As promised in my last article, which covered configuring the BIG-IP as an SSH jump server using smart card authentication, I want to continue the discussion of F5's Privileged User Access (PUA) with additional use cases. This first follow-on article is dedicated to all those customers who ask, "How do I use a smart card to authenticate to the BIG-IP TMUI?" While I did provide a guide on how to do this natively, I think the approach below is a bit easier. Don't take my word for it, though: try them both!
To avoid duplicating content, I am going to begin from the final configuration deployed in the previous article, which has been published at https://devcentral.f5.com/s/articles/configuring-the-big-ip-as-an-ssh-jump-server-using-smart-card-authentication-and-webssh-client-31586. If you have not completed that guide, please do so before continuing with the Traffic Management User Interface (TMUI) use case. With that, let's begin.
Prerequisites
LTM licensed and provisioned
APM licensed and provisioned
8 GB of memory
Completed the PUA deployment from my previous guide
Creating a Virtual Server for TMUI
Now you may be asking yourself, why would I need this? If you have tried this in the past, you will have noticed that you receive an ACL error when a portal access resource points directly at the management IP. To get around that, we create a virtual server that proxies to the management IP and point the portal access resource at the virtual server instead. Two things to keep in mind: this listener fronts TMUI with no access policy of its own, so choose a destination address that is not reachable from user networks (or restrict the virtual server's Source Address to the self IPs the portal access connections will originate from), and the management IP must be reachable from a self IP over the data plane, because the BIG-IP does not forward traffic between TMM and the management port internally.
Navigate to Local Traffic >> Virtual Servers >> Click Create
Destination Address: This IP is arbitrary; choose any unused address. It only needs to be reachable by the portal access resource, which you will point at it later in this article.
Service Port: 443
SSL Profile (Client): clientssl
SSL Profile (Server): serverssl
Source Address Translation: Automap
Scroll until you reach the Default Pool option and click the + button to create a new pool.
Health Monitors: HTTP (the management interface only serves TLS on port 443, so the https monitor is the more accurate choice; if the member shows down with the http monitor, switch to https)
Address: the BIG-IP management IP address
Service Port: 443
Click Add and Finished
The pool should be selected for you after creation.
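The same pool and virtual server as the GUI steps above, as an added example built with tmsh from the BIG-IP command line. This is my illustration, not configuration from the article; the object names and the 192.0.2.x addresses are placeholders from the RFC 5737 documentation range. It uses the built-in https monitor rather than http because the management interface serves TLS on 443, and it ends with the check I would run before pointing the portal access resource at the new listener:

```tmsh
# Added example, not from the original article. Names and addresses are
# placeholders; substitute your own management IP and an unused VIP address.

# Pool containing the management IP of this BIG-IP. The address must be
# reachable from a self IP over the data plane, since TMM does not forward
# to the management port itself.
create ltm pool tmui_pool monitor https members add { 192.0.2.10:443 }

# Listener the portal access resource will point at. The destination address
# is arbitrary but should not be reachable from user networks, because this
# virtual server carries no access policy of its own. clientssl terminates
# the client TLS session, serverssl re-encrypts to the management interface,
# and Automap SNAT makes the pool member see a self IP as the client.
create ltm virtual tmui_vs destination 192.0.2.50:443 ip-protocol tcp profiles add { tcp clientssl { context clientside } serverssl { context serverside } } source-address-translation { type automap } pool tmui_pool

# Verify the member is marked available before building the portal access
# resource on top of this virtual server.
show ltm pool tmui_pool members
list ltm virtual tmui_vs

# Commit the running configuration to disk.
save sys config
```

Run the commands inside an interactive tmsh session, or prefix each one with tmsh from the BIG-IP bash prompt. The show output should list the member as available; if it is down, confirm the management IP is reachable from a self IP and not only from the management port.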
Creating a Single Sign On Profile for TMUI
Navigate to Access >> Single Sign On >> Forms Based >> Click Create
Creating a Portal Access Resource for TMUI
Navigate to Access >> Connectivity / VPN >> Portal Access >> Portal Access Lists >> Click Create. After the Portal Access List is created, click the Add button to add a resource item.
Link Type: Paths
Destination Type: IP
Destination IP Address: the IP of the BIG-IP virtual server created earlier in this article
SSO Configuration: Select the SSO profile created previously in this article
Assign the new Portal Access Resource
Navigate to Access >> Profiles / Policies >> Click the Edit button in the row of the PUA Policy created using the previous guide.
In the Admin Access macro, click Advanced Resource Assign.
Click the Add / Delete button on the Resource Assignment page.
Select the Portal Access tab and place a check mark next to the portal access resource created in the previous steps.
Click Apply Access Policy
From a web browser, navigate to webtop.demo.lab.
Click OK, Proceed to Application
Select your user certificate when prompted and click OK
From the Webtop, select the portal access resource you created in previous steps.
If successful, you will be redirected to the BIG-IP TMUI as shown below.
Now you have successfully configured SSO to the BIG-IP TMUI using forms-based authentication. I'm sure many of you are wondering how forms-based authentication can work when I provided no password anywhere in this article. It works because the F5 PUA solution generates a one-time password on the user's behalf and presents it to the application in the login form. Thanks for following, and I will continue with additional use cases and capabilities of the F5 BIG-IP.
If for any reason you attempt to log out of TMUI and are logged back in immediately, it is likely because of middleware you have in place on your workstation. No need to worry, though: there's an iRule for that! Simply add the following iRule to the webtop virtual server and you will be good to go.