Configure the F5 BigIP APM to Interoperate with Okta via RADIUS

Some integrations interoperate with Okta through either RADIUS or SAML 2.0. The following screen shots compare the two end-user experiences.

SAML end-user experience

RADIUS end-user experience

There are several advantages to using SAML integrations when available.

1. SAML provides a rich, intuitive and consistent login experience. RADIUS interacts with a text-based challenge with inconsistent formatting. Using SAML can reduce user training and support requirements and the consistent sign in experience with SAML makes users less susceptible to phishing attempts.

2. SAML integrations provide more security as credentials are exposed to fewer parties.

3. SAML integrations run with a simplified infrastructure. The do not require running on-premise agents and require little maintenance. The user agent (web browser, VPN client, etc.) is used to transmit messages in a secure manor; therefore, there is no need for the service provider (firewall or application server) to connect to Okta. Federation is established through a one-time exchange of SAML metadata. This one-time setup establishes trust for ongoing transactions.

4. Okta SAML integrations are very robust and include adaptive MFA and provisioning.

Configuring the F5 BigIP APM to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

In this step, add the F5 BIG IP RADIUS app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

• Authentication configuration

• UDP Port

• Secret Key

• Application Username Format

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending Groups information to the firewall.

1. Okta, navigate to Applications > Applications> Add Application, search for F5 BIG IP RADIUS, and then click Add Application:

   

2. Enter a unique name.

3. Provide the following Sign On values:

   • Authentication: Retaining this default button allows Okta to perform primary authentication.

   • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

   • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the F5 BIG IP RADIUS app.

   • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

4. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

In Part 3 you define a RADIUS Server and edit an access policy.

Step 1 –Define a RADIUS Server Profile

1. Sign in to the F5 console with sufficient privileges.
2. Navigate to Access > Authentication > RADIUS and then click Create… to define a new RADIUS server. In older version, navigate to Access Policy > AAA Servers > RADIUS.
3. Enter the following values to create a New RADIUS Server.

   Name	Unique and appropriate name (OktaMFA)
   Mode	Authentication
   Server Connection	Direct
   Server Address	IP or Name of Okta RADIUS Server Agent
   Authentication Service Port	Port (1812)
   Secret	Secret value defined above.
   Confirm Secret	Secret value defined above
   NAS IP Address	Optional: the ip address of the F5
   NAS Identifier	Optional: an identifier of the NAS
   Timeout	Recommended: 60 seconds
   Retries	2

4. Click Finish to save the settings.

Step 2 – Edit an Access Policy

1. Navigate to Access > Profiles / Policies > Access Profiles.

2. Identify the Access Profile you wish to change and click the Edit… link in the Per-Session Policy column, as shown below.

   

3. The screen shown below opens. Click Logon Page to edit the logon page.

   

4. The screen shown below opens.

   

5.   Enable a third input with the following selections.

   • Type: password

   • Variable: factor

   • Login page input field: Factor (e.g. <i>push, sms, 123456</i>)

6. When done, click Save.

7. Edit the existing RADIUS Auth or replace an existing Auth sequence with a RADIUS Auth step pointing to the password only RADIUS server created in the previous step, as shown below.

   

8. After the initial authentication insert a new RADIUS Auth step pointing to the Factor only RADIUS server previously created. Change the Password Source variable to align with the updated logon page input %{session.logon.last.factor}.

   

9. Click Save to save the settings.

10. Click the Apply Access Policy button in the top left hand corner, as shown below.

    

There are two configuration tests for the flows, shown in the following network diagram.

The detailed web sequence is listed below and shown in this diagram.

1. User Logs in with Username/Password
2. Gateway receives data and forwards via Radius to Okta RADIUS Server Agent
3. Okta RADIUS Server Agent sends to Okta Identity Cloud
4. Okta Identify Cloud Determines the Authentication source and responds or optionally forwards to on-prem directory agent
5. Optional: Directory Agent sends Password to Directory
6. Optional: Directory Confirms the password
7. Optional: Directory Agent Confirms the password to Okta Identity Cloud
8. Okta Identity Cloud evaluates the authentication policy and as required sends a message to the Okta RADIUS Server Agent to challenge the user for a factor
9. The Okta RADIUS Server Agent relays the challenge message to the Gateway
10. The Gateway displays a message to select a factor to the user
11. User supplies the desired factor
12. Gateway receives data and forwards via Radius to Okta RADIUS Server Agent
13. Okta RADIUS Server Agent sends to Okta Identity Cloud
14. Okta Identify Cloud evaluates the Choice and triggers the appropriate response (push message shown)
15. Push message is received and Responded to by the user
16. Success Message returned to the Okta RADIUS Server Agent
17. Success Message returned to the gateway
18. Connected

Test 1 – Test with the BIG-IP Edge Client

1. Open the BIG-IP Edge Client.

2. Select the server, and enter your username, password, and factor (OTP value or out of band keyword), as shown below.

   

   Note: The username must be in the format you specified when you added the app in Okta in Part 2, above.

3. Click Connect.

4. Note: When using sms or call, the first login fails, but triggers the delivery of a call or sms code. Initiate another logon with that information. The image in step 2 shows the failure message. This is expected.

5. After successfully completing the challenge you are connected, as shown below. If you entered an incorrect value or take to long to respond to the push notification, you receive the message, "The user name or password is not correct. Please try again."

   

Test 2 – Test Clientless VPN with F5 web portal

1. Navigate to the F5 portal.

2. Select the server, and enter your username, password, and factor (OTP value or out of band keyword), as shown below.

   

   Note: The username must be in the format you specified when you added the app in Okta in Part 2, above.

3. Click Logon.

4. Note: When using sms or call, the first login fails, but triggers the delivery of a call or sms code. Initiate another logon with that information.

5. After successfully completing the challenge you are connected, as shown below. If you entered an incorrect value or take to long to respond to the push notification, you receive the message, "The username or password is not correct. Please try again. (error: Access-Reject)"

   

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the F5 BIG IP RADIUS for APM and VPN App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the Radius app in your Okta Admin Console

• Client IP: Check Report client IP.
• RADIUS End User IP Attributes: 66 Tunnel-Client-Endpoint

Configure Groups Response

F5 BIG-IP APM can use group information from Okta to make advanced assignment and policy decisions. To configure Okta to send Radius Group information to F5 BIG-IP APM

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the Radius app in your Okta Admin Console, as shown below.

• RADIUS Attribute: 25 Class
• Group memberships to return Select Groups to Return

• Response format: Repeating attributes

• Group name format: ${group.name}

For troubleshooting information, refer to the section on RADIUS Authentication on the AskF5 site at https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/7.html.

• Okta Documentation - Configuring Sign On Policies

• F5 RADIUS Authentication: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/7.html