Forum Discussion

Srecko_M__12636
Sep 30, 2015

AAA Server SecurID Configuration with Route Domains

Hello,


I have to configure native SecurID authentication on redundant F5s with APM remote access. In the "New Server" definition, I can select "Select from Self IP List". All the Self IPs are in separate Route Domains, i.e. configured with %rd (e.g. %100). I imported the sdconf.rec file.


However, it seems that when a Self IP is selected as "Agent Host IP Address", and I test the authentication, no packet destined to the RSA servers leaves the F5 box. I checked this using TCPDUMP on F5. According to https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/1.htmlunique_1161688081: "To use route domains for AAA authentication traffic, you must use the pool option in the AAA server configuration."


Has anyone implemented native SecurID authentication using Self IPs in route domains? If not, a possible workaround would probably be to use proxy RADIUS - configure F5s as RADIUS clients and authenticate over the RADIUS daemon on the RSA AM servers.


Thanks for your suggestions in advance!


Srecko


10 Replies

  • Hi Srecko,

    same issue with one of my clients in TMOS v11.6.1HF1.

    The configuration was created and exported on ACE.

    Imported it to a new AAA Secure-ID profile on the F5 and assigned it in the iApp.

    The /var/log/apm filled up immediately with the following error messages:

    err aced[30456]: 01490000:3: Process[/partition_portale/aaa-server-rsa-secure-id]: AceInitializeEx failed, Cannot communicate with the ACE/Server

    The test with the command line utility as described in SOL12164 failed as well. Routes exist to the ACE server (tested with the rdexec tool from bash) and the ACE server hostname can be resolved via DNS on the F5. We tested both a self IP and floating self IP in the AAA profile to be used as agent IP address.

    Alternatively we tried to access the ACE via the BIG-IP management interface by creating and importing a new configuration file (AAA profile modified accordingly regarding the agent IP address).

    No outgoing traffic visible both on the management interface (eth0) and on the wildcard (0.0) in tcpdump.

    Perhaps you were able to solve the problem?

    Thanks in advance for sharing the solution.

    Cheers, Stephan
  • Hi,

    it seems to me that the ACE configuration file gets somehow corrupted during the import procedure.

    If you extract the configuration file externally, you will see references to the ACE server in cleartext in the sdconf.rec file. These references are gone after the import.

    The imported file can be found under /config/aaa/ace/// after creating the Secure-ID AAA server profile.

    After replacing the sdconf.rec file in this folder, I was able to verify a UDP/5500 connection to the RSA server by using the command line tool combined with the rdexec utility to force the execution in the specified route domain (50 in the example below):

    $ rdexec 50 securidtest -p "/config/aaa/ace/part_application/aaaserver_secure-id/" -s 10.33.115.250 -u medusasecurid -w 123456

    The utility securidtest is described in AskF5 SOL12164.

    The utility rdexec is described in AskF5 SOL13472.

    Cheers, Stephan
  • I think I've heard that there are some limitations when using AAA and route domains, probably since most of the AAA processes are running on RD0. As you mention yourself, RADIUS should provide a workaround since you can specify the route domain.


  • I was receiving this error when I specified the route domain in the Agent Host IP Address under Access Policy -> AAA Servers -> SecurID -> {ace server name}. Changed to just the IP (no route domain) and that fixed.


  • Hi Ryan, that worked for us, too. So the solution is to just specify the IP address of the server without the RD. Thanks!


  • If that is the solution, please post it as an answer (not a comment) so the original poster might accept it as such.
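The two findings in this thread (Stephan's: the imported sdconf.rec loses its cleartext ACE/Server reference, verified with rdexec plus securidtest inside the route domain; Ryan's: the Agent Host IP must be entered without the %rd suffix) can be turned into a pre-flight check. The script below is an added example written for this page, not code from the thread or from F5. It assumes the BIG-IP bash shell; the sdconf.rec directory, route-domain number, RSA server name and test user are placeholders for the operator's values, and rdexec and securidtest (the AskF5 SOL13472 / SOL12164 tools named above) are only invoked when they are present.

```shell
#!/bin/bash
# Added example (not from the thread or from F5): pre-flight checks for a
# native SecurID AAA server on BIG-IP APM when self IPs live in route domains.
# The directory, route domain, server and user values passed in are placeholders.

# Does the agent host IP value carry a route-domain suffix (e.g. 10.1.2.3%100)?
# The thread's fix is to configure the plain IP, so a suffix is flagged.
has_route_domain() {
    case "$1" in
        *%*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the address with any %rd suffix removed.
strip_route_domain() {
    printf '%s\n' "${1%%\%*}"
}

# sdconf.rec is binary, but the ACE/Server name is stored in cleartext;
# grep -a confirms the reference survived the import (Stephan's observation).
sdconf_names_server() {
    file="$1"
    server="$2"
    grep -a -q -- "$server" "$file"
}

# Run securidtest inside route domain $1 via rdexec, only when both tools exist
# on this box; otherwise print the command that would be run and return 2.
run_securid_test() {
    rd="$1"; conf_dir="$2"; server="$3"; user="$4"; passcode="$5"
    if command -v rdexec >/dev/null 2>&1 && command -v securidtest >/dev/null 2>&1; then
        rdexec "$rd" securidtest -p "$conf_dir" -s "$server" -u "$user" -w "$passcode"
    else
        echo "would run: rdexec $rd securidtest -p $conf_dir -s $server -u $user -w ***"
        return 2
    fi
}

# Combine both checks; returns 0 only if the agent IP has no %rd suffix and the
# sdconf.rec in conf_dir still names the RSA server.
preflight() {
    agent_ip="$1"; conf_dir="$2"; server="$3"
    rc=0
    if has_route_domain "$agent_ip"; then
        echo "WARN: agent host IP '$agent_ip' has a route-domain suffix; configure $(strip_route_domain "$agent_ip") instead"
        rc=1
    fi
    if sdconf_names_server "$conf_dir/sdconf.rec" "$server"; then
        echo "OK: $conf_dir/sdconf.rec still references $server"
    else
        echo "WARN: $conf_dir/sdconf.rec does not mention $server; re-copy the exported file into this folder"
        rc=1
    fi
    return $rc
}

# Usage (placeholders): preflight "10.33.115.5" "/config/aaa/ace/part_application/aaaserver_secure-id" "rsa-am.example.test"
#                       run_securid_test 50 "/config/aaa/ace/part_application/aaaserver_secure-id" 10.33.115.250 testuser 123456
```

Run preflight before re-testing with securidtest: a non-zero exit means either the Agent Host IP still carries a route domain or the imported sdconf.rec no longer names the server, which are the two conditions this thread found to block traffic to UDP/5500. The tcpdump check from the original post remains the confirmation that packets actually leave the box.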


  • OM

    Hi all, I went through this issue too, and I found 2 ways to solve it. My topology: 2 F5 apm in high availability mode. Routing domain 0 bound to management interface only. Other routing domains bound to data vlans only. As the APM does not support routing domain other than 0 in high availability, here are the options that solve the problem:


    1- If you have (like me) routing domain 0 bound to the management interface only, then you can configure the RSA Server to accept the client with an alternate IP (in this case, the standby F5 node management IP address). The AAA server must be created in the Common partition. In the AAA server Agent Host IP configuration choose Other and put the management IP address of the F5 failover node. Make sure all firewall rules are opened between the F5 nodes and the RSA server.


    2- You can NAT the management IP addresses of the F5 nodes behind a specific IP when they make a request to the RSA Server on port UDP 5500. This way, the RSA Server sees one IP all the time, no matter which F5 node is active. In the F5 AAA SecurID configuration, go to Agent Host IP and select Other; in the IP address field, put the NATed IP you have chosen in the firewall or router.


    My preferred option is 1, as it does not require any additional changes on the network.


    Omar.