Configure F5 BIG IP APM gateway

Use the F5 console to configure F5 BIG IP to integrate with RADIUS.

Steps

There are two parts to this configuration:

  1. Define a RADIUS server profile
  2. Edit an access policy

Before you begin

  • Ensure that you have the common UDP port and secret key values available.

Define a RADIUS server profile

  1. Sign in to the F5 console with sufficient privileges.
  2. Go to Access > Authentication > RADIUS and then click Create… to define a new RADIUS server. In the older version, go to Access Policy > AAA Servers > RADIUS.
  3. Enter the following values to create a New RADIUS Server.
    • Name: Unique and appropriate name (OktaMFA)
    • Mode: Authentication
    • Server Connection: Direct
    • Server Address: IP or Name of Okta RADIUS Server Agent
    • Authentication Service Port: Port (1812)
    • Secret: Secret value
    • Confirm Secret: Secret value confirmation
    • NAS IP Address: Optional: the IP address of the F5
    • NAS Identifier: Optional: an identifier of the NAS
    • Timeout: Recommended: 60 seconds
    • Retries: 2
  4. Click Finish to save the settings.

Edit an access policy

  1. Go to Access > Profiles / Policies > Access Profiles.

  2. Identify the Access Profile that you want to change and click the Edit… link in the Per-Session Policy column.

  3. In the policy editor that opens, click Logon Page.

  4. Enable a third input with the following selections.
    • Type: password

    • Post/Session Variable Name: factor

    • Login Page Input Field: Factor (e.g. push, sms, 123456)

  5. Click Save.
  6. Edit the existing RADIUS Auth or replace an existing Auth sequence with a RADIUS Auth step pointing to the password-only RADIUS server.

  7. After the initial authentication, insert a new RADIUS Auth step pointing to the Factor-only RADIUS server previously created. Change the Password Source variable to %{session.logon.last.factor} so that it aligns with the updated logon page input.

  8. Click Save.
  9. Click Apply Access Policy in the top left corner.
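
To check that the port and secret entered in the RADIUS server profile match the RADIUS server, the following added example (not part of the original page and not Okta or F5 code) builds the kind of Access-Request the factor step produces and validates the reply's authenticator with the shared secret. It assumes plain RFC 2865 PAP encoding with no Message-Authenticator attribute; the function names and the probe() helper are hypothetical.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST = 1                 # RFC 2865 packet code
USER_NAME, USER_PASSWORD = 1, 2    # RFC 2865 attribute types

def _blocks(data, secret, req_auth, hiding):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, req_auth):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(16, (len(password) + 15) // 16 * 16)   # pad to a 16-byte multiple
    return _blocks(password.ljust(size, b"\x00"), secret, req_auth, True)

def reveal_password(hidden, secret, req_auth):
    return _blocks(hidden, secret, req_auth, False).rstrip(b"\x00")

def _attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def build_access_request(ident, user, factor, secret, req_auth):
    # The factor (push, sms or a code) travels as the hidden User-Password.
    attrs = _attr(USER_NAME, user.encode())
    attrs += _attr(USER_PASSWORD, hide_password(factor.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def response_is_authentic(response, req_auth, secret):
    """Check MD5(code + id + length + request authenticator + attributes + secret)."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if not 20 <= length <= len(response):
        return False
    response = response[:length]
    digest = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(digest, response[4:20])

def probe(host, port, user, factor, secret, timeout=60):
    """Send one request; returns (reply code, authenticator valid). Raises on timeout."""
    req_auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(1, user, factor, secret, req_auth), (host, port))
        reply = sock.recv(4096)
    return reply[0], response_is_authentic(reply, req_auth, secret)
```

A reply whose authenticator does not validate means the secret on the F5 side differs from the one configured on the RADIUS server. Because the User-Password hiding depends only on MD5 and the shared secret, the secret should be long and random.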