AAA Server SecurID Configuration with Route Domains
Hello,
I have to configure native SecurID authentication on redundant F5s with APM remote access. In the "New Server" definition, I can select "Select from Self IP List". All the Self IPs are in separate Route Domains, i.e. configured with %rd (e.g. %100). I imported the sdconf.rec file.
However, it seems that when a Self IP is selected as "Agent Host IP Address" and I test the authentication, no packet destined for the RSA servers leaves the F5 box. I checked this using TCPDUMP on F5. According to "https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/1.htmlunique_1161688081", "To use route domains for AAA authentication traffic, you must use the pool option in the AAA server configuration."
Has anyone implemented native SecurID authentication using Self IPs in route domains? If not, a possible workaround would probably be to use proxy RADIUS - configure the F5s as RADIUS clients and authenticate over the RADIUS daemon on the RSA AM servers.
Thanks for your suggestions in advance!
Srecko