jmanya_44531
Oct 10, 2013

F5 APM Radius+Token Authentication

Hello all,


Many days ago I wrote here in order to ask you for support.


I need to deploy an APM solution in order to replace Citrix Access Gateway Enterprise Edition (AGEE). I have configured the AAA servers and the network/webtop resources, but the users cannot even be authenticated. I have re-entered the RADIUS shared key many times, but the error persists. I have also checked that the F5 is registered as a client on the RADIUS server. I have the following mechanism for AAA:


Currently, users need to enter a username, a password and an RSA SecurID token. The RADIUS server (for authentication) gets a pair composed of user+token. The LDAP server (for authorization) gets a pair composed of user+password. RADIUS authentication is handled by RSA; in fact, the RSA Authentication Manager 6.1 (on Windows Server 2003) hosts the RADIUS server itself. I have been thinking of configuring an RSA SecurID server in APM, but currently the AGEE has a RADIUS server (port 1812) declared.


Could you please tell me whether there is a known bug or something similar that affects this deployment? What else could I do, beyond what I have already done?


Thanks in advance.


Regards


Jorge


2 Replies

  • Hamish

    Mmm... What variable names in the login page are you using for the PIN+tokencode and the RADIUS password?


    IIRC, both auth mechanisms assume that the variable is password (the SecurID one does, which conflicts with auto-login for Citrix desktops when using AD auth; I think the RADIUS one will be the same).


    So you need to do some copying around of variable names between the SecurID auth and the RADIUS auth. The good news is that this is quite easy. I do something like:


    1. Alter the login page to save the PIN+token in a variable called pintokencode
    2. Alter the login page to save the RADIUS pass in a var called radiuspass
    3. Just before the SecurID auth, use a variable assignment to copy the pintokencode value to password
    4. Just before the RADIUS auth, use a variable assignment to copy the radiuspass value to password

    [Some assumptions made in here. YMMV]


    H
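As an added illustration of the steps in the reply above (not code from Hamish or from the original thread), here is what the Variable Assign agents and a sanity-check branch rule would look like in the Tcl expression syntax that APM's Visual Policy Editor accepts. The session variable names `session.logon.last.pintokencode` and `session.logon.last.radiuspass` are assumptions built from the field names the reply suggests; the policy is assumed to have two password-type fields on its Logon Page agent whose Session Variable Name has been changed from the default `password` to those two names.

```tcl
# Added example, not part of the forum thread. Assumes the Logon Page agent
# has been customised so that its two password-type fields write to
# session.logon.last.pintokencode (PIN + SecurID tokencode) and
# session.logon.last.radiuspass (the RADIUS password) instead of both
# writing to session.logon.last.password. Variable names are assumptions.

# --- Branch rule, placed right after the Logon Page agent ---
# Guards against the misnamed-field case: if either custom field did not
# populate its session variable, send the session down a fallback branch
# instead of feeding an empty credential to the AAA servers.
expr { [mcget {session.logon.last.pintokencode}] ne "" &&
       [mcget {session.logon.last.radiuspass}]   ne "" }

# --- Variable Assign, placed immediately before the RSA SecurID Auth agent ---
# Target variable : session.logon.last.password   (mark the assignment Secure)
# Custom expression:
expr { [mcget -secure {session.logon.last.pintokencode}] }

# --- Variable Assign, placed immediately before the RADIUS Auth agent ---
# Target variable : session.logon.last.password   (mark the assignment Secure)
# Custom expression:
expr { [mcget -secure {session.logon.last.radiuspass}] }
```

Each auth agent then reads `session.logon.last.password` exactly as it does by default, so the agents themselves need no changes; only the value sitting in that variable differs at the moment each one runs. Using `mcget -secure` and marking the assignment as Secure keeps the copied credentials out of the session report and the APM logs.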


  • Hello Hamish,


    Thanks for your answer. I think that my explanation was not clear enough.


    I meant that users need to fill out the following fields in order to get access:


    So, the current VPN solution has been configured to request authentication and authorization from an RSA+RADIUS server and an LDAP server respectively. In the following image you can see how the AVPs are sent in the current environment:


    Do I need to change the variable names on APM in order to allow a "conversation" between it and the AAA servers?


    Thanks in advance for your help


    Regards


    JM