Forum Discussion
Configuring 2FA for BigIP management interface using RSA
I have a requirement to support two-factor authentication on the BIG-IP MGMT interfaces using RSA as the authentication source. The BigIP TMM version is 11.6.1. Looks like the RSA option is not available for the System Authentication policy type. Any idea how to overcome this? Thank you
- MvdGCirrus
Hi,
You can use the RADIUS server component of your RSA server and configure RADIUS as the authentication method of your admin users.
Regards, Martijn
- MazeRunner_3283Nimbostratus
Thanks a lot Martijn. Do you have any more details on the setup process on both ends (F5 and RSA)? Looks like our RSA server is not configured for Radius authentication. Thanks a lot
- David_GillCirrus
The Radius configuration will likely depend on the version of Authentication Manager you are running. I suggest you check the RSA community site or contact your RSA SE for that part. If you do go the RSA Radius route then remember that all Radius authenticated users will get the same access to Big-IP unless you also implement Remote Role Groups which I presume would be based on a returned Radius attribute.
I suggest after you enable Radius on AM that you try adding a Radius attribute to the user or group and then capture with Wireshark to see exactly how the attribute is passed. The RSA community site tells you how to decrypt Radius using the Secret key. Unfortunately I have only done Remote Role Groups with Tacacs, therefore I cannot provide you a specific Radius example.
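The capture-and-inspect step suggested in the post above, as an added example that is not part of the original thread: it parses a RADIUS reply as it would appear in a capture, checks the Response Authenticator against the shared secret, and lists the returned attributes. The secret, request authenticator, vendor id 99999 and attribute values are constructed placeholders, and the Vendor-Specific sub-attribute layout is assumed to follow the format recommended in RFC 2865.

```python
import hashlib, hmac, struct

def tlvs(data):
    """Yield (type, value) pairs from RFC 2865 type/length/value encoding."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def parse_reply(packet, request_auth, secret):
    """Return (code, authenticator_ok, attributes) for a captured RADIUS reply."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    body = packet[20:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    attrs = []
    for atype, value in tlvs(body):
        if atype == 26 and len(value) >= 4:  # Vendor-Specific: vendor id + sub-TLVs
            vendor = struct.unpack("!I", value[:4])[0]
            attrs += [("vsa", vendor, st, sv) for st, sv in tlvs(value[4:])]
        else:
            attrs.append(("std", None, atype, value))
    return code, hmac.compare_digest(expected, packet[4:20]), attrs

def sample_accept(secret, request_auth):
    """Constructed Access-Accept (code 2) with a Class and a Vendor-Specific attribute."""
    cls = b"f5-admins"    # constructed group label
    sub = b"role=admin"   # constructed vendor sub-attribute value
    # 99999 is a placeholder vendor id, not a real vendor's number
    vsa = struct.pack("!I", 99999) + bytes([1, 2 + len(sub)]) + sub
    body = bytes([25, 2 + len(cls)]) + cls + bytes([26, 2 + len(vsa)]) + vsa
    head = struct.pack("!BBH", 2, 7, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

if __name__ == "__main__":
    secret, req_auth = b"constructed-secret", bytes(range(16))
    code, ok, attrs = parse_reply(sample_accept(secret, req_auth), req_auth, secret)
    print("code", code, "authenticator valid:", ok)
    for kind, vendor, atype, value in attrs:
        print(kind, vendor, atype, value)
```

The request authenticator comes from the matching Access-Request (same Identifier) in the capture. Reply attributes such as Class travel unencrypted, so the shared secret is only needed here to confirm the reply was not altered.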
- MvdGCirrus
Hi,
Assuming you are on a recent version of RSA AM (version 8.x) you do the following:
On the RSA Server:
In the RSA Operations Console go to Deployment Configuration -> RADIUS Servers and make sure your RADIUS server is started.
In the RSA Security Console go to RADIUS -> RADIUS Clients -> Add New to configure the F5 BIG-IP as a RADIUS client. Do not forget to create an RSA Agent Host for your F5 BIG-IP. This can be done when creating the RADIUS client by clicking on 'Save & Create Associated RSA Agent'.
On the F5 BIG-IP:
Go to System -> Users -> Authentication and change the user directory from local to Remote - RADIUS.
As David says, if you do not configure the rest, all RSA users are able to log in to your F5 BIG-IP. You can create Remote Role Groups as mentioned.
You can also make the created RSA Agent host a restricted agent so only one RSA user group may access this RSA Agent. By adding only F5 administrators in this group, you can restrict access to the F5 BIG-IP.
Hope this helps.
Regards, Martijn.
- Deepu2017Altostratus
Did anyone do this with DUO for F5 ASM?