Configure the F5 BigIP APM to Interoperate with Okta via RADIUS

This guide details how to configure F5 BIG IP APM to use the Okta RADIUS Server AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. in conjunction with the Okta Integration Network (OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs.) F5 BIG IP RADIUS for APM and VPN AppAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in..

Okta and F5 BIG IP APM interoperate through either RADIUS or SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. 2.0. For each F5 BIG IP APM, you can assign one or more authentication providers. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

For integration with Okta via SAML 2.0, in Okta, add the app from the OIN by navigating to Applications > Applications> Add Application, search for F5 BIG IP RADIUS), and then click Add Application.

The following best practice compares operating with SAML and RADIUS when both are available.

ClosedBest Practice – When to interoperate with SAML vs. RADIUS

Some integrations interoperate with Okta through either RADIUS or SAML 2.0. The following screen shots compare the two end-user experiences.

SAML end-user experience

RADIUS end-user experience

There are several advantages to using SAML integrations when available.

  1. SAML provides a rich, intuitive and consistent login experience. RADIUS interacts with a text-based challenge with inconsistent formatting. Using SAML can reduce user training and support requirements and the consistent sign in experience with SAML makes usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control. less susceptible to phishing attempts.

  2. SAML integrations provide more security as credentials are exposed to fewer parties.

  3. SAML integrations run with a simplified infrastructure. The do not require running on-premise agents and require little maintenance. The user agent (web browser, VPN clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. , etc.) is used to transmit messages in a secure manor; therefore, there is no need for the service provider (firewall or application server) to connect to Okta. Federation is established through a one-time exchange of SAML metadata. This one-time setup establishes trust for ongoing transactions.

  4. Okta SAML integrations are very robust and include adaptive MFA and provisioning.

There are five parts to the configuration, including optional settings. Troubleshooting help and a list of additional resources are also provided.

Closed Part 1 – Preconfiguration: Installing, and configuring the Okta RADIUS Agent.

Configuring the F5 BigIP APM to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

  1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
  2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
  3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud tcp/443
http		 Configuration and authentication traffic
F5 BIG-IP Okta RADIUS Agent udp/1812 RADIUS (actual port number defined in next step) RADIUS traffic between the firewall (client) and the RADIUSs Agent (server)
Closed Part 2 – Use the Okta Admin Console to Configure the Okta RADIUS Agent

In this step, add the F5 BIG IP RADIUS app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

  • Authentication configuration

  • UDP Port

  • Secret Key

  • Application Username Format

Note: The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.

  1. Okta, navigate to Applications > Applications> Add Application, search for F5 BIG IP RADIUS, and then click Add Application:

  2. Enter a unique name.

  3. Provide the following Sign On values:

    • Authentication: Retaining this default button allows Okta to perform primary authentication.

    • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

    • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the F5 BIG IP RADIUS app.

    • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

  4. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

Closed Part 3 – Configure F5 BIG IP APM to use the F5 BIG IP RADIUS for APM and VPN OIN App

In Part 3 you define a RADIUS Server and edit an access policy.

Step 1 –Define a RADIUS Server Profile

  1. Sign in to the F5 console with sufficient privileges.
  2. Navigate to Access > Authentication > RADIUS and then click Create… to define a new RADIUS server. In older version, navigate to Access Policy > AAA Servers > RADIUS.
  3. Enter the following values to create a New RADIUS Server.
    Name Unique and appropriate name (OktaMFA)
    ModeAuthentication
    Server ConnectionDirect
    Server AddressIP or Name of Okta RADIUS Server Agent
    Authentication Service PortPort (1812)
    SecretSecret value defined above.
    Confirm SecretSecret value defined above
    NAS IP AddressOptional: the ip address of the F5
    NAS IdentifierOptional: an identifier of the NAS
    TimeoutRecommended: 60 seconds
    Retries2
  4. Click Finish to save the settings.

Step 2 – Edit an Access Policy

  1. Navigate to Access > Profiles / Policies > Access Profiles.

  2. Identify the Access Profile you wish to change and click the Edit… link in the Per-Session Policy column, as shown below.

  3. The screen shown below opens. Click Logon Page to edit the logon page.

  4. The screen shown below opens.

  5.   Enable a third input with the following selections.

    • Type: password

    • Variable: factor

    • Login page input field: Factor (e.g. <i>push, sms, 123456</i>)

  6. When done, click Save.

  7. Edit the existing RADIUS Auth or replace an existing Auth sequence with a RADIUS Auth step pointing to the password only RADIUS server created in the previous step, as shown below.

  8. After the initial authentication insert a new RADIUS Auth step pointing to the Factor only RADIUS server previously created. Change the Password Source variable to align with the updated logon page input %{session.logon.last.factor}.

  9. Click Save to save the settings.

  10. Click the Apply Access Policy button in the top left hand corner, as shown below.

Closed Part 4 – Test your Configuration

There are two configuration tests for the flows, shown in the following network diagram.

The detailed web sequence is listed below and shown in this diagram.

  1. User Logs in with Username/Password
  2. Gateway receives data and forwards via Radius to Okta RADIUS Server Agent
  3. Okta RADIUS Server Agent sends to Okta Identity Cloud
  4. Okta Identify Cloud Determines the Authentication source and responds or optionally forwards to on-prem directory agent
  5. Optional: Directory Agent sends Password to Directory
  6. Optional: Directory Confirms the password
  7. Optional: Directory Agent Confirms the password to Okta Identity Cloud
  8. Okta Identity Cloud evaluates the authentication policy and as required sends a message to the Okta RADIUS Server Agent to challenge the user for a factor
  9. The Okta RADIUS Server Agent relays the challenge message to the Gateway
  10. The Gateway displays a message to select a factor to the user
  11. User supplies the desired factor
  12. Gateway receives data and forwards via Radius to Okta RADIUS Server Agent
  13. Okta RADIUS Server Agent sends to Okta Identity Cloud
  14. Okta Identify Cloud evaluates the Choice and triggers the appropriate response (push message shown)
  15. Push message is received and Responded to by the user
  16. Success Message returned to the Okta RADIUS Server Agent
  17. Success Message returned to the gateway
  18. Connected
ClosedTest 1 – Test with the BIG-IP Edge Client
  1. Open the BIG-IP Edge Client.

  2. Select the server, and enter your username, password, and factor (OTP value or out of band keyword), as shown below.

    Note: The username must be in the format you specified when you added the app in Okta in Part 2, above.

  3. Click Connect.

  4. Note: When using sms or call, the first login fails, but triggers the delivery of a call or sms code. Initiate another logon with that information. The image in step 2 shows the failure message. This is expected.

  5. After successfully completing the challenge you are connected, as shown below. If you entered an incorrect value or take to long to respond to the push notification, you receive the message, "The user name or password is not correct. Please try again."

ClosedTest 2 – Test Clientless VPN with F5 web portal

  1. Navigate to the F5 portal.

  2. Select the server, and enter your username, password, and factor (OTP value or out of band keyword), as shown below.

    Note: The username must be in the format you specified when you added the app in Okta in Part 2, above.

  3. Click Logon.

  4. Note: When using sms or call, the first login fails, but triggers the delivery of a call or sms code. Initiate another logon with that information.

  5. After successfully completing the challenge you are connected, as shown below. If you entered an incorrect value or take to long to respond to the push notification, you receive the message, "The username or password is not correct. Please try again. (error: Access-Reject)"

Closed Part 5 – Configure Optional Settings

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the F5 BIG IP RADIUS for APM and VPN App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the Radius app in your Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 66 Tunnel-Client-Endpoint

Configure Groups Response

F5 BIG-IP APM can use group information from Okta to make advanced assignment and policy decisions. To configure Okta to send Radius Group information to F5 BIG-IP APM

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the Radius app in your Okta Admin Console, as shown below.

  • RADIUS Attribute: 25 Class
  • Group memberships to return Select Groups to Return

  • Response format: Repeating attributes

  • Group name format: ${group.name}

ClosedTroubleshooting

For troubleshooting information, refer to the section on RADIUS Authentication on the AskF5 site at https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/7.html.

Closed Additional Resources
Top

© Copyright 2018 Okta, Inc