Forum Discussion

opers13_3280
Sep 08, 2009

F5 and RSA Token.

We are in the process of deploying two-factor authentication... do I need any "special" config on the F5 side for it to pass authentication at all?

Thanks
  • I think you need an Authentication module license for this. You need to check with your F5 account manager who can tell you if you already have a license for this.

    CB

  • hoolio
    What are you actually trying to do? You could potentially use RSA to authenticate admin traffic. This does not require an Advanced Client Authentication module. You could use RSA to authenticate client traffic. As cmbhatt suggests, this would require the ACA add-on license. Or you could be just trying to load balance or route RADIUS communication through LTM.

    If you provide more detail on what you're trying to accomplish, people can give you some direction.

    Aaron
  • Ok... never mind the original question. Here's what our server guys are trying to accomplish:

    I'm currently load balancing terminal services (RDP) internally and externally. Now, we will soon deploy 2-factor auth, but would like the F5 to use RSA to authenticate external connections, and internal connections would get prompted for AD credentials only and not RSA.

    So, sounds like I would need an Advanced Client Authentication module... how do I verify if I have it installed or not?

    I'm assuming I would also need an iRule??

    Thanks!
  • hoolio
    If you want to have LTM perform client authentication on a VIP you would need the ACA license. You can check to see if the ACA is listed as active or optional in your /config/bigip.license or in the GUI under System | License. If you see ADD CLIENT AUTHENTICATION under the Optional section you don't have it. You can contact your F5 account manager to get a quote for adding it. You need a license per LTM unit.

    There is a default LDAP authentication iRule in the /config/profile_base.conf file. You can think of that as a starting point for implementing the authentication. You'll probably want to copy the default iRule and customise it to provide better client feedback for authentication failures.

    Aaron
  • Thanks Aaron... I actually came across another thread that you replied to with some useful links and realized I don't have the ACA module.

    Ok, so with the ACA module and an iRule I should be able to distinguish between external and internal traffic and apply separate authentication methods?
  • hoolio
    If you're able to separate the clients by VLAN, you could configure the same type of virtual server on the different VLANs and keep things isolated that way. That would be the simplest option. If that's not possible, then you could potentially add two separate auth profiles to the same VS. Redstar mentioned in this post that it worked for him:

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=5842560111

    You might try asking him to post a sample config or explain the logic he used to select the auth profile from the iRule.

    Aaron
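The "two auth profiles on one VS, selected from the iRule" approach described above, written out as an added example. This is not Redstar's config, hoolio's, or anything shipped by F5; it follows the shape of the stock _sys_auth_* rules in profile_base.conf and assumes an LTM with the ACA module, a virtual server that carries HTTP with Basic-auth credentials (plain RDP does not, so this presumes an HTTP front end such as a web access page), two auth profiles named default_ldap (AD) and default_radius (RSA), and 10.0.0.0/8 standing in for the internal address space. The profile names and the address range are constructed placeholders.

```tcl
# Added example, not from the thread or from F5: one iRule that picks the auth
# profile per connection. Assumed: the VS carries HTTP with Basic-auth credentials,
# ACA auth profiles named default_ldap (AD) and default_radius (RSA) exist, and
# 10.0.0.0/8 stands in for the internal address space (all constructed names).
when CLIENT_ACCEPTED {
    # Choose the profile once per TCP connection from the client source address.
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        set auth_profile "default_ldap"
    } else {
        set auth_profile "default_radius"
    }
    set auth_sid 0
    set auth_done 0
}

when HTTP_REQUEST {
    # Once a connection has authenticated, later requests on it pass straight through.
    if { $auth_done } {
        return
    }
    # No credentials supplied yet: challenge the client rather than forwarding.
    if { [string length [HTTP::username]] == 0 } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Remote Access\""
        return
    }
    # Open a PAM session against the selected profile and hand it the credentials.
    set auth_sid [AUTH::start pam $auth_profile]
    AUTH::username_credential $auth_sid [HTTP::username]
    AUTH::password_credential $auth_sid [HTTP::password]
    AUTH::authenticate $auth_sid
    # Hold the request until AUTH_RESULT has a verdict.
    HTTP::collect
}

when AUTH_RESULT {
    # Only act on the session this connection started.
    if { $auth_sid != [AUTH::last_event_session_id] } {
        return
    }
    # Same status convention as the stock _sys_auth_* rules: 0 success, 1 more input wanted.
    set status [AUTH::status]
    if { $status == 0 } {
        set auth_done 1
        HTTP::release
    } elseif { $status == 1 } {
        return
    } else {
        # Record which profile rejected the client so failures show up in /var/log/ltm,
        # then re-challenge instead of silently dropping the connection.
        log local0. "auth failure client=[IP::client_addr] profile=$auth_profile"
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Remote Access\""
    }
}
```

Attach the rule to the VS alongside an HTTP profile and both auth profiles. The address check is only as trustworthy as the path the packet took to reach the VIP, so where the internal and external clients can be put on different VLANs, the separate-VIP layout Aaron suggests is the sturdier split; the single-VS form is the fallback when that is not possible.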
  • hoolio
    If you get something configured and working, could you post an anonymised copy of the VIP, profile and iRule configuration?

    Thanks,
    Aaron