, such as name and path, specify those keys only, as shown in this example.
    issosession=any;path=/;
    . This match type supports cookie merge functionality.
    Failure to supply the exact number of keys and exact values for the HTTP response cookie results in a
    No matching cookie found
    error message.
    When APM receives a cookie with the same name, domain, and path as an existing cookie, APM merges it into the existing cookie. Here are two cookies each with the same name, domain, and path:
    issosession=first; path=/; domain=mycompany.com issosession=second; path=/; domain= mycompany.com
    . In this case, the second cookie replaces the first cookie.
  32. In the
    Number Of Redirects To Follow
    field, type a number that indicates how many pages away from the landing page the request can travel before it fails.
  33. From the
    Content Type
    list, select an encoding for the HTTP custom post. The default setting is
    XML UTF-8
    .
    If you select
    None
    , you must add a header in the
    Custom Headers
    field and you must apply your own encoding through an iRule.
  34. In the
    Custom Body
    field, type the body of the HTTP custom post.
  35. In the
    Custom Headers
    field, type the names and values for header content to insert in the HTTP custom post.
  36. Click
    Save & Close
    .
The new or edited HTTP server will be displayed in the HTTP server list page.

Configure Oracle Access Manager server properties

You can configure or make edits to an AAA Oracle Access Manager (OAM) server using BIG-IQ. Follow the procedure below to make changes to OAM AAA server properties.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Under
    AUTHENTICATION
    , select
    Oracle Access Manager.
  2. The screen displays the OAM AAA servers (either the shared or the device-specific) in the working configuration for this Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
    • To delete a resource, select
      Delete
      .
  3. Select an existing OAM AAA server in a working configuration for the Access group or click
    Create
    from under either OAM (Shared) or OAM (Device-specific).
    To create a shared object for all devices in an Access group, create or edit an OAM AAA server by selecting an existing server under OAM (Shared). You may also create a OAM server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Name
    for this OAM server. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. For
    Admin ID
    and
    Admin Password
    , type the credentials that are required to retrieve host identifier information from Oracle Access Manager. Usually, these are the credentials for the administrator account of both Oracle Access Manager and Oracle Identity Manager.
  7. For
    Retry Count
    , type the number of times an AccessGate should attempt to contact the access server. The default is 0.
  8. For
    Transport Security Mode
    , select the mode (
    open
    ,
    simple
    , or
    cert
    ) that is configured for the access server in Oracle Access System. If the mode is
    simple
    , type and re-type the
    Global Access Protocol Passphrase
    to exactly match the global passphrase that is configured for the access server in OAM.
  9. For
    AccessGate Name
    , type the name of an AccessGate to exactly match the name of an AccessGate that is configured on the OAM access server.
  10. For
    AccessGate Password
    and
    Verify Password
    , type the password to exactly match the password that is configured for it on the OAM access server.
  11. If
    Transport Security Mode
    is
    cert
    , select the
    Certificate
    ,
    Key
    , and
    CA Certificate
    that you imported for this particular AccessGate.
  12. If the AccessGate is configured with a sign key passphrase, type it in the
    Sign Key Passphrase
    field and re-type it to verify it
  13. Click
    Save & Close
    .
The new or edited OAM server will be displayed in the Oracle Access Manager server list page.

Configure OCSP server properties

BIG-IQ Centralized Management supports authenticating a client using Online Certificate Status Protocol (OCSP). Follow the subsequent procedure to create or change OCSP AAA server properties.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Under
    AUTHENTICATION
    , select
    OCSP Responder.
  2. The screen displays the OCSP AAA servers (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
    • To delete a resource, select
      Delete
      .
  3. Select an existing OCSP Responder AAA server in a working configuration for the Access group or click
    Create
    from under either OCSP Responder (Shared) or OCSP Responder (Device-specific).
    To create a shared object for all devices in an Access group, create or edit a OCSP Responder AAA server by selecting an existing server under OCSP Responder (Shared). You may also create a OCSP Responder server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Name
    for this OCSP server. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. In
    URL
    , type the URL that BIG-IQ can use to contact the OCSP service on the OCSP responder. You can skip this step if you did not select the
    Ignore AIA
    check box and all users have certificates with the correct AIA structure.
  7. From the
    Certificate Authority File
    list, select the name of the file that contains the trusted CA certificates used to verify the signature on the OCSP response.
  8. In the
    Certificate Authority Path
    field type the name of the path to the trusted CA used to verify the signature on the OCSP response.
  9. From the
    Verify Other
    list, select the name of the file to use to search for an OCSP response signing certificate when the certificate has been omitted from the response.
  10. From the
    VA File
    list, select the name of the file that contains explicitly-trusted responder certificates.
    This parameter is required in the event that the responder is not covered by the certificates already loaded into the responder's CA store.
  11. From the
    Signer
    list, select the name of the certificate used to sign an OCSP request and then from the
    Sign Key
    list, select the key used to sign an OCSP request, and, in the
    Sign Key Pass Phrase
    and
    Verify Sign Key Pass Phrase
    fields, type the key used to sign an OCSP request.
    If you specify a certificate, but not a key, the system reads the private key from the same file as the certificate. However, if you specify neither the certificate nor the key, then the request is not signed. Lastly, if you do not specify the certificate and you specify the key, then the configuration is considered to be invalid.
  12. To add additional certificates to an OCSP request, from
    Sign Other
    list select the name of a certificate file.
  13. From the
    Sign Digest
    list, select the algorithm to use for signing the request with the signing certificate and key.
    This parameter is applicable only when request signing is in effect.
  14. From the
    CertID Digest
    list select an algorithm to use to convert the client certificate and its issuer certificate to an OCSP cert ID. The cert ID is added to the OCSP request.
  15. In the
    Validity Period
    , type the number of seconds for the BIG-IQ system to use in specifying an acceptable error range.
  16. The BIG-IQ system uses this setting when the OCSP responder clock and a client clock are not synchronized to prevent a certificate status check from failing.
  17. In the
    Status Age
    field, type the number of seconds to compare to the
    notBefore
    field of a status response.
    The system uses this parameter when the status response does not include the
    notAfter
    field.
  18. Click
    Save & Close
    .
The new or edited OCSP server will be displayed in the OCSP server list page.

Configure CRLDP server properties

BIG-IQ supports retrieving Certificate Revocation Lists (CRLs) from network locations (distribution points). Use this screen to change Certificate Revocation List Distribution Point (CRLDP) AAA server properties.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Under
    AUTHENTICATION
    , select
    CRLDP.
  2. The screen displays the CRLDP AAA servers (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
    • To delete a resource, select
      Delete
      .
  3. Select an existing CRLDP AAA server in a working configuration for the Access group or click
    Create
    from under either CRLDP (Shared) or CRLDP (Device-specific).
    To create a shared object for all devices in an Access group, create or edit a CRLDP AAA server by selecting an existing server under CRLDP (Shared). You may also create a CRLDP server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  5. Select a managed BIG-IP device to deploy this configuration to.
  6. For
    Server Connection
    , select a method for accessing Certificate Revocation List (CRL) file from distribution points:
    • Select
      Use Pool
      to set up high availability for the AAA server.
    • Select
      Direct
      to set up the AAA server for standalone functionality.
    • Select
      No Server
      to use a fully qualified HTTP URL as the CRL location.
      For
      No Server
      , the BIG-IP system uses the URI from the user's certificate.
  7. If you selected
    Use Pool
    , be sure you've got a name in the
    Server Pool Name
    field, and optionally select a
    Server Pool Monitor
    to track the health of the server pool.
  8. Specify the addresses of AAA servers to which APM can connect to authenticate users:
    • If you selected
      Direct
      , type an IP address in the
      Server Address
      field.
    • If you selected
      Use Pool
      , for each pool member you want to add, type an IP address and click
      Add
      .
      For a pool, you have the option to type the server address in route domain format: IPAddress%RouteDomain.
  9. If you selected
    Use Pool
    , you have the option to select a
    Server Pool Monitor
    to track the health of the server pool.
  10. If you specified
    Use Pool
    or
    Direct
    for the server connection, in the
    Base DN
    field type a CRLDP base distinguished name.
    This setting applies for certificates that specify the CRL distribution point in directory name (dirName) format. Access Policy Manager uses the Base DN when the value of the X509v3 attribute,
    crlDistributionPoints
    , is of type
    dirName
    . In this case, Access Policy Manager tries to match the value of the crlDistributionPoints attribute to the Base DN value. An example of a Base DN value is
    cn=lxxx,dc=f5,dc=com
    .
    If the client certificate includes the distribution point extension in LDAP URI format, the IP address, Base DN, and Reverse DN settings configured on the agent are ignored; they are specific to directory-based CRLDP. All other settings are applicable to both LDAP URI and directory-based CRL DPs.
  11. Click
    Save & Close
    .
The new or edited CRLDP server will be displayed in the CRLDP server list page.

Configure TACACS+ server properties

BIG-IQ Centralized Management supports authenticating and authorizing the client against Terminal Access Controller Access Control System (TACACS+) servers. It is important to note that the BIG-IQ system must include a TACACS+ server configuration for every TACACS+ server that exists. To change TACACS+ AAA server properties, follow the procedure below.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Under
    AUTHENTICATION
    , select
    TACACS+.
  2. The screen displays the TACACS+ AAA servers (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
  3. Select an existing TACACS+ AAA server in a working configuration for the Access group or click
    Create
    from under either TACAC+ (Shared) or TACACS+ (Device-specific).
    To create a shared object for all devices in an Access group, create or edit a TACACS+ AAA server by selecting an existing server under TACACS+ (Shared). You may also create a TACACS+ server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Name
    for this TACACS+ server. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. For Server Connection, specify the kind of configuration you want:
    • Select
      Direct
      to specify one server to which APM can connect for AAA services.
    • Select
      Use Pool
      to create a high availability configuration.
  7. If you selected
    Use Pool
    , be sure you've got a name in the
    Server Pool Name
    field, and optionally select a
    Server Pool Monitor
    to track the health of the server pool.
  8. In the
    Server Address
    , or
    Server Addresses
    , field specify IP addresses of the TACACS+ servers to which APM can connect for AAA services.
  9. To change the
    Service Port
    , select a service from the list or type another number. (
    49
    is the default value.)
  10. To encrypt and decrypt packets that are sent to or received from the server, from the
    Encryption
    list select
    Enabled
    , and type the secret key in the
    Secret
    and
    Confirm Secret
    fields.
    Do not use the number sign (#) in your secret.
  11. From the
    Service
    list, select the type of service you want to provide.
    Selecting a service enables the TACACS+ server to respond differently for different types of authentication requests.
  12. From the
    Protocol
    list, select the protocol associated with the value in the
    Service
    setting.
  13. From the
    Privilege Level
    list, select the level of privilege to request.
  14. From the
    Authentication Type
    and
    Authentication Service
    lists, select from the provided values.
  15. Click
    Save & Close
    .
The new or edited TACACS+ server will be displayed in the TACACS+ server list page.

Configure Kerberos server properties

BIG-IQ Centralized Management provides an alternative to the form-based login authentication method by means of request-based Kerberos authentication. Follow the subsequent procedure to make changes to Kerberos AAA server properties.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Under
    AUTHENTICATION
    , select
    Kerberos.
  2. The screen displays the Kerberos AAA servers (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
  3. To begin configuration, select
    Create
    from either
    Kerberos (Shared)
    or
    Kerberos (Device-Specific)
    . This will direct you to a page where you may configure the server.
  4. Enter a
    Name
    for this Kerberos server. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. For Identity Location, choose from the following options. Identity Location is available for Access Groups running BIG-IP version 14.0 and later.
    • Select
      Host-based service
      to display the authorization realm, service name, and keytab file options. All existing Kerberos AAA servers are host-based services by default.
    • Select
      Kerberos 5 NT Principal
      to display the service principal name and keytab file options. Use this format for VMware View clients.
  7. In the
    Auth Realm
    field, type a Kerberos auth realm name (administrative name), such as
    TESTBED.LAB.COMPANYNET.COM
    .
    Kerberos clients manually map DNS domain names to Kerberos realm names. It establishes the boundaries within which an authentication server has the authority to authenticate a user, host, or service.
  8. For
    Service Name
    , type a Kerberos service name, such as
    HTTP
    .
  9. For
    Service Principal Name
    , type the Kerberos service principal name; for example,
    %{session.vmware.spn}
    . Displays after you select Kerberos 5 NT Principal.
    Use this option to advertise Kerberos as a supported authentication method for VMware View clients by passing the service principal name to the client.
  10. For
    File Name
    , click
    Choose File
    , browse to and select a keytab file.
    A keytab file contains Kerberos encrypted keys that are derived from the Kerberos password. The file contains service keys that the server uses to authenticate the client.
  11. Click
    Save & Close
    .
The new or edited Kerberos server will be displayed in the Kerberos server list page.

About local user database authentication

You can create multiple local user databases to provide on-box authentication, to control user access, to segment your users, and to store user information.
During access policy operation, you can read from and write to a local user database.
You can read from a local user database to:
  • Determine whether a user is locked out of a local user database instance.
  • Check the number of failed login attempts for a user.
  • Check group membership for the user to determine which access policy branch to take.
  • Groups are text strings. You create them from the Configuration utility.
  • You can write to a local user database primarily to increment or reset the number of login failures for a user. You can also update the locked out status for the user; although this option provides flexibility, use it sparingly. Normally, locked out status is set programmatically.
Configure a local user database instance on your managed BIG-IP device. Discover the device and import its configuration into BIG-IQ, and deploy the instances onto target BIG-IP devices in an Access Group. From BIG-IQ, you may view and manage a list of the instances.
  • To add local user database instances, do so on the BIG-IP system that is linked to the device; then re-import the device to the BIG-IQ system.
  • To verify or to change the properties of these resources, do so on the BIG-IP system that is linked to the Access group; if you make changes on the BIG-IP system, re-import the device to the BIG-IQ system.

About F5 adaptive authentication

If you purchased F5 Adaptive Authentication (MFA), you configure Access Policy Manager® (APM®) so your users can register and use devices for multi-factor authentication.
Create a connector to establish a connection to an F5 multi-factor authentication service that is external to and separate from BIG-IP Access Policy Manager and the BIG-IP system. You may also create an F5 adaptive authentication configuration and specify which types of devices may be allowed to authenticate using this MFA configuration. Make these changes on your managed BIG-IP device. Discover the device and import its configuration into BIG-IQ, and deploy the instances onto target BIG-IP devices in an Access Group. From BIG-IQ, you may view and manage a list of the instances.
  • To configure F5 Adaptive Authentication, do so on the BIG-IP system that is linked to the device; then re-import the device to the BIG-IQ system.
  • To verify or to change the properties of these resources, do so on the BIG-IP system that is linked to the Access group; if you make changes on the BIG-IP system, re-import the device to the BIG-IQ system.
F5 adaptive authentication available for BIG-IP versions 14.1 and lower.

Configure Endpoint Management Systems server properties

Use BIG-IQ to configure server properties for your Endpoint Management Systems and deploy these configurations to devices in an Access Group.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Under
    AUTHENTICATION
    , select
    Endpoint Management Systems.
  2. The screen displays the endpoint management system (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device Specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
  3. Select an existing endpoint management system server in a working configuration for the Access group or click
    Create
    from under either Endpoint Management System (Shared) or Endpoint Management System (Device-specific).
    To create a shared object for all devices in an Access group, create or edit an Endpoint Management System AAA server by selecting an existing server under Endpoint Management System (Shared). You may also create an endpoint management system server for a single device or a subset of devices managed by an Access group.
    You will be directed to a page where you may configure the server's properties.
  4. Type the name for the endpoint management system. You cannot change the name if you are editing an existing configuration. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. For
    Type
    , select
    AirWatch
    ,
    IBM Maas360
    , or
    Microsoft Intune
    . Microsoft Intune is available for Access Groups running BIG-IP version 13.1 or later.
  7. From
    Server SSL Profile
    , select a profile.
  8. For
    Update Interval (minutes)
    type a number.
    This is the number of minutes between the start of periodic polling that BIG-IQ performs to obtain enrollment and compliance information from the endpoint management system.
  9. To set up API credentials for an Airwatch endpoint management system, do these steps.
  10. In the
    Username
    and
    Password
    fields, type the user name for the administrator of the endpoint management system and the password that the administrator uses to log in.
  11. For
    API Token
    , type the API token of the application.
  12. To set up API credentials for an IBM Mass360 endpoint management system, do these steps.
  13. In the
    Username
    and
    Password
    fields, type the user name for the administrator of the endpoint management system and the password that the administrator uses to log in.
  14. For
    Billing ID
    , type the billing ID for the user's IBM Maas360 account.
  15. For
    Application ID
    , type the application ID that you got from IBM Maas360.
  16. For
    Access Key
    , type the access key that you got from IBM Maas360.
  17. For
    Platform
    , type the platform version of the IBM Maas360 console.
  18. For
    App Version
    , type the current version number of the application that corresponds to the account.
  19. To set up API credentials for a Microsoft Intune endpoint management system, do these steps.
  20. For
    Tenant Id
    , type the tenant ID that comes with a Microsoft Intune subscription, the domain name for the logon name.
  21. For
    Client Id
    , type the client ID that becomes available after creating a web application
  22. For
    Client Secret
    , type the client secret that becomes available after creating a web application.
  23. Click
    Save & Close
    .
The new or edited Endpoint Management Systems server will be displayed in the Endpoint Management Systems server list page.

Create and edit a CAPTCHA configuration

Use BIG-IQ to view or edit the general properties of a CAPTCHA configuration and to deploy the configuration to devices in an Access group.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Under
    AUTHENTICATION
    , select
    CAPTCHA Configuration List.
  2. The screen displays the shared CAPTCHA configurations in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
  3. Select an existing CAPTCHA configuration server in a working configuration for the Access group or click
    Create
    .
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Name
    for this configuration. You cannot change the name if you are editing an existing configuration. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. For
    Secret
    , type the string that was provided as the secret when you signed up for CAPTCHA service.
  7. For
    Site Key
    , type the string that was provided as the site key when you signed up for CAPTCHA service.
  8. For
    Verification URL
    , type the URL of the service that verifies the response to the CAPTCHA challenge.
  9. For
    Challenge URL
    , type the URL of the service that provides the CAPTCHA challenge.
  10. For
    Noscript URL
    , type the URL to use for obtaining the challenge picture if JavaScript is disabled.
  11. For
    Display CAPTCHA After Number of Logon Attempts Equals
    , type the number of logon attempts to allow before issuing a CAPTCHA challenge.
  12. For
    Track Logon Failures
    , Choose one or more options to specify how to track logon failure attempts:
    • Select
      By IP Address
      to check whether logon failures for an IP address exceed the number set in the
      Display CAPTCHA After Number of Logon Attempts Equals
      field.
    • Select
      By Username
      to check whether logon failures for a user name exceed the number set in the
      Display CAPTCHA After Number of Logon Attempts Equals
      field.
  13. For
    Allow Access if CAPTCHA Verification Cannot Complete
    , select
    Enable
    to allow user access when CAPTCHA verification cannot be completed on the server or BIG-IP system side for some reason; for example, the verification URL is unavailable.
  14. For
    Data Theme
    , select the color theme for the CAPTCHA widget:
    Light
    or
    Dark
    . This field is available for configuration for Access Groups running BIG-IP version 13.0 and later.
  15. For
    Data Type
    , select the type of CAPTCHA to serve:
    Image
    or
    Audio
    . This field is available for configuration for Access Groups running BIG-IP version 13.0 and later. Defaults to
    Image
    .
  16. For
    Data Size
    , select the size of the widget:
    Normal
    or
    Compact
    . This field is available for configuration for Access Groups running BIG-IP version 13.0 and later.
  17. Click
    Save & Close
    .
The new or edited CAPTCHA server will be displayed in the CAPTCHA configuration list page.

Create an NTLM Authentication configuration

Access Policy Manager (APM) supports Microsoft Exchange clients that are configured to use Windows NT LAN Manager (NTLM). Create both an NTLM Auth configuration and a machine account to perform an NTLM check outside of an APM configuration. Follow the subsequent procedure to create an NTLM authentication configuration.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Select
    AUTHENTICATION
    NTLM
    NTLM Auth Configuration
    .
  2. From the NTLM Auth Configuration landing page, you may view the objects in the working configuration for the Access group.
    • To change the properties of the configuration, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To create a new NTLM authentication configuration, click the
      Create
      button. Objects that you created in the device-specific section are copied for other BIG-IP devices in the access group. Open and update these copies individually.
    • To delete an NTLM authentication configuration, select the check box next to the configuration and click the
      Delete
      button. Deleting a configuration also deletes any copies in the access group. However, you cannot delete a configuration that is referenced by an access policy.
    If you decide to edit or create a NTLM authentication configuration, you will navigate to a configuration page where you may follow the subsequent steps.
  3. Enter a
    Name
    for this NTLM configuration. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  4. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  5. In the
    Device
    drop down menu, select the BIG-IP device associated with this configuration.
  6. In the
    Domain Controller FQDN List
    field, for each domain that you want the machine account to access, type the fully qualified domain name for a domain controller and click
    Add
    . To delete a domain on the list, select an FQDN and click the
    Delete
    button.
  7. Click
    Save & Close
    .
The new or edited NTLM authentication configuration will be displayed in the NTLM authentication configuration list page.

Configure an NTLM machine account

Create both an NTLM authentication configuration and a machine account to perform an NTLM check outside of an APM configuration. Follow the subsequent procedure to create an NTLM machine account.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Select
    AUTHENTICATION
    NTLM
    NTLM Machine Account
    .
  2. The Machine Account landing page displays the machine account (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To create a new machine account, click the
      Create
      button. Objects that you created in the device-specific section are copied for other BIG-IP devices in the access group. Open and update these copies individually.
    • To delete a machine account, select the check box next to the account and click the
      Delete
      button. Deleting a machine account also deletes any copies in the access group. However, you cannot delete a machine account that is referenced by an NTLM authentication configuration.
  3. Select an existing machine account in a working configuration for the Access group or click
    Create
    .
    You will be directed to a page where you may configure the server's properties.
  4. Enter a
    Name
    for this NTLM machine account. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. In the Device dropdown menu, select the BIG-IP device associated with this configuration.
  7. In the
    Machine Account Name
    , type a name for the machine account.
  8. In the
    Domain FQDN
    field, type the fully qualified domain name (FQDN) for the domain that you want the machine account to join
  9. In the
    Domain Controller FQDN
    field, type an optional FQDN for the domain controller.
  10. In the
    Admin User
    field, type the name of a user with administrator privilege.
  11. In the
    Admin Password
    field, type the admin user password.
  12. Click
    Join
    .
  13. Click
    Save & Close
    .
The new or edited NTLM machine account will be displayed in the NTLM machine account list page.

Configure HTTP Connector Request

Before you configure an HTTP Connector request configuration, you must first create an HTTP Connector Transport item to add to the request configuration.
Create or modify an HTTP Connector Request to create parameters for the HTTP Connector to process the request to an external resource. You can add an HTTP connector to an Access policy so users can post an HTTP request to an external HTTP server.
Using an APM policy with an HTTP Connector configured makes it possible for you to use a per-request policy to make HTTP calls. Configure an HTTP Connector Request to specify the request's parameters and how the response process is handled by APM.
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group.
  2. Navigate to
    AUTHENTICATION
    HTTP Connector
    and select
    HTTP Connector Request.
  3. This screen displays the HTTP Connector Request objects in the working configuration for the Access group.
    • To create a new HTTP Connector request object, click the
      Create
      under HTTP Connector Request (Shared).
    • To locate an object, search for it by name; otherwise, look for it under the
      Name
      column.
    • Select an object from the list to view the the Related Items section. Click
      Show
      to display related items such as an HTTP Connector Transport.
    • To delete an object, select the check box next to the HTTP Connector Request, and then click
      Delete
      . You can delete multiple objects by selecting the check box next to the objects.
      You cannot delete an object that is currently referenced in an Access policy.
  4. Select an existing HTTP Connector request object in a working configuration for the Access group or click
    Create
    .
    You will be directed to a page where you may configure the server's properties.
  5. Enter a
    Name
    for this HTTP server. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing configuration.
  6. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  7. Select an
    HTTP Connector Transport
    object from the drop-down menu.
    You can create this object either within BIG-IQ or on a managed BIG-IP device. To do so in BIG-IQ, navigate to
    Configuration
    ACCESS
    Access Groups
    and select or create an Access group. Then, navigate to
    AUTHENTICATION
    HTTP Connector
    HTTP Connector Transport
    and select
    Create
    .
  8. Type the
    URL
    on which the HTTP Connector Request action will occur.
  9. Enter the HTTP
    Method
    to use for your external connector, for example,
    POST
    .
  10. Select a pre-set
    Authentication Type
    for this request, or select
    Custom
    .
  11. Optionally enter a
    Username
    and
    Password
    for HTTP calls.
  12. Optionally enter a secret
    Token
    to use for HTTP calls.
  13. In the
    Request Headers
    field, type the header for this HTTP request.
  14. In the
    Request Body
    field, type the HTTP request body to send.
  15. In the
    Response Headers
    field, type the header for this HTTP response.
  16. Choose a
    Response Action
    for this HTTP request from the drop-down menu.
  17. Select
    Save&Close
    .
The HTTP Connector Request object displays in the list and can be added to an Access policy.

Configure HTTP connector transport

Before creating an HTTP Connector Transport, you will need to create a DNS Resolver at
Configuration
NETWORK
DNS Resolvers
.
You will also need to create and define a Server SSL Profile for the connector transport before beginning this configuration. To do so, navigate to
Configuration
LOCAL TRAFFIC
Profiles
and create a Server SSL Profile by selecting
New Profile
and selecting
Profile Server SSL
from the
Type
drop-down menu. If the HTTP server you are creating requires Server Name Indication (SNI), make sure that the corresponding fields in the Server SSL profile referenced in the HTTP Connector Request match with the fields in HTTP Connector Transport. The
Server Name
field should match the server name specified in the
URL
field of the HTTP Connector Request. In the
Server Authentication
section,
Server Certificate
should be set to
require
and the
Authenticate Name
should match with the server name in the URL.
You can use BIG-IQ to create or modify an HTTP Connector Transport object to provide the DNS resolver information and network connection settings, including the limits, for an HTTP Connector Request. Both of these authentication objects can be subsequently added to an Access policy to define parameters for how HTTP requests are handled by Access Policy Manager (APM).
  1. Navigate to
    Configuration
    ACCESS
    Access Groups
    , and create or select an Access group. Navigate to
    AUTHENTICATION
    HTTP Connector
    and select
    HTTP Connector Request.
  2. This screen displays the HTTP Connector Transport objects in the working configuration of this Access group.
    • To create a new HTTP Connector Transport object, click
      Create
      under HTTP Connector Transport (Shared).
    • To locate an object, search for it by name; otherwise, look for it under the
      Name
      column.
    • Select an object from the list to view the Related Items section. Click
      Show
      to display related items such as DNS resolvers or server SSL profiles.
    • To delete an object, select the check box next to the HTTP Connector Transport, and then click
      Delete
      . You can delete multiple objects by selecting the check box next to the objects.
      You cannot delete an object that is currently referenced in an HTTP Connector Request.
  3. Select an existing HTTP Connector Transport object in a working configuration for the Access group or click
    Create
    .
    You will be directed to a page where you can configure the server's properties.
  4. Enter a
    Name
    for this HTTP server. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or none. You cannot change the name if you are editing an existing configuration.
  5. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  6. Select an existing DNS Resolver from the drop-down menu or define the parameters for a new resolver at
    Configuration
    NETWORK
    DNS Resolvers
    .
  7. Select a
    Server SSL Profile
    from the drop-down menu.
    To create a profile to add to a connector transport object, follow the instructions in the beginning of this procedure.
  8. Specify the
    Maximum Response Size
    in bytes that the HTTP Connector Transport can receive.
    The
    Maximum Response Size
    limit is ignored if the
    Response Action
    in the associated HTTP Connector Request is set to
    Ignore
    .
  9. Specify the
    Timeout
    in seconds for the HTTP Connector Transport.
  10. Select
    Save & Close
    .
The new HTTP Connector Transport will display in the list. You can then add it to an HTTP Connector Request.