Configure the F5 BigIP APM to Interoperate with Okta via RADIUS

Okta and F5 BIG IP APM interoperate through either RADIUS or SAML 2.0. For each F5 BIG IP APM, you can assign one or more authentication providers. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

This guide details how to configure F5 BIG IP APM to use the Okta RADIUS Server Agent in conjunction with the Okta Integration Network (OIN) F5 BIG IP RADIUS for APM and VPN App.

If you want to integrate with Okta via SAML 2.0, add the F5 BIG IP SAML for APM and VPN SAML app in Okta by navigating to the Applications tab, select Applications > Add Application, search for F5 BIG IP SAML for APM and VPN, then click Add.

Some integrations interoperate with Okta through either RADIUS or SAML 2.0. The following screen shots compare the two end-user experiences.

SAML end-user experience

RADIUS end-user experience

Note

Note

The Yubikey factor doesn't appear in the menu as an option.
The end user must enter the Yubikey code into the Response field and click Continue.

There are several advantages to using SAML integrations when available.

  1. SAML provides a rich, intuitive and consistent login experience. RADIUS interacts with a text-based challenge with inconsistent formatting. Using SAML can reduce user training and support requirements and the consistent sign in experience with SAML makes users less susceptible to phishing attempts.

  2. SAML integrations provide more security as credentials are exposed to fewer parties.

  3. SAML integrations run with a simplified infrastructure. The do not require running on-premise agents and require little maintenance. The user agent (web browser, VPN client, etc.) is used to transmit messages in a secure manner; therefore, there is no need for the service provider (firewall or application server) to connect to Okta. Federation is established through a one-time exchange of SAML metadata. This one-time setup establishes trust for ongoing transactions.

  4. Okta SAML integrations are very robust and include adaptive MFA and provisioning.

There are five parts to the configuration, including optional settings. Troubleshooting help and a list of additional resources are also provided.

The following MFA Factors are supported:

 

MFA Factor Password Authentication Protocol
PAP		 Extensible Authentication Protocol - Generic Token Card
EAP-GTC		 Extensible Authentication Protocol - Tunneled Transport Layer Security
EAP-TTLS
Okta Verify (TOTP and PUSH) Supported Supported Supported - as long as challenge is avoided.
For example:
MFA-only or password, MFA for TOTP.
Push can work with primary auth + MFA as the push challenge is sent out-of-band.
Voice Call Supported Supported Not supported
SMS Authentication Supported Supported Not supported
Google Authenticator Supported Supported Supported - as long as challenge is avoided.
For example MFA only or password, MFA.
Symantec VIP Supported Supported Supported
Security Question Supported Supported Not supported
Custom TOTP Authentication Supported Supported Not supported
Duo(Push, SMS and Passcode only) Supported Supported Supported (passcode, Push)
YubiKey Supported Supported Supported

RSA Token

Supported

Supported

Supported

Email

Supported

Supported

Not supported
Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

Configuring the F5 BigIP APM to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

  1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
  2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
  3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud tcp/443
http		 Configuration and authentication traffic
F5 BIG-IP Okta RADIUS Agent udp/1812 RADIUS (actual port number defined in next step) RADIUS traffic between the firewall (client) and the RADIUSs Agent (server)

In this step, add the F5 BIG IP RADIUS app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

  • Authentication configuration

  • UDP Port

  • Secret Key

  • Application Username Format

Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending Groups information to the firewall.

  1. Okta, navigate to Applications > Applications> Add Application, search for F5 BIG IP RADIUS, and then click Add Application:

  2. Enter a unique name.

  3. Provide the following Sign On values:

    • Authentication: Retaining this default button allows Okta to perform primary authentication.

    • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

    • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the F5 BIG IP RADIUS app.

    • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

  4. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

In Part 3 you define a RADIUS Server and edit an access policy.

Step 1 –Define a RADIUS Server Profile

  1. Sign in to the F5 console with sufficient privileges.
  2. Navigate to Access > Authentication > RADIUS and then click Create… to define a new RADIUS server. In older version, navigate to Access Policy > AAA Servers > RADIUS.
  3. Enter the following values to create a New RADIUS Server.
    Name Unique and appropriate name (OktaMFA)
    ModeAuthentication
    Server ConnectionDirect
    Server AddressIP or Name of Okta RADIUS Server Agent
    Authentication Service PortPort (1812)
    SecretSecret value defined above.
    Confirm SecretSecret value defined above
    NAS IP AddressOptional: the ip address of the F5
    NAS IdentifierOptional: an identifier of the NAS
    TimeoutRecommended: 60 seconds
    Retries2
  4. Click Finish to save the settings.

Step 2 – Edit an Access Policy

  1. Navigate to Access > Profiles / Policies > Access Profiles.

  2. Identify the Access Profile you wish to change and click the Edit… link in the Per-Session Policy column, as shown below.

  3. The screen shown below opens. Click Logon Page to edit the logon page.

  4. The screen shown below opens.

  5.   Enable a third input with the following selections.

    • Type: password

    • Variable: factor

    • Login page input field: Factor (e.g. <i>push, sms, 123456</i>)

  6. When done, click Save.

  7. Edit the existing RADIUS Auth or replace an existing Auth sequence with a RADIUS Auth step pointing to the password only RADIUS server created in the previous step, as shown below.

  8. After the initial authentication insert a new RADIUS Auth step pointing to the Factor only RADIUS server previously created. Change the Password Source variable to align with the updated logon page input %{session.logon.last.factor}.

  9. Click Save to save the settings.

  10. Click the Apply Access Policy button in the top left hand corner, as shown below.

There are two configuration tests for the flows, shown in the following network diagram.

The detailed web sequence is listed below and shown in this diagram.

  1. User Logs in with Username/Password
  2. Gateway receives data and forwards via Radius to Okta RADIUS Server Agent
  3. Okta RADIUS Server Agent sends to Okta Identity Cloud
  4. Okta Identify Cloud Determines the Authentication source and responds or optionally forwards to on-prem directory agent
  5. Optional: Directory Agent sends Password to Directory
  6. Optional: Directory Confirms the password
  7. Optional: Directory Agent Confirms the password to Okta Identity Cloud
  8. Okta Identity Cloud evaluates the authentication policy and as required sends a message to the Okta RADIUS Server Agent to challenge the user for a factor
  9. The Okta RADIUS Server Agent relays the challenge message to the Gateway
  10. The Gateway displays a message to select a factor to the user
  11. User supplies the desired factor
  12. Gateway receives data and forwards via Radius to Okta RADIUS Server Agent
  13. Okta RADIUS Server Agent sends to Okta Identity Cloud
  14. Okta Identify Cloud evaluates the Choice and triggers the appropriate response (push message shown)
  15. Push message is received and Responded to by the user
  16. Success Message returned to the Okta RADIUS Server Agent
  17. Success Message returned to the gateway
  18. Connected
  1. Open the BIG-IP Edge Client.

  2. Select the server, and enter your username, password, and factor (OTP value or out of band keyword), as shown below.

    Note: The username must be in the format you specified when you added the app in Okta in Part 2, above.

  3. Click Connect.

  4. Note: When using sms or call, the first login fails, but triggers the delivery of a call or sms code. Initiate another logon with that information. The image in step 2 shows the failure message. This is expected.

  5. After successfully completing the challenge you are connected, as shown below. If you entered an incorrect value or take to long to respond to the push notification, you receive the message, "The user name or password is not correct. Please try again."

  1. Navigate to the F5 portal.

  2. Select the server, and enter your username, password, and factor (OTP value or out of band keyword), as shown below.

    Note: The username must be in the format you specified when you added the app in Okta in Part 2, above.

  3. Click Logon.

  4. Note: When using sms or call, the first login fails, but triggers the delivery of a call or sms code. Initiate another logon with that information.

  5. After successfully completing the challenge you are connected, as shown below. If you entered an incorrect value or take to long to respond to the push notification, you receive the message, "The username or password is not correct. Please try again. (error: Access-Reject)"

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the F5 BIG IP RADIUS for APM and VPN App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the Radius app in your Okta Admin Console

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 66 Tunnel-Client-Endpoint

Configure Groups Response

F5 BIG-IP APM can use group information from Okta to make advanced assignment and policy decisions. To configure Okta to send Radius Group information to F5 BIG-IP APM

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the Radius app in your Okta Admin Console, as shown below.

  • RADIUS Attribute: 25 Class
  • Group memberships to return Select Groups to Return

  • Response format: Repeating attributes

  • Group name format: ${group.name}

For troubleshooting information, refer to the section on RADIUS Authentication on the AskF5 site at https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/7.html.