Applies To:
Show VersionsBIG-IQ Centralized Management
- 5.4.0
About AAA server support
Access in BIG-IQ® Centralized Management interacts with authentication, authorization, and accounting (AAA) servers that contain user information. Access supports the following AAA servers:
- RADIUS (authentication and accounting)
- LDAP (authentication and query)
- Active Directory (authentication and query)
- SecurID
- HTTP
- Oracle Access Manager
- OCSP Responder
- CRLDP
- TACACS+ (authentication and accounting)
- Kerberos (authentication and authorization)
A typical configuration includes:
- An AAA server configuration object that specifies information about the external AAA server.
- An access policy that includes a logon item to obtain credentials and an authentication item that uses the credentials to authenticate against a specific AAA server.
About RADIUS authentication
BIG-IQ® Access supports authenticating and authorizing the client against external RADIUS servers. When a client connects with the user name and password, BIG-IQ Access authenticates against the external server on behalf of the client, and authorizes the client to access resources if the credentials are valid.
Configure a RADIUS AAA server
About LDAP authentication
Use BIG-IQ Access to configure an LDAP AAA server You can use LDAPS in place of LDAP when the authentication messages between BIG-IP APM and the LDAP server must be secured with encryption. However, there are instances where you will not need LDAPS and the security it provides. For example, authentication traffic happens on the internal side of Access, and might not be subject to observation by unauthorized users. Another example of when not to use LDAPS is when authentication is used on separate VLANs to ensure that the traffic cannot be observed by unauthorized users.
LDAPS is achieved by directing LDAP traffic over a virtual server that uses server side SSL to communicate with the LDAP server. Essentially, the system creates an LDAP AAA object that has the address of the virtual server. That virtual server (with server SSL) directs its traffic to a pool, which has as a member that has the address of the LDAP server.
Configure an LDAP AAA server
About Active Directory authentication
Use BIG-IQ Access to configure an Active Directory AAA server. You can authenticate using Active Directory authentication with BIG-IQ Access, which supports using Kerberos-based authentication through Active Directory.
Configure an Active Directory AAA server
You configure an Active Directory AAA server to specify domain controllers for Access to use for authenticating users.
About SecurID authentication
RSA SecurID is a two-factor authentication mechanism based on a one-time passcode (OTP) that is generated by using a token code provided by a software or hardware authenticator. A token is a one-time authentication code generated every 60 seconds by an authenticator (hardware or software) assigned to the user.
Configure a SecurID AAA server
About HTTP authentication
An HTTP AAA server directs users to an external web-based server to validate credentials. BIG-IQ Access supports these HTTP authentication types:
- HTTP form-based authentication - Directs users to a form action URL and provides the specified form parameters
- HTTP basic authentication - Directs users to a URI
- HTTP NTLM authentication - Directs users to a URI
- HTTP custom post - Directs users to a POST URL, a submit URL, or a relative URL and provides the specified content
Configuring an HTTP server for form-based authentication
Configuring an HTTP server for Basic/NTLM authentication
Configure an HTTP server for custom post authentication
About Oracle Access Manager integration with Access
You can configure only one AAA Oracle Access Manager (OAM) server, but it can support multiple AccessGates from the same Access server. When you create a AAA OAM server, its transport security mode must match the setting in the OAM access server.
Configure an OAM AAA server
About OCSP authentication
BIG-IQ Centralized Management supports authenticating a client using Online Certificate Status Protocol (OCSP). OCSP is a mechanism used to retrieve the revocation status of an X.509 certificate by sending machine or user certificate information to a remote OCSP responder. This responder maintains up-to-date information about the certificate's revocation status. OCSP ensures that the BIG-IQ system always obtains real-time revocation status during the certificate verification process.
Configure an OCSP responder
About CRLDP authentication
BIG-IQ Centralized Management supports retrieving Certificate Revocation Lists (CRLs) from network locations (distribution points). A Certificate Revocation List Distribution Point (CRLDP) AAA server defines how to access a CRL file from a distribution point. A distribution point is either an LDAP Uniform Resource Identifier (URI), a directory path that identifies the location where the CRLs are published, or a fully qualified HTTP URL.
Configure a CRLDP AAA server
About TACACS+ authentication
BIG-IQ Centralized Management supports authenticating and authorizing the client against Terminal Access Controller Access Control System (TACACS+) servers. TACACS+ is a mechanism used to encrypt the entire body of the authentication packet. If you use TACACS+ authentication, user credentials are authenticated on a remote TACACS+ server. If you use the TACACS+ Accounting feature, the accounting service sends start and stop accounting records to the remote server.
The Access feature of BIG-IQ supports TACACS+ authentication with the TACACS+ Auth access policy item and supports TACACS+ accounting with the TACACS+ Acct access policy item.
Configure a TACACS+ AAA server
About Kerberos authentication
BIG-IQ® Centralized Management® provides an alternative to the form-based login authentication method. Instead, an HTTP 401 (unauthorized) or HTTP 407 (proxy authentication required) response triggers a browser login screen to collect credentials.
This option is useful when a user is already logged in to the local domain and you want to avoid submitting an HTTP form for collecting user credentials. The browser automatically submits credentials to the server and bypasses the login box to collect the credentials again.
The benefits of this feature include:
- Provides flexible login mechanism instead of restricting you to use only the form-based login method.
- Eliminates the need for domain users to explicitly type login information again to log in to BIG-IQ.
- Eliminates the need for user password transmission with Kerberos method.
Configure a Kerberos AAA server
Configure a Kerberos AAA server so that you can add it to a Kerberos authentication action in an access policy.
.About SSO profiles
SAML 2.0 in BIG-IQ® Centralized Management® specifies an SSO profile that involves exchanging information among an identity provider (IdP), a service provider (SP), and a user. The IdP can be any SSO service offering SAML authentication services
Configure an SSO profile
Configure an SSO profile to configure the BIG-IQ system for single sign-on.
.Configure BIG-IQ for device posture checks with endpoint management systems
When you check the device posture of a mobile device from your endpoint management system, before allowing access to the corporate network, you can configure BIG-IQ Centralized Management to verify the mobile device posture. The verification comes from the endpoint management system before allowing access from the access policy. An endpoint management system also controls the corporate data on mobile devices. Edge Client establishes a VPN connection with BIG-IP® APM® and an endpoint management system (Airwatch, Maas360, or Microsoft Intune ) manages and sends device details to APM.
Configure an endpoint management system
To set up API credentials for an Airwatch endpoint management system, do these steps.
To set up API credentials for an IBM Mass360 endpoint management system, do these steps.
To set up API credentials for a Microsoft Intune endpoint management system, do these steps.