Configure the F5 BigIP APM to Interoperate with Okta via RADIUS

Okta and F5 BIG IP APM interoperate through either RADIUS or SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on a chiclet, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0. For each F5 BIG IP APM, you can assign one or more authentication providers. Using RADIUS, Okta’s agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. translates RADIUS authentication requests from the VPN into Okta API calls.

This guide details how to configure F5 BIG IP APM to use the Okta RADIUS Server Agent in conjunction with the Okta Integration Network (OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs.) F5 BIG IP RADIUS for APM and VPN AppAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in..

If you want to integrate with Okta via SAML 2.0, add the F5 BIG IP SAML for APM and VPN SAML app in Okta by navigating to the Applications tab, select Applications > Add Application, search for F5 BIG IP SAML for APM and VPN, then click Add.

Best Practice – When to interoperate with SAML vs. RADIUS

Some integrations interoperate with Okta through either RADIUS or SAML 2.0. The following screen shots compare the two end-user experiences.

SAML end-user experience

RADIUS end-user experience

There are several advantages to using SAML integrations when available.

SAML provides a rich, intuitive and consistent login experience. RADIUS interacts with a text-based challenge with inconsistent formatting. Using SAML can reduce user training and support requirements and the consistent sign in experience with SAML makes users less susceptible to phishing attempts.
SAML integrations provide more security as credentials are exposed to fewer parties.
SAML integrations run with a simplified infrastructure. The do not require running on-premise agents and require little maintenance. The user agent (web browser, VPN clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. , etc.) is used to transmit messages in a secure manor; therefore, there is no need for the service provider (firewall or application server) to connect to Okta. Federation is established through a one-time exchange of SAML metadata. This one-time setup establishes trust for ongoing transactions.
Okta SAML integrations are very robust and include adaptive MFA and provisioning.

There are five parts to the configuration, including optional settings. Troubleshooting help and a list of additional resources are also provided.

Part 1 – Preconfiguration: Installing, and configuring the Okta RADIUS Agent.

Configuring the F5 BigIP APM to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source	Destination	Port/Protocol	Description
Okta RADIUS Agent	Okta Identity Cloud	tcp/443 http	Configuration and authentication traffic
F5 BIG-IP	Okta RADIUS Agent	udp/1812 RADIUS (actual port number defined in next step)	RADIUS traffic between the firewall (client) and the RADIUSs Agent (server)

Part 2 – Use the Okta Admin Console to Configure the Okta RADIUS Agent

In this step, add the F5 BIG IP RADIUS app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

Note: The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.

Okta, navigate to Applications > Applications> Add Application, search for F5 BIG IP RADIUS, and then click Add Application:
Enter a unique name.
Provide the following Sign On values:
- Authentication: Retaining this default button allows Okta to perform primary authentication.
- UDP Port: Required. Each RADIUS app has a unique number. Enter it here.
- Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the F5 BIG IP RADIUS app.
- Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.
After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

Part 3 – Configure F5 BIG IP APM to use the F5 BIG IP RADIUS for APM and VPN OIN App

In Part 3 you define a RADIUS Server and edit an access policy.

Step 1 –Define a RADIUS Server Profile

Sign in to the F5 console with sufficient privileges.
Navigate to Access > Authentication > RADIUS and then click Create… to define a new RADIUS server. In older version, navigate to Access Policy > AAA Servers > RADIUS.

Enter the following values to create a New RADIUS Server.

Name	Unique and appropriate name (OktaMFA)
Mode	Authentication
Server Connection	Direct
Server Address	IP or Name of Okta RADIUS Server Agent
Authentication Service Port	Port (1812)
Secret	Secret value defined above.
Confirm Secret	Secret value defined above
NAS IP Address	Optional: the ip address of the F5
NAS Identifier	Optional: an identifier of the NAS
Timeout	Recommended: 60 seconds
Retries	2

Click Finish to save the settings.

Step 2 – Edit an Access Policy

Navigate to Access > Profiles / Policies > Access Profiles.
Identify the Access Profile you wish to change and click the Edit… link in the Per-Session Policy column, as shown below.
The screen shown below opens. Click Logon Page to edit the logon page.
The screen shown below opens.
Enable a third input with the following selections.
- Type: password
- Variable: factor
- Login page input field: Factor (e.g. <i>push, sms, 123456</i>)
When done, click Save.
Edit the existing RADIUS Auth or replace an existing Auth sequence with a RADIUS Auth step pointing to the password only RADIUS server created in the previous step, as shown below.
After the initial authentication insert a new RADIUS Auth step pointing to the Factor only RADIUS server previously created. Change the Password Source variable to align with the updated logon page input %{session.logon.last.factor}.
Click Save to save the settings.
Click the Apply Access Policy button in the top left hand corner, as shown below.

Part 4 – Test your Configuration

There are two configuration tests for the flows, shown in the following network diagram.

The detailed web sequence is listed below and shown in this diagram.

User Logs in with Username/Password
Gateway receives data and forwards via Radius to Okta RADIUS Server Agent
Okta RADIUS Server Agent sends to Okta Identity Cloud
Okta Identify Cloud Determines the Authentication source and responds or optionally forwards to on-prem directory agent
Optional: Directory Agent sends Password to Directory
Optional: Directory Confirms the password
Optional: Directory Agent Confirms the password to Okta Identity Cloud
Okta Identity Cloud evaluates the authentication policy and as required sends a message to the Okta RADIUS Server Agent to challenge the user for a factor
The Okta RADIUS Server Agent relays the challenge message to the Gateway
The Gateway displays a message to select a factor to the user
User supplies the desired factor
Gateway receives data and forwards via Radius to Okta RADIUS Server Agent
Okta RADIUS Server Agent sends to Okta Identity Cloud
Okta Identify Cloud evaluates the Choice and triggers the appropriate response (push message shown)
Push message is received and Responded to by the user
Success Message returned to the Okta RADIUS Server Agent
Success Message returned to the gateway
Connected

Part 5 – Configure Optional Settings

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the F5 BIG IP RADIUS for APM and VPN App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the Radius app in your Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console

Client IP: Check Report client IP.
RADIUS End User IP Attributes: 66 Tunnel-Client-Endpoint

Configure Groups Response

F5 BIG-IP APM can use group information from Okta to make advanced assignment and policy decisions. To configure Okta to send Radius Group information to F5 BIG-IP APM

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the Radius app in your Okta Admin Console, as shown below.

RADIUS Attribute: 25 Class
Group memberships to return Select Groups to Return
Response format: Repeating attributes
Group name format: ${group.name}

Top