Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Installation guide for securing the authentication to your F5 Big-IP APM™ solution with Nordic Edge One Time Password Server, delivering strong authetication via SMS to your mobile phone.

1 Summary This is the complete installation guide for securing the authentication to your F5 Big-IP APM™ with Nordic Edge One

Time Password Server 3, delivering strong authentication via SMS to your mobile phone. You will be able to test

the product with your existing F5 Big-IP APM™ and LDAP user database, without making any changes that affect

existing users. The guide will also allow you to make the complete installation efficiently, using a maximum of 1

hour. Nordic Edge provides several methods for delivering one time passwords, like the mobile client Pledge, e-

mail, tokens, prefetch, Yubikey etc. - however in this test we are only going to use SMS.

This is a step-by-step guide that covers the entire Nordic Edge OTP Server installation from A to Z. It is based on

the scenario that you are running your F5 Big-IP APM™ against Active Directory, and that you install the One Time

Password Server on a Windows Server. The One Time Password Server is platform independent and works with all

other LDAP user databases, like eDirectory, Sun One, Open LDAP etc. If you are not running Active Directory or

Windows and if you have any questions regarding the slight differences in the installation process, you are most

welcome to contact us at support@nordicedge.se and we will take you through the entire process.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Table of Contents

1 Summary

Table of Contents

2 Prerequisites

Definitions

Important information regarding communication

3 Getting started

3.1 Register and download the software

4       Installation

4.1      Start the installation

4.2      Installing license

5   Configuring the One Time Password Server

5.1  Start the OTP Configurator

Start the OTP Configurator by clicking on the left button - “Configuration”

5.2   Configure the One Time Password Server

5.3      Configure RADIUS

5.4      Configure databases

5.5      Configure LDAP Host Settings

5.6   Configure the LDAP database settings

5.7      Configure search filter

5.8    Test LDAP Authentication

6 Configure the SSL-VPN client settings.

7    Configure Delivery Method

8 Restart the One Time Password Server as Windows Service

9  Add mobile phone number with Microsoft Management Console

10 CONFIGURING F5 BIG-IP™

To use the Nordic Edge OTP Server, you have to configure a RADIUS authentication server, bind the server to

an access profile and then use this access profile in the SSL-VPN Virtual Server.

10.1 Adding the authentication server

10.2 Adding authentication server to Access Policy

10.3 Test the configuration

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

11      Purchase

12     Technical questions

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

2 Prerequisites

You will need to have done a basic installation of F5 Big-IP APM™. As this guide only show you how to enable

SMS password functionality for secure login you will need to have a server available, for example a virtual

machine with Windows Server 2003 installed with Ethernet in bridge mode. The server needs to have an ip-address

configured and must also be able to reach your DNS-servers, your F5 Big-IP APM™ solution and the Active Directory.

Since the software is quite small and easy to remove, you can also use any existing server in your network.

Definitions

In this Step by Step guide the guide for securing the authentication to your F5 Big-IP APM™ is referred as "SSL-VPN Solution".

Important information regarding communication

The One Time Password Server is a software that you can place on any server in your internal network or DMZ.

- The One Time Password Server needs to be able to communicate (Outbound traffic) with your LDAP or JDBC

User Database. Default port for LDAP and Secure LDAP is TCP port 389 / 636.

- SSL-VPN solution needs to be able to communicate (Outbound traffic) with the One Time Password Server with

Radius, UDP port 1812 or 1645 (Outbound traffic)

- If you want to use the Nordic Edge SMS Gateway, the One Time Password Server needs to be able to

communicate (Outbound traffic) with otp.nordicedge.net and otp.nordicedge.se with HTTPS on TCP port 443.

In this test-scenario you will want to communicate with RADIUS port 1812 or 1645 and use our Nordic

Edge 

SMS Gateway.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

3 Getting started

3.1 Register and download the software

 Go to http://www.nordicedge.com and click "PRODUCTS" under "One Time Password Server" choose "Download"

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Enter your contact details and choose OTP Server. Click "Send" to receive the software.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

You will receive an e-mail  a link for downloading the software. A 30 days evaluation license will be sent

via e-mail when you download the software.

Download the 32 or 64 bit version depending on your platform.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

4       Installation

4.1 Start the installation

Start the installation on the server where you want to install the One Time Password Server

 

Please note that if you are installing on a Windows 2008 Server you need to right click on the otp3install.exe using

explorer and click on “Run as Administrator”.

 

 

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

4.2      Installing license

Choose the license.dat that you have received via e-mail. 

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Leave it default on yes and click “Done”

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

5   Configuring the One Time Password Server

5.1  Start the OTP Configurator

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Start the OTP Configurator by clicking on the left button - “Configuration”              

5.2   Configure the One Time Password Server

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

On the Server page you can set the length of the one time password and for how long it should be valid. Default is

5 minutes.

You can also set a default country prefix, which means that you will not need to state it in the mobile attribute. 

For more information regarding the optional setting please see One Time Password Server 3 – Administration

manual

For now, leave this page as default and go on to the next part – Configure RADIUS.

5.3      Configure RADIUS

Change to the RADIUS tab and configure the RADIUS port you want to use to communicate with your SSL-VPN

server. In this example we are using RADIUS port 1812.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Click Save config.

5.4      Configure databases

In this setup we are going to use the LDAP database Microsoft Active Directory

Change to the Databases tab and click on the LDAP Database button.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

5.5      Configure LDAP Host Settings

For our configuration we are going to use the active directory installed on the same server as the One

Time Password Server. We will use the internal IP-address (127.0.0.1) as host address.

We will use the standard LDAP port nb (389) to communicate with Active Directory.

For Admin DN we are going to use the Administrator to search for users in the Active Directory. For now

the user only need read rights to the user object but be aware that you later might want to use options

like disable accounts and use the Pledge Enrollment concept for the Pledge Mobile Client. In examples

like these the Admin DN need rights to modify the disable account attribute and to store oath-keys at

optional user attributes.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Configure your LDAP host settings and click test. You should now get a messages saying “LDAP

connection success”

Click OK and Save

 Next step is to configure the LDAP database settings.

5.6   Configure the LDAP database settings

The BASE DN is the search base for where your users contains. Click on the button with three dots at

the right side of the Base DN field to browse your LDAP Database.

Click on the Organization Unit or Organization where your store your users objects and click OK.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

5.7      Configure search filter

Next step is to configure the search filter for letting the One Time Password search for the right object classes and

attribute according to Microsoft Active Directory.

Click on the “Sample Button” and choose the filter template for MS Active Directory and click OK twice.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

5.8    Test LDAP Authentication

Click on the Test LDAP Authentication button and type in the userid for a user you want to try to authenticate. 

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Type in the password

If everything is correctly configured you will get a success message.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

6 Configure the SSL-VPN client settings.Since we are configuring the One Time Password Server to act as RADIUS-server. The actual SSL-VPN server /

appliance box is considered a client to the One Time Password Server.

In this step we are going to configure the settings for the SSL-VPN client.

In the left pane click on ”Clients” 

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Type in a name for your SSL-VPN server and the ipaddress to your SSL-VPN server.

Type in the RADIUS shared secret (this must match the shared secret in Access Gateway).

Choose the Active Directory you configured earlier as User Database.

Click Save

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

7    Configure Delivery MethodThe Delivery Methods object category is used to enable and configure one or more delivery methods

that the OTP Server can use to send the one-time passwords.

 

One Time Password Server offers various methods like SMS, Oath Tokens, Instant Messaging, HTTP,

Yubikey.

In this example we will use SMS as Method and the Nordic Edge SMS-service as SMS-provider.

In the evaluating phase we offer customer to use our Nordic Edge SMS-service free of charge in 30 days

from the activation of the Demo Account.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

In the left Pane, click “Deliver Methods” and then Nordic Edge SMS. In the right pane enable Nordic

Edge SMS Gateway.

To Request a demo account click “Request a demo account”.

Click “Yes”

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

You should now get a success message and the Username and Password for the Nordic Edge SMS-

gateway has automatically been filled in. Click OK and Save Config.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

8 Restart the One Time Password Server as Windows ServiceIn the server panel for click “Shutdown”

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

In Windows Control Panel, open Administrative Tools / Services

Find the NordicEdge OTPServer Service, right click on that service and click “Start”.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

9  Add mobile phone number with Microsoft Management ConsoleAdd mobile phone number to your test users mobile phone attribute by starting the Microsoft MMC

and select the user that you want to use for testing and enter the mobile phone number in the Mobile

attribute.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

10 CONFIGURING F5 Big-IP APM™To use the Nordic Edge OTP Server, you have to configure a RADIUS authentication server, bind the

server to an access profile and then use this access profile in the SSL-VPN Virtual Server. In this

example, we already have an access profile and a Virtual Server for remote access. There are multiple

ways to setup remote access. You can for example do this with the Device Wizards that will guide you

through this process. For a detailed discussion on how to configure a SSL-VPN server, please review the

BIG-IP Administration Guide.

10.1 Adding the authentication server

First step is to add an RADIUS authentication server. Goto Access Policy --> AAA Servers -->

RADIUS and click the “+” button.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

-Name: Give the server a suitable name.

-Mode: Authentication.

-Server Connection: Direct.

-Server Address: IP address of the Nordic Edge OTP Server.

-Authentication Service Port: Port of the Nordic Edge OTP Server (this must match the RADIUS port in OTP

Server).

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

-Secret: Enter the secret key and confirm it (this must match the shared secret in OTP Server).

-Timeout: Raise the server time-out to 25 seconds. This allows the RADIUS server to respond with an alternative

attribute to F5 Big-IP APM if the operator fails to deliver the OTP SMS.

After the server are added, an overview will be found in the "AAA Servers By Type"

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

10.2 Adding authentication server to Access Policy

Goto Access Policys --> Access Profiles --> Access Profiles List. Choose "Edit" under "Access Policy" at your Access

Profile.

Click at the "+" sign after "Login Page"

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Scroll down and choose "Radius Auth". Click the button " Add Item"

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

In the drop down list at "AAA Server" choose the OTP Server configured earlier. Click Save. Then click close in the upper right corner in the GUI.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

Back at "Access Profiles List" Mark the Access Profile and click "Apply Access Policy"

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 

10.3 Test the configurationNavigate to the BIG-IP Virtual Server log on page. Enter the Microsoft Active Directory user name and password

used earlier to configure the OTP server. After entering your credentials, press “Logon” to continue.

A Flash SMS will be delivered to your mobile phone containing the One Time Password.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™

 

Enter the One Time Password and click on “Logon”.

You will now be logged in, and depending on the configured access profile, your VPN connection can be a full

SSL-VPN tunnel, a clientless session etc. This can be controlled in a way to let the connecting user make the

connection type choice, or it can be enforced by the administrator.

 Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)™