Configuring 2FA for BigIP management interface using RSA

Thanks a lot Martijn. Do you have any more details on the setup process on both ends (F5 and RSA)? Looks like our RSA server is not configured for Radius authentication. Thanks a lot

The Radius configuration will likely depend on the version of Authentication Manager you are running. I suggest you check the RSA community site or contact your RSA SE for that part. If you do go the RSA Radius route then remember that all Radius authenticated users will get the same access to Big-IP unless you also implement Remote Role Groups which I presume would be based on a returned Radius attribute.

I suggest after you enable Radius on AM that you try adding a Radius attribute to the user or group and then capture with Wireshark to see exactly how the attribute is passed. The RSA community site tells you how to decrypt Radius use the Secret key. Unfortunately I have only done Remote Role Groups with Tacacs therefore I cannot provide you a specific Radius example.

Hi,

Assuming you are on a recent version of RSA AM (version 8.x) you do the following:

On the RSA Server:

In the RSA Operations Console go to Deployment Configuration -> RADIUS Servers an make sure you RADIUS server is started.

In the RSA Security Console go to RADIUS -> RADIUS Clients -> Add New to configure the F5 BIG-IP as a RADIUS client. Do not forget to create a RSA Agent Host for your F5 BIG-IP. This can be done when creating the RADIUS client by clicking on 'Save & Create Associated RSA Agent'.

On the F5 BIG-IP:

Go to System -> Users -> Authentication and change the user directory from local to Remote - RADIUS.

As David says, if you do not configure the rest, all RSA users are able to log in to your F5 BIG-IP. You can create Remote Role Groups as mentioned.

You can also make the created RSA Agent host a restricted agent so only one RSA user group may access this RSA Agent. By adding only F5 administrators in this group, you can restrict access to the F5 BIG-IP.

Hope this helps.

Regards, Martijn.

Thanks a lot Martijn. Do you have any more details on the setup process on both ends (F5 and RSA)? Looks like our RSA server is not configured for Radius authentication. Thanks a lot

The Radius configuration will likely depend on the version of Authentication Manager you are running. I suggest you check the RSA community site or contact your RSA SE for that part. If you do go the RSA Radius route then remember that all Radius authenticated users will get the same access to Big-IP unless you also implement Remote Role Groups which I presume would be based on a returned Radius attribute.

I suggest after you enable Radius on AM that you try adding a Radius attribute to the user or group and then capture with Wireshark to see exactly how the attribute is passed. The RSA community site tells you how to decrypt Radius use the Secret key. Unfortunately I have only done Remote Role Groups with Tacacs therefore I cannot provide you a specific Radius example.

Hi,

Assuming you are on a recent version of RSA AM (version 8.x) you do the following:

On the RSA Server:

In the RSA Operations Console go to Deployment Configuration -> RADIUS Servers an make sure you RADIUS server is started.

In the RSA Security Console go to RADIUS -> RADIUS Clients -> Add New to configure the F5 BIG-IP as a RADIUS client. Do not forget to create a RSA Agent Host for your F5 BIG-IP. This can be done when creating the RADIUS client by clicking on 'Save & Create Associated RSA Agent'.

On the F5 BIG-IP:

Go to System -> Users -> Authentication and change the user directory from local to Remote - RADIUS.

As David says, if you do not configure the rest, all RSA users are able to log in to your F5 BIG-IP. You can create Remote Role Groups as mentioned.

You can also make the created RSA Agent host a restricted agent so only one RSA user group may access this RSA Agent. By adding only F5 administrators in this group, you can restrict access to the F5 BIG-IP.

Hope this helps.

Regards, Martijn.