VPN Access with MFA using Edge Client 7.2.1 and APM 16.0

Introduction

Edge Client 7.2.1 supports the OAuth 2.0 authentication flow for native applications. When the administrators of the BIG-IP system configure this feature, authentication is performed entirely in the browser. The user does not have to sign in again when accessing a web application in a browser that uses the same authentication method.

This feature also allows the use of any multi-factor or passwordless authentication that is supported by the browser.


Deploying Okta YubiKey Authentication and BIG-IP APM integration

Supports YubiKey and other U2F/FIDO-based authentication systems

Edge Client 7.2.1 for macOS and Windows can now behave as an OpenID Connect (OIDC) client, obtain a bearer token and present it to APM for authentication. Rather than using Edge Client’s embedded browser, the OIDC support invokes an external browser (the default browser for the OS). This gives a consistent authentication experience and lets Edge Client take part in multi-factor verification (MFA) and Single Sign-On across multiple applications.

Beginning with BIG-IP version 16.0.0, the connectivity profile has OAuth Settings that allow administrators to specify the OIDC server discovery endpoint, Client ID, Scopes, and the Complete Redirection URI. With this release, Edge Client provides the following abilities:

·     Use security keys such as YubiKey and other U2F/FIDO authentication systems as an additional factor of authentication

·     Support password-less authentication through public key registration and authentication

·     Single Sign-On for Edge Client and other enterprise apps that share a common IDP

The figure below shows how the external browser is redirected to the authorization endpoint (the IDP) for OAuth authentication, and how second-factor authentication is completed through the token endpoint.

In this document, the focus is on using YubiKey as the MFA token and Okta as the IDP service.

YubiKey is a hardware-based multi-factor and passwordless authentication device. Adding YubiKey authentication protects the application with another layer of security that verifies the identity of the user. For more information, visit Yubico’s website: https://www.yubico.com/products/

For YubiKey and Okta MFA configuration, please follow the instructions in this document:

https://devcentral.f5.com/s/articles/Application-access-using-YubiKey-Authentication-with-APM-and-Okta

Requirements

The following are the minimum software versions required to perform this configuration; an Identity Provider (IDP) account is also required:

·     BIG-IP version—16.0

·     Edge Client version—7.2.1

·     IDP—Okta account


Configure F5 BIG-IP APM and Okta

Use this section to configure APM so that the VPN uses OAuth authentication, with Okta as the IDP providing the YubiKey factor.

To configure and test YubiKey using Okta multi-factor authentication with APM, complete the following tasks:

·     Configure VPN Network Access

·     Configure Access Profile

·     Configure Virtual Server

·     Configure Applications in Okta

·     Configure Authorization Server Access Policy in Okta

·     Configure Edge Client OAuth Settings

·     Configure Access Profile Visual Policy Editor

Configure VPN Network Access

Step 1:    Navigate to Access>Connectivity/VPN>Network Access (VPN)>+ sign, enter the following information and click Finished:

·     Name—VPN_Default

·     Caption—VPN_Default

Step 2:    Click the Network Settings tab and click the + sign next to IPV4 Lease Pool.

Step 3:    In the New IPV4 Lease Pool window, enter the following information, click Add and then click Finished:

·     Name—NAT_Pool

·     IP Address Range—select

·     Start IP Address—192.168.1.100

·     Ending IP Address—192.168.1.200

·     Add—click

Step 4:    Click the DNS/Hosts tab, enter the following information and click Update.

·     IPV4 Primary Name Server—1.1.1.1

Step 5:    Navigate to Access>Webtops>Webtop Lists>+ sign, enter the following information and click Finished.

·     Name—VPN_Webtops

·     Type—Full

·     Customization Type—Modern


Configure Access Profile

Step 6:    Navigate to Access>Profiles/Policies>Access Profiles (Per-Session Policies)>+ sign, enter the following information and select All for the Profile Type option.

·     Name—VPN_Access

Step 7:    In the Languages option, select English (en), click << and click Finished.


Configure Virtual Server

Step 8:    Navigate to Local Traffic>Virtual Servers>Virtual Server List>+ sign, enter the following information and then move to the next step:

·     Name—VPN_VS

·     Destination Address/Mask—10.1.10.10

·     Service Port—443 HTTPS

Step 9:    In the HTTP Profile (Client) option, select http and then move to the next step.

Step 10: In the SSL Profile (Client) option, select clientssl-secure, click << and then move to the next step.

Step 11: In the Access Profile option, select VPN_Access and click the + sign next to Connectivity Profile.

Step 12: In the Create New Connectivity Profile pop-up window, enter the following information and click OK.

·     Profile Name—VPN_Connectivity

·     Parent Profile—/Common/connectivity

·     FEC Profile—None

Step 13: Back in the New Virtual Server window, click Finished.


Configure OAuth Server

Step 14: Log on to your Okta account, navigate to API>Authorization Servers and click Add Authorization Server.

Step 15: In the Add Authorization Server pop-up window, enter the following information and click Save.

·     Name—F5_VPN

·     Audience—api://default

Step 16: In the F5_VPN Settings window, highlight the following information and copy it (it is used in Step 18).

·     Issuer—https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6

Step 17: Go back to BIG-IP APM, navigate to Access>Federation>OAuth Client / Resource Server>Provider>+ sign, enter the following information and move to the next step.

·     Name—VPN_OAuth

·     Type—Okta

Step 18: In the OpenID URI option, replace the following part of the URI with the Issuer copied in Step 16 and click Save.

·     Replace—https://okta-oauth.local/

·     With—https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6 (copied in Step 16)

·     Retain—.well-known/openid-configuration

·     Final URI—https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6/.well-known/openid-configuration

Step 19: Navigate to Access>Federation>JSON Web Token>Provider List>+ sign, enter the following information and click Save.

·     Name—VPN_JWT

·     Access Token Expires in—60

·     Provider—/Common/VPN_OAuth (click Add)

Step 20: Navigate to Access>Federation>JSON Web Token>Token Configuration, click auto_jwt_VPN_OAuth, enter the following information, click Add and then click Save.

·     Audience—api://default (click Add)
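The following is an added example, not F5's or Okta's code, showing what Steps 18 to 20 set up on the BIG-IP side: the OpenID discovery URI derived from the issuer, and the checks an internal token validator (the mode later selected in the OAuth Scope agent) must apply to every access token, namely signature, issuer, audience and expiry. Okta signs access tokens with RS256 and publishes the keys at the discovery document's jwks_uri; this example uses HS256 with a shared key only so that it runs offline. The key, the subject and the timestamps are constructed values.

```python
# Added example: discovery URI construction (Step 18) and the token checks
# behind the JWT provider / token configuration (Steps 19 and 20).
# HS256 with a shared key stands in for Okta's RS256 so the example is offline.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlsplit

ISSUER = "https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6"  # Issuer from Step 16
AUDIENCE = "api://default"                                         # Audience from Steps 15 and 20
ACCESS_TOKEN_LIFETIME = 60 * 60                                    # Step 19: expires in 60 minutes
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"               # constructed, demo only


def discovery_uri(issuer: str) -> str:
    """Derive the OpenID discovery URI from the issuer, as done by hand in Step 18."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an absolute https URL")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; stands in for the token endpoint in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, key: bytes, issuer: str, audience: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check must pass before the token is trusted."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return False, "malformed token"
    # Pin the algorithm; never let the token choose it (this rejects alg=none).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired or missing exp"
    return True, "ok"


def demo(now: float = 1_600_000_000.0) -> dict:
    """Mint one good and several bad tokens and report the validator's verdict for each."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user@example.com",  # constructed subject
            "iat": now, "exp": now + ACCESS_TOKEN_LIFETIME}
    cases = {
        "good": make_token(base, DEMO_KEY),
        "wrong_audience": make_token({**base, "aud": "api://other"}, DEMO_KEY),
        "wrong_issuer": make_token({**base, "iss": "https://other.example/oauth2/x"}, DEMO_KEY),
        "expired": make_token({**base, "exp": now - 1}, DEMO_KEY),
        "wrong_key": make_token(base, b"another-key"),
    }
    return {name: validate_token(tok, DEMO_KEY, ISSUER, AUDIENCE, now)[1]
            for name, tok in cases.items()}


if __name__ == "__main__":
    print(discovery_uri(ISSUER))
    for name, reason in demo().items():
        print(f"{name:15s} -> {reason}")
```

The audience check is the reason Step 20 adds api://default to the token configuration: a token minted by the same Okta tenant for a different resource carries a different aud and is rejected even though its signature and issuer are valid.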

Step 21: Log on to Okta, navigate to Applications and then click Add Application.

Step 22: In the Create New Application 1 Platform window, select Native (iOS, Android) and then click Next.

Step 23: In the Create New Application 2 Settings window, leave the defaults, enter the following information and click Done.

·     Name—Edge Client

·     Login redirect URIs—http://localhost:8000/

·     Logout redirect URIs—Blank

Step 24: Click the Sign On tab and then click Add Rule.

Step 25: In the App Sign On Rule pop-up window, leave the defaults, enter the following information and click Save.

·     When all the conditions above are met…—Prompt for factor (select)

·     Multifactor Settings—Every sign on


Configure Authorization Server Access Policy in Okta

Step 26: Navigate to API>Authorization Servers and click F5_VPN.

Step 27: In the F5_VPN window, click the Access Policies tab and then click Add New Access Policy.

Step 28: In the Add Policy pop-up window, enter the following information and click Create Policy.

·     Name—VPN

·     Description—VPN

·     Assigned to—The following clients: (Edge Client)

Step 29: Back in the F5_VPN window, on the Access Policies tab, click Add Rule.

Step 30: In the Add Rule pop-up window, leave the defaults, enter the following information and click Create Rule.

·     Name—vpn

·     IF Grant type is—Implicit (uncheck)

·     IF Grant type is—Resource Owner Password (uncheck)

·     AND Scope requested—The following scopes: (select)

·     The following scopes—openid profile (type in the field)


Configure Edge Client OAuth Settings

Step 31: In Okta, navigate to Applications, click ACTIVE and copy the following information under Edge Client.

·     Client ID—0oaqyxogtvilho6ST4x6

Step 32: In APM, navigate to Access>Connectivity/VPN>Connectivity>Profiles, select VPN_Connectivity and click Edit Profile.

Step 33: In the Edit Connectivity Profile pop-up window, under OAuth Settings, paste the Client ID copied in Step 31 and click OK.

·     Client ID—0oaqyxogtvilho6ST4x6
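As an added example (not F5's or Okta's code), the following shows the shape of the request that the Okta application and access-policy rule from Steps 23 and 30 permit for the Edge Client OAuth settings above: an authorization code request (the implicit and resource-owner-password grants were unchecked in Step 30), limited to the scopes openid and profile, redirecting to the loopback URI http://localhost:8000/. It also shows the state check a native client performs on the redirect so that an authorization code is only accepted for the request this client actually started. The Client ID and redirect URI are the page's values; the authorization endpoint URL is assumed (in practice it is read from the discovery document), and PKCE is assumed for the native client, as Okta native applications use it. The loopback redirect at the end is a constructed message, not a captured one.

```python
# Added example: the native-app authorization request permitted by the Okta
# rule in Step 30, a rule check mirroring that policy, and the loopback
# redirect handling (state check) on the client side.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_ID = "0oaqyxogtvilho6ST4x6"       # Client ID from Step 31
REDIRECT_URI = "http://localhost:8000/"  # Login redirect URI from Step 23
SCOPES = ("openid", "profile")           # scopes allowed by the rule in Step 30
# Assumed endpoint; a real client takes authorization_endpoint from the discovery document.
AUTHZ_ENDPOINT = "https://dev-779340.okta.com/oauth2/ausqyzymejeyI9UmX4x6/v1/authorize"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method (assumed)."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def build_authorization_request(state: str, code_challenge: str) -> str:
    """Authorization code request that opens in the external browser."""
    params = {
        "response_type": "code",  # authorization code grant; the implicit grant would use "token"
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def request_allowed_by_rule(url: str) -> bool:
    """Mirror the Step 30 rule: authorization code grant only, scopes within openid/profile."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("response_type") != "code":
        return False
    requested = set(q.get("scope", "").split())
    return bool(requested) and requested <= set(SCOPES)


def parse_loopback_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the loopback redirect, rejecting anything unexpected."""
    parts = urlsplit(redirect_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("redirect arrived at an unregistered URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "error" in q:
        raise ValueError("authorization server returned error: " + q["error"])
    # Constant-time comparison of state binds the response to the request we issued.
    if not secrets.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    if "code" not in q:
        raise ValueError("no authorization code in redirect")
    return q["code"]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_request(state, challenge)
    print(url)
    print("allowed by rule:", request_allowed_by_rule(url))
    # Constructed loopback redirect, as the browser would deliver it to localhost:8000.
    code = parse_loopback_redirect(f"{REDIRECT_URI}?code=demo-code&state={state}", state)
    print("code:", code, "| pkce ok:", verify_pkce(verifier, challenge))
```

Unchecking the implicit grant in Step 30 matters because with response_type=token the access token would be returned in the redirect itself, where it is visible to anything listening on the loopback port; with the code grant only a one-time code travels through the browser and the token is obtained directly by the client.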


Configure Access Profile Visual Policy Editor (VPE)

Step 34: Navigate to Access>Profiles / Policies>Access Profiles (Per-Session Policies) and click Edit for VPN_Access in the Per-Session Policy column to open the VPE in a separate browser tab.

Step 35: In the VPE window, click Deny.

Step 36: In the Select Ending: window, select the following and click Save.

·     Allow

Step 37: Back in the VPE window, click the + sign between Start and Allow.

Step 38: In the pop-up window, type advanced in the search field, select the following and click Add Item.

·     Advanced Resources Assignment

Step 39: In the Properties* tab, click Add new entry and then click Add/Delete.

Step 40: Click the Network Access 1/1* tab, select the following and then click Show 7 more tabs.

·     /Common/VPN_Default

Step 41: Click the Webtop 1/1* tab, select the following, click Update to close the pop-up window and then click Save.

·     /Common/VPN_Webtops

Step 42: In the VPE window, click the + sign between Start and Advanced Resource Assign.

Step 43: In the pop-up window, type oauth in the search field, select the following and click Add Item.

·     OAuth Scope

Step 44: Select the following information and click Save.

·     Token Validation Mode—Internal

·     JWT Provider List—/Common/VPN_JWT

Step 45: Back in the VPE window, click Apply Access Policy.

This section completes the configuration of APM and Okta.


Test VPN MFA with Mobile MFA or YubiKey

Step 1:    Install Edge Client 7.2.1. Download and installation instructions can be found here:

·      BIG-IP Edge Client for Windows

·      BIG-IP Edge Client and F5 Access for macOS

Step 2:    Open Edge Client and connect to the APM virtual server IP address configured in Step 8 of the previous section.

Step 3:    Once the connection is successful, the default browser opens. In the browser, log in with a user account (do not use an admin account).

Step 4:    If no YubiKey is present, use Mobile MFA to log in.

Step 5:    If a YubiKey is present, touch the YubiKey.

Step 6:    If MFA is successful, the browser displays a message that the connection is established.


Resources

BIG-IP Knowledge Center

BIG-IP APM Knowledge Center

Configuring Single Sign-On with Access Policy Manager


Validated Products and Versions

BIG-IP APM 16.0

Edge Client 7.2.1


What’s New in This Version

The following changes have been made since F5 last published this guide:

•     This is a new guide.

Published Oct 16, 2020
Version 1.0