Manual Chapter : Configuring AAA Servers in APM

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 12.0.0
Manual Chapter

Configuring AAA Servers in APM

About VMware View and APM authentication types

You can authenticate View Clients in Access Policy Manager® (APM®) using the types of authentication that View Clients support: Active Directory authentication (required) and RSA SecurID authentication (optional). APM supports these authentication types with AAA servers that you configure in APM.

For more information, refer to BIG-IP® Access Policy Manager®: Authentication and Single-Sign On at http://support.f5.com.

Task summary

You need at least one AAA Active Directory server object in APM to support AD authentication for VMware View. If you also want to collect RSA PINs, you need at least one AAA SecurID server object in APM.

Task list

Configuring an Active Directory AAA server

You configure an Active Directory AAA server in Access Policy Manager® (APM®) to specify domain controllers for APM to use for authenticating users.
  1. On the Main tab, click Access Policy > AAA Servers > Active Directory .
    The Active Directory Servers list screen opens.
  2. Click Create.
    The New Server properties screen opens.
  3. In the Name field, type a unique name for the authentication server.
  4. In the Domain Name field, type the name of the Windows domain.
  5. For the Server Connection setting, select one of these options:
    • Select Use Pool to set up high availability for the AAA server.
    • Select Direct to set up the AAA server for standalone functionality.
  6. If you selected Direct, type a name in the Domain Controller field.
  7. If you selected Use Pool, configure the pool:
    1. Type a name in the Domain Controller Pool Name field.
    2. Specify the Domain Controllers in the pool by typing the IP address and host name for each, and clicking the Add button.
    3. To monitor the health of the AAA server, you have the option of selecting a health monitor: only the gateway_icmp monitor is appropriate in this case; you can select it from the Server Pool Monitor list.
  8. In the Admin Name field, type a case-sensitive name for an administrator who has Active Directory administrative permissions.
    An administrator name and password are required for an AD Query access policy item to succeed when it includes particular options. Credentials are required when a query includes an option to fetch a primary group (or nested groups), to prompt a user to change password, or to perform a complexity check for password reset.
  9. In the Admin Password field, type the administrator password associated with the Domain Name.
  10. In the Verify Admin Password field, retype the administrator password associated with the Domain Name setting.
  11. In the Group Cache Lifetime field, type the number of days.
    The default lifetime is 30 days.
  12. In the Password Security Object Cache Lifetime field, type the number of days.
    The default lifetime is 30 days.
  13. From the Kerberos Preauthentication Encryption Type list, select an encryption type.
    The default is None. If you specify an encryption type, the BIG-IP® system includes Kerberos preauthentication data within the first authentication service request (AS-REQ) packet.
  14. In the Timeout field, type a timeout interval (in seconds) for the AAA server. (This setting is optional.)
  15. Click Finished.
    The new server displays on the list.
This adds the new Active Directory server to the Active Directory Servers list.

Configuring a SecurID AAA server in APM

Configure a SecurID AAA server for Access Policy Manager® (APM®) to request RSA SecurID authentication from an RSA Manager authentication server.
  1. On the Main tab, click Access Policy > AAA Servers .
    The AAA Servers list screen opens.
  2. On the menu bar, click AAA Servers By Type, and select SecurID.
    The SecurID screen opens and displays the servers list.
  3. Click Create.
    The New Server properties screen opens.
  4. In the Name field, type a unique name for the authentication server.
  5. In the Configuration area, for the Agent Host IP Address (must match the IP address in SecurID Configuration File) setting, select an option as appropriate:
    • Select from Self IP List: Choose this when there is no NAT device between APM and the RSA Authentication Manager. Select an IP from the list of those configured on the BIG-IP® system (in the Network area of the Configuration utility).
    • Other: Choose this when there is a NAT device in the network path between Access Policy Manager and the RSA Authentication Manager server. If selected, type the address as translated by the NAT device.
    Note: This setting does not change the source IP address of the packets that are sent to the RSA SecurID server. (Layer 3 source addresses remain unchanged.) The agent host IP address is used only in Layer 7 (application layer) information that is sent to the RSA SecurID server.
  6. For the SecurID Configuration File setting, browse to upload the sdconf.rec file.
    Consult your RSA Authentication Manager administrator to generate this file for you.
  7. Click Finished.
    The new server displays on the list.
This adds a new RSA SecurID server to the AAA Servers list.