Forum Discussion
Hi,
You can use the RADIUS server component of your RSA server and configure RADIUS as the authentication method of your admin users.
Regards, Martijn
- Deepu2017, Apr 17, 2019, Altostratus
Did anyone do this with DUO for F5 ASM?
- MazeRunner_3283, Mar 02, 2018, Nimbostratus
Thanks a lot Martijn. Do you have any more details on the setup process on both ends (F5 and RSA)? Looks like our RSA server is not configured for Radius authentication. Thanks a lot
- David_Gill, Mar 03, 2018, Cirrus
The Radius configuration will likely depend on the version of Authentication Manager you are running. I suggest you check the RSA community site or contact your RSA SE for that part. If you do go the RSA Radius route then remember that all Radius authenticated users will get the same access to Big-IP unless you also implement Remote Role Groups which I presume would be based on a returned Radius attribute.
I suggest after you enable Radius on AM that you try adding a Radius attribute to the user or group and then capture with Wireshark to see exactly how the attribute is passed. The RSA community site tells you how to decrypt Radius using the Secret key. Unfortunately I have only done Remote Role Groups with Tacacs; therefore I cannot provide you a specific Radius example.
- Martijn_144688, Mar 05, 2018, Cirrostratus
Hi,
Assuming you are on a recent version of RSA AM (version 8.x) you do the following:
On the RSA Server:
In the RSA Operations Console go to Deployment Configuration -> RADIUS Servers and make sure your RADIUS server is started.
In the RSA Security Console go to RADIUS -> RADIUS Clients -> Add New to configure the F5 BIG-IP as a RADIUS client. Do not forget to create an RSA Agent Host for your F5 BIG-IP. This can be done when creating the RADIUS client by clicking on 'Save & Create Associated RSA Agent'.
On the F5 BIG-IP:
Go to System -> Users -> Authentication and change the user directory from local to Remote - RADIUS.
As David says, if you do not configure the rest, all RSA users are able to log in to your F5 BIG-IP. You can create Remote Role Groups as mentioned.
You can also make the created RSA Agent host a restricted agent so only one RSA user group may access this RSA Agent. By adding only F5 administrators in this group, you can restrict access to the F5 BIG-IP.
Hope this helps.
Regards, Martijn.
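
An added example, not part of the original thread or any poster's code: a small RFC 2865 parser for the inspection step David_Gill suggests, listing the attributes an Access-Accept carries so you can see which one a Remote Role Group would have to match. The sample packet, the vendor ID 99999, the `Class` value and the helper names are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type carrying vendor sub-attributes
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(sub_type, sub_value), ...])."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos + 2 <= len(value):
        s_type, s_len = value[pos], value[pos + 1]
        if s_len < 2 or pos + s_len > len(value):
            raise ValueError("bad vendor sub-attribute length")
        subs.append((s_type, value[pos + 2:pos + s_len]))
        pos += s_len
    return vendor_id, subs

def parse_radius(packet: bytes) -> dict:
    """Parse the UDP payload of a RADIUS packet into code, id and attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured bytes")
    attrs, pos = [], 20  # bytes 4..19 hold the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        value = packet[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and len(value) >= 4:
            attrs.append(("vsa", *parse_vsa(value)))
        else:
            attrs.append(("std", a_type, value))
        pos += a_len
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def _attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

def build_sample() -> bytes:
    """Constructed Access-Accept: Class (25) plus one VSA from made-up vendor 99999."""
    vsa = _attr(VENDOR_SPECIFIC, struct.pack("!I", 99999) + _attr(1, b"role=f5-admin"))
    body = _attr(25, b"f5-admins") + vsa
    return struct.pack("!BBH", 2, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(parse_radius(build_sample()))
```

To use it on a real capture, pass in the UDP payload bytes of the Access-Accept exported from Wireshark in place of `build_sample()`.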