Manual Chapter : HTTP and HTTPS Authentication

Applies To:

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

About HTTP AAA server authentication

An HTTP AAA server directs users to an external web-based server to validate credentials. Access Policy Manager (APM) supports these HTTP authentication types:

  • HTTP basic authentication - Directs users to a URI
  • HTTP NTLM authentication - Directs users to a URI
  • HTTP form-based authentication - Directs users to a form action URL and provides the specified form parameters
  • HTTP custom post - Directs users to a POST URL, a submit URL, or a relative URL and provides the specified content
Tip: Use HTTPS instead of HTTP authentication for improved security. With plain HTTP authentication, the user's credentials travel in clear text between the BIG-IP system and the external authentication server, where anyone on that network path can read them. The HTTPS configuration later in this chapter encrypts that connection with a server SSL profile.

Task summary for HTTP authentication

To set up this configuration, you must first configure one HTTP AAA server that supports the type of authentication that you want: HTTP Basic/NTLM, form-based, or custom post. After you configure an HTTP AAA server, you must add an HTTP Auth action to an access policy and specify the HTTP AAA server that supports the authentication type that you want to use.

Task list

Configuring an AAA server for HTTP Basic/NTLM authentication

You configure an HTTP AAA server when you want to use Basic/NTLM authentication.
  1. On the Main tab, click Access Policy > AAA Servers > HTTP. The HTTP Servers screen displays.
  2. Click Create. The New Server properties screen opens.
  3. In the Name field, type a unique name for the authentication server.
  4. For Authentication Type, select Basic/NTLM.
  5. In the Start URI field, type the complete URI of a resource that the external server protects with Basic or NTLM authentication. The resource must answer an unauthenticated request with an HTTP 401 challenge (a WWW-Authenticate header naming Basic or NTLM); Access Policy Manager answers that challenge with the user's credentials.
  6. Click Finished. The new server displays on the list.

Configuring an HTTP AAA server for form-based authentication

You create a form-based HTTP AAA configuration to use HTTP form-based authentication from an access policy.
  1. On the Main tab, click Access Policy > AAA Servers > HTTP. The HTTP Servers screen displays.
  2. Click Create. The New Server properties screen opens.
  3. In the Name field, type a unique name for the authentication server.
  4. For Authentication Type, select Form Based.
  5. Optional: In the Start URI field, type a URL resource, for example, http://plum.tree.lab2.sp.companynet.com/. This resource must respond with a challenge to a non-authenticated request.
    Note: The Start URI is optional because the Form Action field can hold an absolute URL on its own. If you specify both, Access Policy Manager resolves the Form Action against the Start URI to build the final URL for the HTTP POST, so a relative Form Action works. If you do not specify a Start URI, the Form Action must be an absolute URL, and Access Policy Manager posts to it directly.
  6. From the Form Method list, select either GET or POST. If you select GET, Access Policy Manager sends the form parameters, including the user name and password, in the query string of an HTTP GET request. Query strings are routinely written to web server and proxy logs, so select GET only when the authentication server requires it.
  7. In the Form Action field, type the destination URL that processes the logon form, either absolute or relative to the Start URI. Access Policy Manager sends the form-based authentication request to this URL. Specify it; if the field is empty, Access Policy Manager falls back to the URI of the request.
  8. In the Form Parameter For User Name and Form Parameter For Password fields, type the names of the form fields that carry the user name and the password in the logon form you are submitting to (the name attributes of the two input elements).
  9. In the Hidden Form Parameters/Values field, type any hidden form parameters, with their values, that the authentication server's logon form requires (for example, a fixed action or form identifier). If the logon form contains hidden fields, you must supply them here; otherwise the authentication server rejects the request.
  10. In the Number Of Redirects To Follow field, type the maximum number of HTTP redirects that Access Policy Manager follows after submitting the form before it treats the logon as failed.
  11. For the Successful Logon Detection Match Type setting, select the method your authenticating server uses to indicate a successful logon, and type the value to match in the Successful Logon Detection Match Value field.
  12. Click Finished. The new server displays on the list.

Configuring an HTTP AAA server for custom post authentication

You create a custom post configuration when there is no HTML logon form, or when the request body is not encoded as a standard form submission. (This can happen when the POST is generated by JavaScript or ActiveX.) Using a custom post, you can specify the entire post body and any non-default HTTP headers.
  1. On the Main tab, click Access Policy > AAA Servers > HTTP. The HTTP Servers screen displays.
  2. Click Create. The New Server properties screen opens.
  3. In the Name field, type a unique name for the authentication server.
  4. For the Authentication Type setting, select Custom Post.
  5. In the Start URI field, type a URL resource, for example, http://plum.tree.lab2.sp.companynet.com/. If you specify a Start URI, Access Policy Manager resolves the Form Action against it to build the final URL for the HTTP POST. If you do not specify a Start URI, the Form Action must be an absolute URL, and Access Policy Manager posts to it directly.
  6. In the Form Action field, type the POST URL, the submit URL, or a URL relative to the Start URI.
  7. For the Successful Logon Detection Match Type setting, select the method that the authenticating server uses.
  8. For the Successful Logon Detection Match Value, type a value depending on the Successful Logon Detection Match Type that you selected:
    • By Resulting Redirect URL - Specify the URL that the server redirects to after a successful logon (the value of its Location header) if you selected this type.
    • By Presence of Specific String in Cookie - Specify a single string if you selected this type.
      Note: With this option, when APM receives a duplicate cookie, it adds it to the existing cookie list. As a result, multiple cookies with the same name, domain, and path can exist and can be searched.
    • By Presence of Cookie That Exactly Matches - Specify the exact key fields (name, path, and domain) that are present in the HTTP response cookie if you select this type. Failure to supply the exact number of keys and the exact values for the HTTP response cookie results in a No matching cookie found error.
      Note: This option supports cookie merge functionality. When APM receives a cookie that has the same name, domain, and path as an existing cookie, it merges it into the existing cookie.
    • By Specific String in Response - Specify a string if you select this option.
  9. In the Number Of Redirects To Follow field, type the maximum number of HTTP redirects that Access Policy Manager follows after the custom post before it treats the logon as failed.
  10. From the Content Type list, select an encoding for the HTTP custom post. The default setting is XML UTF-8.
    Note: If you select None, you must add a header in the Custom Headers setting and you must apply your own encoding through an iRule.
  11. In the Custom Body field, specify the body for the HTTP custom post.
  12. For Custom Headers, specify names and values for header content to insert in the HTTP custom post.
  13. Click Finished. The new server displays on the list.
This creates an HTTP AAA server that provides a custom post for authentication.
To put this authentication into effect, add this AAA server to an HTTP Auth action in an access policy.
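The following Python model is added here as an example; it is not part of the APM product or of this manual. It walks through what the settings in the three procedures above amount to when Access Policy Manager talks to the external server: the 401 challenge a Basic/NTLM Start URI must return, how a relative Form Action is resolved against the Start URI, what a GET versus a POST form submission looks like on the wire, why a custom post with Content Type None needs a Content-Type custom header, how the redirect limit bounds the exchange, and how each Successful Logon Detection Match Type is evaluated (including duplicate cookies for the string match and the name/domain/path triple for the exact match). The Response class, the function names and the match-type keys are assumptions; constructed responses stand in for the external server.

```python
"""Model of what an APM HTTP AAA server does with the settings above: resolve
the Form Action against the Start URI, build the Basic/NTLM, form-based or
custom-post request, follow a bounded number of redirects, and apply the
Successful Logon Detection match. Added example, not F5 code; the Response
class and every function name here are assumptions."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    """Constructed stand-in for the back-end HTTP response APM receives."""
    status: int
    headers: dict = field(default_factory=dict)  # Set-Cookie may be a list
    body: str = ""


def is_auth_challenge(resp):
    """A Basic/NTLM Start URI must answer an unauthenticated request with
    401 and a WWW-Authenticate header naming Basic or NTLM."""
    scheme = resp.headers.get("WWW-Authenticate", "").split(" ")[0]
    return resp.status == 401 and scheme in ("Basic", "NTLM")


def resolve_form_action(start_uri, form_action):
    """With a Start URI, a relative Form Action is resolved against it;
    without one, the Form Action must already be absolute."""
    if start_uri:
        return urljoin(start_uri, form_action)
    if not urlsplit(form_action).scheme:
        raise ValueError("Form Action must be absolute when no Start URI is set")
    return form_action


def build_form_request(method, action, user_param, pass_param, hidden, user, password):
    """Return (method, url, headers, body) for form-based authentication.
    GET puts the credentials in the query string, where proxies and web
    servers routinely log them; POST keeps them in the body."""
    params = dict(hidden)          # hidden parameters the logon form requires
    params[user_param] = user
    params[pass_param] = password
    encoded = urlencode(params)
    if method == "GET":
        sep = "&" if urlsplit(action).query else "?"
        return ("GET", action + sep + encoded, {}, "")
    return ("POST", action, {"Content-Type": "application/x-www-form-urlencoded"}, encoded)


def build_custom_post(action, content_type, body, custom_headers):
    """Custom post: the body is sent verbatim. Content Type 'None' (modelled
    as None) is only valid when Custom Headers supply Content-Type."""
    headers = dict(custom_headers)
    if content_type is not None:
        headers["Content-Type"] = content_type
    elif "Content-Type" not in headers:
        raise ValueError("Content Type None requires a Content-Type custom header")
    return ("POST", action, headers, body)


def follow_redirects(first, fetch, max_redirects):
    """Follow Location headers at most max_redirects times. Returns the final
    response, or None when the limit is exhausted (logon treated as failed)."""
    resp, hops = first, 0
    while resp.status in REDIRECT_STATUSES and "Location" in resp.headers:
        if hops == max_redirects:
            return None
        resp = fetch(resp.headers["Location"])
        hops += 1
    return resp


def cookies_in(resp):
    """Every Set-Cookie header as (name, domain, path, value). Duplicates are
    kept, as the 'specific string in cookie' match type expects."""
    raw = resp.headers.get("Set-Cookie", [])
    out = []
    for line in [raw] if isinstance(raw, str) else raw:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            out.append((name, morsel["domain"], morsel["path"], morsel.value))
    return out


def logon_succeeded(match_type, match_value, resp):
    """Apply the Successful Logon Detection Match Type to a response."""
    if match_type == "redirect_url":
        return resp.status in REDIRECT_STATUSES and resp.headers.get("Location") == match_value
    if match_type == "cookie_string":
        return any(match_value in f"{n}={v}" for n, _, _, v in cookies_in(resp))
    if match_type == "cookie_exact":          # name, domain and path must all match
        want = (match_value["name"], match_value["domain"], match_value["path"])
        return any((n, d, p) == want for n, d, p, _ in cookies_in(resp))
    if match_type == "response_string":
        return match_value in resp.body
    raise ValueError(f"unknown match type {match_type!r}")
```

Two points from the model matter when you fill in the screens. The redirect limit and the By Resulting Redirect URL match interact: that match reads the Location header of the response that is itself a redirect, so set a limit that stops before Access Policy Manager follows past the redirect you want to inspect. And the exact-cookie match compares all three keys; a cookie set without an explicit Domain attribute has an empty domain in the response, and the value you configure must match that exactly.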

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and all per-request policy names.
  4. From the Profile Type list, select one:
    • LTM-APM - Select for a web access management configuration.
    • SSL-VPN - Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL - Select to support LTM-APM and SSL-VPN access types.
    • SSO - Select to configure matching virtual servers for Single Sign-On (SSO).
      Note: No access policy is associated with this type of access profile.
    • RDG-RAP - Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit - Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent - Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication - Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service - Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      Note: You can edit Identity Service profile properties.
    Note: Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. Access Policy Manager serves its pages in the highest-priority language from the browser's Accept-Language list that is also on the accepted languages list. If none of the browser's languages matches, Access Policy Manager uses the default language.
  6. Click Finished.
This creates an access profile with a default access policy.

Using HTTP authentication in an access policy

Before you can set up an access policy to use HTTP authentication, you must have at least one HTTP AAA server configured.
You configure an access policy with an HTTP Auth action when you want users to authenticate using one of the HTTP authentication types that Access Policy Manager (APM) supports: Basic, NTLM, form-based, or custom.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
  5. Make any changes that you require to the logon page properties and click Save. The properties screen closes and the visual policy editor displays.
  6. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  7. On the Authentication tab, select HTTP Auth and click Add item. A properties popup screen opens.
  8. From the AAA Server list, select the AAA HTTP server you want to use for authentication.
  9. Optional: Add any other branches and actions that you need to complete the access policy.
  10. Click Save. The properties screen closes and the visual policy editor displays.
  11. Click Apply Access Policy to save your configuration.
This adds an HTTP AAA authentication server to the access policy.
To put the access policy into effect, add it to a virtual server.

Creating a virtual server

When creating a virtual server for an access policy, specify an IP address for a single host as the destination address.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type a port number or select a service name from the Service Port list.
  6. From the HTTP Profile list, select http.
  7. If you use server SSL for this connection, from the SSL Profile (Server) list, select a server SSL profile.
  8. If you use client SSL for this profile, from the SSL Profile (Client) list, select a client SSL profile.
  9. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  10. From the Connectivity Profile list, select a connectivity profile. If you have not defined a profile specific to the traffic directed to this virtual server, you can select the default connectivity profile, connectivity.
  11. Click Finished.
You have configured a host virtual server and associated an access profile with it.

Overview: Configuring HTTPS authentication

You can configure HTTP AAA authentication to use server-side SSL (HTTPS). To set up this configuration, you must first configure one HTTP AAA server that supports the type of authentication that you want to use: HTTP Basic/NTLM, form-based, or custom post.

HTTP AAA server configuration notes

Configure the HTTP AAA server so that in the Start URI or Form Action field you use:
  • The http scheme (not https), because the HTTP AAA server itself connects in clear text; the virtual server in this configuration adds the SSL layer on the way to the external server
  • The host name of the external HTTP server (rather than the IP address), so that DNS on the BIG-IP system can direct the connection to the virtual server
For example: http://plumtree.lab2.sp.companynet.com.

Virtual server configuration notes

Configure the virtual server so that the HTTP AAA server's connection to the external HTTP server's host name (the same host name used in the HTTP AAA server configuration) arrives at this virtual server rather than at the external server.

Important: Set the Destination Address to the IP address that the host name resolves to on the BIG-IP system, for example, the address that plumtree.lab2.sp.companynet.com resolves to, and set the Service Port to HTTP.
To ensure that SSL is used between the HTTP AAA server and the external HTTP server, the virtual server configuration includes a server SSL profile and a pool with a member that uses SSL.

DNS configuration notes

The DNS configuration on the BIG-IP system must send traffic to the virtual server instead of the external HTTP server.

Note: This implementation does not explain how to configure DNS.

Task summary

Before you start these tasks, configure an HTTP AAA server.

Creating a pool for HTTPS authentication

You create a pool (HTTPS) so that you can assign it to a virtual server (HTTP) that accepts HTTP traffic and provides server-side SSL using this pool.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Scroll down to the Resources area.
  5. In the New Members Address field, type the IP address of the external HTTPS authentication server.
  6. From the Service Port list, select HTTPS.
  7. Click Add.
  8. Click Finished.

Creating a virtual server for HTTPS authentication

You create a virtual server that accepts HTTP traffic, encrypts it (using a server SSL profile), and passes it to an HTTPS server to provide secure communication between the BIG-IP system and an external HTTP authentication server.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address of the external HTTP server. This must be the address that the host name in the HTTP AAA server configuration resolves to on the BIG-IP system, so that the HTTP AAA server's connection lands on this virtual server.
  5. From the Service Port list, select HTTP.
  6. From the SSL Profile (Server) list, select a profile. This ensures that there is an SSL connection between the HTTP virtual server and the external HTTPS server.
  7. From the VLAN and Tunnel Traffic list, select Enabled on...
  8. From the Source Address Translation list, select Auto Map.
  9. Scroll all the way down to the Resources area and from the Default Pool list, select the pool you configured previously. The pool must contain a member configured for HTTPS.
  10. Click Finished.
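The chain built by the notes and the two tasks above has several settings that must agree with each other (http scheme and host name in the HTTP AAA server, DNS on the BIG-IP system pointing that host name at the virtual server, HTTP service port plus a server SSL profile on the virtual server, and an HTTPS pool member), and a mismatch in any one of them either breaks authentication or silently sends credentials to the external server in clear text. The following Python check is added here as an example, not F5 code and not a tmsh or iControl interface: it takes the relevant settings as plain dictionaries whose key names are assumptions and reports every inconsistency it finds, so you can run the same checks against values copied out of your own configuration.

```python
"""Consistency check for the HTTPS authentication chain described above:
HTTP AAA server (clear text, http scheme, host name) -> DNS on the BIG-IP
system -> HTTP virtual server with a server SSL profile -> pool member on
HTTPS. Added example, not F5 code; the dictionaries model the relevant
settings and their key names are assumptions, not tmsh or iControl fields."""
import ipaddress
from urllib.parse import urlsplit


def is_ip_literal(host):
    """True when the host part of a URL is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_https_auth_chain(aaa, dns, virtual, pool):
    """Return a list of findings; an empty list means the chain is consistent.
    aaa:     {"start_uri": url or None, "form_action": url or None}
    dns:     {host name: address the BIG-IP system resolves it to}
    virtual: {"destination", "port", "server_ssl_profile", "pool"}
    pool:    {"name", "members": [(address, port), ...]}"""
    findings = []
    for setting in ("start_uri", "form_action"):
        url = aaa.get(setting)
        if not url:
            continue
        parts = urlsplit(url)
        if setting == "form_action" and not parts.scheme and not parts.netloc:
            continue                      # relative: resolved against the Start URI
        if parts.scheme != "http":
            findings.append(f"{setting}: scheme must be http (the virtual server adds SSL); "
                            f"got {parts.scheme!r}")
        host = parts.hostname
        if not host or is_ip_literal(host):
            findings.append(f"{setting}: use the external server's host name, not an IP address")
        elif dns.get(host) != virtual["destination"]:
            findings.append(f"{setting}: {host} resolves to {dns.get(host)} on the BIG-IP system, "
                            f"not to the virtual server at {virtual['destination']}")
    if virtual["port"] != 80:
        findings.append("virtual server: Service Port must be HTTP (80); "
                        "the HTTP AAA server connects with the http scheme")
    if not virtual.get("server_ssl_profile"):
        findings.append("virtual server: no server SSL profile, so credentials would "
                        "reach the authentication server in clear text")
    if virtual.get("pool") != pool["name"]:
        findings.append(f"virtual server: default pool is {virtual.get('pool')!r}, "
                        f"expected {pool['name']!r}")
    if not pool["members"] or any(port != 443 for _, port in pool["members"]):
        findings.append("pool: every member must use the HTTPS service port (443)")
    return findings
```

The server SSL profile check is the one to treat as a blocker: without it the virtual server still forwards the request and the logon may even succeed, but the encryption the whole configuration exists to provide is absent.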

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and all per-request policy names.
  4. From the Profile Type list, select one:
    • LTM-APM - Select for a web access management configuration.
    • SSL-VPN - Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL - Select to support LTM-APM and SSL-VPN access types.
    • SSO - Select to configure matching virtual servers for Single Sign-On (SSO).
      Note: No access policy is associated with this type of access profile.
    • RDG-RAP - Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit - Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent - Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication - Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service - Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      Note: You can edit Identity Service profile properties.
    Note: Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. Access Policy Manager serves its pages in the highest-priority language from the browser's Accept-Language list that is also on the accepted languages list. If none of the browser's languages matches, Access Policy Manager uses the default language.
  6. Click Finished.
This creates an access profile with a default access policy.

Using HTTP authentication in an access policy

Before you can set up an access policy to use HTTP authentication, you must have at least one HTTP AAA server configured.
You configure an access policy with an HTTP Auth action when you want users to authenticate using one of the HTTP authentication types that Access Policy Manager (APM) supports: Basic, NTLM, form-based, or custom.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
  5. Make any changes that you require to the logon page properties and click Save. The properties screen closes and the visual policy editor displays.
  6. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  7. On the Authentication tab, select HTTP Auth and click Add item. A properties popup screen opens.
  8. From the AAA Server list, select the AAA HTTP server you want to use for authentication.
  9. Optional: Add any other branches and actions that you need to complete the access policy.
  10. Click Save. The properties screen closes and the visual policy editor displays.
  11. Click Apply Access Policy to save your configuration.
This adds an HTTP AAA authentication server to the access policy.
To put the access policy into effect, add it to a virtual server.

Adding the access profile to the virtual server

You associate the access profile with the virtual server so that Access Policy Manager can apply the profile to incoming traffic.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  4. Click Update to save the changes.
Your access policy is now associated with the virtual server.