This technical integration guide describes how to integrate a F5 BIG-IP Access Policy Manager (APM) Appliance and Identity as a Service. The aim of this integration is to provide strong, second-factor authentication for your F5 BIG-IP Access Policy Manager (APM) appliance solution using Identity as a Service.
Before you begin, review the following:
Authentication method | Notes | Supported protocols
Token | Identity as a Service supports response-only tokens. One-step or two-step authentication. Note: Challenge/response tokens unsupported with MSCHAPv2. | EAP-GTC or EAP MSCHAPv2
OTP (One Time Password) by SMS or Token | Two-step authentication only | EAP-GTC
Note: The PA-VM supports only CHAP authentication methods with RADIUS.
The following F5 BIG-IP features are documented in this technical integration guide:
● Access Policy Managers can be used with most standard browsers supporting secure HTTP (also known as HTTPS).
● Standard SSL encryption from the client browser to the Access Policy Manager.
● The F5 Big-IP Access Policy Manager provides a web-based Configuration utility. The Configuration utility includes tools for managing the Access Policy Manager, configuring secure access, creating and assigning resources, certificate generation and installation, and customization of the remote client user interface.
● The Access Policy Manager can perform authentication, authorization, and accounting (AAA), using standard AAA methods, including LDAP directories, Microsoft® Active Directory® and Microsoft Windows® Domain servers, RADIUS servers, and HTTP authentication.
● With Access Policy Manager, you can configure a network access VPN connection for remote access. Using network access, you create an access policy and local traffic virtual server so end users can establish a full VPN connection to internal network resources.
Complete the following steps before integrating your authentication system with Identity as a Service:
1. Install and configure your first-factor authentication resource using the documentation provided by the vendor. The first-factor authentication resource can be a RADIUS server or an external authentication resource (a Local DB, LDAP-compliant directory or Windows domain controller through Kerberos).
2. Install and configure the RADIUS appliance using the documentation provided by the vendor. The device must be able to route traffic before integrating with Identity as a Service.
3. Install and configure Identity as a Service and an Identity as a Service gateway (containing a RADIUS proxy agent). Take note of the shared secrets, IP addresses, and ports you use. You need this information to configure the RADIUS appliance and first-factor authentication resource.
4. If you want to configure your RADIUS appliance and first-factor authentication resource to recognize Identity as a Service user groups, you must define the Identity as a Service user groups first.
Complete the following to integrate F5 Big-IP with IDaaS.
Complete the following steps to configure the F5 BIG-IP Access Policy Manager to use the Identity as a Service proxy and enable VPN services.
You can set the IP address for the computer or workstation to connect to the F5 BIG-IP controller using one of the following methods:
● Connect to the management interface using the default network
All F5 BIG-IP systems ship with a default network configured on the management interface. You can access the web-based Configuration utility through the management port, and configure the unit directly. You can use this method if you do not want to configure the management interface before you connect to the web-based configuration utility.
● Run the Configuration utility remotely
You can run the Configuration utility remotely only from a workstation that is on the same LAN as the unit. To allow remote connections for the Configuration utility, the traffic management software comes with two predefined IP addresses, and a predefined root password.
– The default root password is default.
– The preferred default IP address is 192.168.1.245.
If this IP address is unsuitable for your network, the traffic management software uses an alternate IP address, 192.168.245.245. However, if you define an IP alias on an administrative workstation in the same IP network as the system, the unit detects the network of the alias and uses the corresponding default IP address.
Once the utility finishes and the system reboots, these default IP addresses are replaced by the information that you entered in the initial configuration you create with the Configuration utility.
Step 1.2: Set the static IP address to access the F5 BIG-IP management port
You need to set the static IP address to access the F5 BIG-IP management port IP address.
Set the static IP address to access the F5 BIG-IP management port IP address
1. To change the computer’s IP address in Windows, type network and sharing in the Search box in the Start Menu and select Network and Sharing Center.
● If you are using Windows 8.x it will be on the Start Screen.
● If you are using Windows 7 or 10 it will be on the Start Menu.
2. In the Network and Sharing Center, click Change adapter settings.
3. Right-click your Local Area Connection and select Properties to display the Local Area Connection Properties page.
4. In the Local Area Connection Properties page, highlight Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
The Internet Protocol Version 4 (TCP/IPv4) Properties page appears.
5. In the Internet Protocol Version 4 (TCP/IPv4) Properties page, do the following:
a. Select the Use the following IP address radio button.
b. Enter the correct IP address.
c. Enter the Subnet mask.
d. Enter the Default gateway that corresponds with F5 BIG-IP Management port network and subnet.
6. Click OK to close the Local Area Connections Properties page.
7. Open a command prompt and type ipconfig to see whether the network adapter settings have been successfully changed.
Before you can configure and manage the system, you need to connect the unit to a management workstation or network. There are three ways to attach a management workstation or network to the traffic management system.
● Use a serial console. You can connect a null modem cable to the port marked CONSOLE on the unit, and access the command line with a terminal emulator.
● Add a network to the management interface. You can configure an IP address on the Ethernet interface 1.1 labeled MGMT and access the web-based Configuration utility to configure the traffic management software.
● Use the default network to connect to the management interface. You can connect a cable to the Ethernet interface 1.1 labeled MGMT and access the web-based Configuration utility to configure the traffic management software and use the default network for setup.
Connect using the default network option to change the management and internal/external interface IPs using the CLI
1. After assigning the static IP to the client computer or workstation, launch the PuTTY client to SSH to the F5 BIG-IP management IP address. The PuTTY Configuration page appears.
2. In the Host Name (or IP address) field, enter the F5 BIG-IP management IP address.
3. Click Open to open the command line interface (CLI).
4. Login using the following BIG-IP system default credentials:
● Login: root
● Password: default
5. Edit the Network configuration file eth0 (Management IP) using the vi editor.
6. Add management IP and Netmask details as per your Corporate Network or LAN and then save the file.
Note: To enter ex mode in vi, press the [Esc] key and then type a colon (:). For example, to save your changes and exit vi, press [Esc] and type :wq.
7. Edit the Network configuration file eth1 (Internal IP) using the vi editor.
8. Assign the DHCP IP from the Corporate Network or LAN for internal interface eth1.
Note: Ensure that you set BOOTPROTO to dhcp.
Note: If you are required to set the static IP to internal interface (eth1), add the IP address and Netmask details manually.
9. At the command prompt, type ifconfig eth0 (substituting the interface name you configured) to verify the assigned IPs.
Step 1.4: Run the setup utility to license and provision F5 Big-IP
Before you begin, be sure to have the F5 BIG-IP base registration key. Using the Setup utility, you can activate the license and provision the F5 BIG-IP system. After you get the management workstation connected to the management interface, you can open the Configuration utility and begin licensing the system. When you start the utility from a Web browser, you use the selected default IP address as the application URL.
To start the Configuration utility in a web browser
1. From a workstation attached to the network on which you configured the Management Interface, type https://<management_IP_address>, where management_IP_address is the address you configured for device management.
For example: https://192.168.1.245 (which is the default).
If you changed the default, use the IP address that is assigned to the Management port.
The BIG-IP Configuration Utility opens.
2. At the login prompt, enter the default user name admin, and password admin, and then click Log in. The Setup Utility page appears.
3. Click Next. The License Activation page appears.
4. Click Activate. The License General Properties page appears.
5. In the Base Registration Key field, type or paste the registration key that you received when you purchased the F5 BIG-IP device.
6. Click Next. The BIG-IP system automatically connects to the F5 License Server and activates the license.
See the following link for more information about activation methods of licensing the BIG-IP system.
https://support.f5.com/kb/en-us/solutions/public/7000/700/sol7752.html
Note: Traffic processing is briefly interrupted while the BIG-IP system reloads the configuration.
7. After the license is activated and the BIG-IP configuration is reloaded, the Resource Provisioning page appears.
8. From the Access Policy (APM) module drop-down list, select Nominal.
9. Scroll down the page and click Next. It takes a few seconds for the configuration to update. Once done, click Continue.
The Device Certificates page appears.
10. Click Next. The Platform page appears.
11. In the Platform page, do the following:
a. For the Management Port Configuration, click Manual.
b. Enter the Management Port IP address.
c. Enter the Network mask.
d. Enter the Management Route.
Note: Choose DHCP if you are required to obtain the IP from DHCP Server.
e. In the Host Name field, enter the host name of this F5 BIG-IP system, for example, bigip.mydomain.com.
f. Enter new root and admin account passwords and confirm the passwords.
g. Click Next. The F5 BIG-IP system prompts you to log in again.
12. Log into the F5 BIG-IP system again with the new password.
The F5 BIG-IP system license is now activated, and the F5 BIG-IP APM module is provisioned. The Standard network configuration screen within the Setup utility appears.
13. Click Next. The Redundant Device Wizard Options page appears.
14. Deselect the Display configuration synchronization options checkbox and then click Next. The Internal Network Configuration page appears.
15. Click Next.
Step 1.5: Configure the internal and external networks
Using the Setup utility, you can configure the internal network by specifying self IP addresses and settings for VLAN internal, which is the default VLAN for the internal network.
To configure the internal and external networks
1. In the Internal Network Configuration page, complete the following:
a. Specify the Self IP setting for the internal network by doing the following:
– In the Address field, type a self IP address.
– In the Netmask field, type a network mask for the self IP address.
– For the Port Lockdown setting, retain the default value.
b. For the VLAN Tag ID setting, retain the default value, auto. This is the recommended value.
c. For the Interfaces settings, do the following:
– From the VLAN Interfaces drop-down list, select an interface number.
– From the Tagging list, select Tagged or Untagged.
Note: Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
2. Click Add.
3. Click Next. The External Network Configuration page appears.
4. In the External Network Configuration page, complete the following:
a. Specify the Self IP setting for the external network by doing the following:
– In the Address field, type a self IP address.
– In the Netmask field, type a network mask for the self IP address.
– For the Port Lockdown setting, retain the default value.
b. In the Default Gateway field, type the IP address that you want to use as the default gateway to VLAN external.
c. For the VLAN Tag ID setting, retain the default value, auto. This is the recommended value.
d. For the VLAN Interfaces settings, do the following:
– From the Interfaces drop-down list, select an interface number.
– From the Tagging list, select Tagged or Untagged.
Note: Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
5. Click Add.
6. Click Finished.
Step 1.6: Configure Microsoft Active Directory (AD) authentication
When using an external Microsoft Active Directory (AD) server to authenticate F5 users, you must configure the Active Directory (AD) server to recognize the F5 as a client.
To set up the F5 BIG-IP Appliance, you must add the Active Directory as an AAA (Authentication) Server.
To configure a connection to the Active Directory server on F5 BIG-IP APM Appliance
1. On the Main tab of the F5 navigation pane, expand Access Policy, click AAA Servers and then click the plus sign (+) next to Active Directory.
The New Server page appears.
2. In the New Server page, do the following:
a. Under General Properties, in the Name field enter the name for the Active Directory (AD) server.
b. In the Domain Name field type your domain name, for example, mydomain.com.
c. In the Server Connection field, select Direct.
d. In the Domain Controller field, enter the IP address of your Active Directory (AD) server.
e. In the Admin Name field, enter the Active Directory (AD) server administrator user name, for example, administrator.
f. In the Admin Password and Verify Admin Password fields, enter the Active Directory (AD) server Administrator user password.
g. Accept all other default settings.
3. Click Finished.
4. On the Main tab of the F5 navigation pane, expand Access Policy, click AAA Servers to list the AAA Servers.
5. Obtain the LDAP STRINGS from the Active Directory (AD) Server by doing the following:
a. On the Domain Controller (Active Directory server), click Start > All Programs > Administrative Tools and select the ADSI Edit application.
b. Right-click ADSI Edit and click Connect to...
c. Click OK. The Connection Settings page appears.
d. Click OK. ADSI Edit automatically attempts to load the current domain.
e. Expand Default naming context > DC > CN=Users, right-click CN=Administrator and select Properties.
The Administrator Properties page appears.
f. Click the Attribute Editor tab and scroll until you find the field distinguishedName.
g. Click View. The String Attribute Editor page appears.
h. Make a note of the information in the Value field. This is the user string that you will use later.
i. Click OK.
6. On the Main tab of the F5 navigation pane, expand System and click Users > Authentication. The Users Authentication page appears.
7. In the Users Authentication page, do the following:
a. Under Authentication, in the User Directory field, select Remote - Active Directory from the drop-down list.
b. In the Host field enter your Active Directory Server IP address.
c. In the Port field enter 389.
d. In the Remote Directory field, enter the domain string value that you recorded in Step 5 of this procedure.
e. In the Scope field, select Sub from the drop-down list.
f. In the Bind field, enter the DN, the DN password and confirm the password.
g. Accept all other default settings.
8. Click Finished.
After you have configured the F5 BIG-IP Appliance for Identity as a Service, you need to configure Identity as a Service on the F5 BIG-IP Appliance.
When using an external RADIUS server to authenticate F5 users, you must configure the server to recognize the F5 as a client and specify a shared secret for the RADIUS server to use to authenticate the client request. To set up the F5 BIG-IP Appliance, you must add Identity as a Service as an AAA (Authentication) Server.
To configure a connection to Identity as a Service on F5 BIG-IP APM appliance
1. On the Main tab of the F5 navigation pane, expand Access Policy, click AAA Servers and then click the plus sign (+) next to RADIUS. The New Server page appears.
2. In the New Server page, do the following:
a. Under General Properties, in the Name field enter the name for the RADIUS server.
b. In the Mode field select Authentication.
c. In the Server Address field enter the IP address of your RADIUS server.
d. In the Authentication Service Port field, enter the port for your RADIUS server, for example 1812.
e. Enter and confirm the shared secret for your RADIUS server.
f. Select UTF-8 from the Character Set drop-down menu.
g. Accept all other default settings.
3. Click Finished.
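The RADIUS AAA server defined above shares a secret with Identity as a Service and sends to a port such as 1812. The following is an added example, not F5 or Entrust code, that shows what that shared secret does on the wire: it builds an Access-Request the way a RADIUS client does (User-Password hiding keyed by the secret as in RFC 2865, plus the Message-Authenticator attribute of RFC 2869, which is the attribute the Identity as a Service RADIUS application settings let you require on incoming messages) and then verifies the packet as the server side would. The secret, user name, password and the fixed Request Authenticator are constructed sample values; a real client draws the authenticator at random per request.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

# Constructed sample values (not from the guide or any real deployment).
SECRET = b"constructed-shared-secret"
FIXED_AUTHENTICATOR = bytes(range(16))  # fixed only so the example is reproducible


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator.
    This only obscures the password; it does not authenticate the packet."""
    pad_len = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad_len
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server (the IDaaS agent)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, digest)), block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         authenticator: bytes = None, with_message_authenticator: bool = True) -> bytes:
    """Build an Access-Request. Message-Authenticator is HMAC-MD5 over the whole packet,
    keyed with the shared secret, computed with the attribute's own value zeroed."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username.encode("utf-8"))
    attrs += attr(USER_PASSWORD, hide_password(password.encode("utf-8"), secret, authenticator))
    if not with_message_authenticator:
        return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet: bytes) -> list:
    """Split the attribute region into (type, value) pairs, refusing malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_access_request(packet: bytes, secret: bytes, require_message_authenticator: bool = True):
    """Server-side check; returns (accepted, reason). Requiring the attribute is the effect of the
    IDaaS option 'Indicate if requests must include the message-authenticator attribute'."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return False, "not an Access-Request"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "length field does not match packet size"
    attrs = parse_attributes(packet)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        if require_message_authenticator:
            return False, "Message-Authenticator missing"
        return True, "accepted without Message-Authenticator"
    if len(macs[0]) != 16:
        return False, "Message-Authenticator has wrong length"
    rebuilt = packet[:20] + b"".join(
        attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, rebuilt, hashlib.md5).digest()
    if not hmac.compare_digest(expected, macs[0]):
        return False, "Message-Authenticator mismatch: wrong shared secret or altered packet"
    return True, "accepted"


def demo() -> dict:
    """Round trip with the constructed values; see each outcome in the returned dict."""
    pkt = build_access_request(7, "alice", "Winter2024!", SECRET, FIXED_AUTHENTICATOR)
    hidden = dict(parse_attributes(pkt))[USER_PASSWORD]
    no_mac = build_access_request(7, "alice", "Winter2024!", SECRET, FIXED_AUTHENTICATOR,
                                  with_message_authenticator=False)
    return {
        "recovered_password": unhide_password(hidden, SECRET, FIXED_AUTHENTICATOR),
        "good_secret": verify_access_request(pkt, SECRET),
        "wrong_secret": verify_access_request(pkt, b"not-the-secret"),
        "missing_required": verify_access_request(no_mac, SECRET),
        "missing_optional": verify_access_request(no_mac, SECRET, require_message_authenticator=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the round trip makes: User-Password hiding alone lets a server with the wrong secret simply see a garbage password, but nothing in the packet proves which secret the client used or that the packet was not altered in transit. Requiring Message-Authenticator gives the server that check, which is why it is worth enabling on both the F5 side and the Identity as a Service RADIUS application once the shared secrets match.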
With the APM wizards, you can quickly configure any of the three access types with a simple working configuration. After you configure a connection with the wizard, you can go back and edit the configuration to further customize the access policy.
For this Technical Integration Guide, we have used the Network Access Setup Wizard for Remote Access.
To configure the Access Policy Manager for remote access
1. To access APM Wizards, in the F5 navigation pane, expand Templates and Wizards, and then click Device Wizards. The Device Wizards page appears.
2. Select the Network Access Setup Wizard for Remote Access option, and then click Next. The Basic Properties page appears.
Note: This wizard configures a working VPN connection. Typically, this allows users outside your network to connect to specified networks and use their applications and network sites as if they are physically on the network.
3. In the Basic Properties page, do the following:
a. Enter the Policy Name for the access policy that will be created.
The Policy Name is the name of the access policy that will be created and is used as the naming prefix for other objects configured with the access policy. Later, when you look for items created with the wizard, they are named with this prefix.
b. Accept the Default Language (English), or change it, if required.
c. Select the Full Webtop Enabled check box.
d. Deselect the Enable Antivirus Check in Access Policy check box.
At a later time, you can refine this client-side check to verify a specific antivirus product.
e. Click Next. The System DNS/NTP Configuration page appears.
4. For BIG-IP APM, you must have the DNS and NTP settings configured. To configure these setting, do the following:
a. For the DNS Lookup Server List, enter the IP address of the DNS server and then click Add.
b. For the DNS Search Domain List, enter the Name of the DNS server and then click Add.
c. For the Time Server List, enter the Name of the NTP server and then click Add.
d. Scroll down the page, click Next. The Select Authentication page appears.
5. In the Select Authentication page, do the following:
a. For Authentication Options, select Use Existing.
b. From the Filter by Server Type drop-down lists, select RADIUS and your AAA RADIUS Server, for example, IdentityGuard or Active Directory.
c. Click Next. The Configure Lease Pool page appears.
6. In the Configure Lease Pool page, do the following:
a. From the Supported IP Version drop-down list, select IPv4.
b. Specify the Type for the IPV4 Member List (either IP Address or IP Address Range).
c. Enter the Start IP Address.
d. Enter the End IP Address.
e. Click Add one time to specify an IP range.
Note: Click Edit to specify a different IP address.
7. Click Next. The Configure Network Access page appears for you to specify the network traffic options.
Note: Lease pools are a configuration requirement for network access connections. Each connection is assigned an IP address from the lease pool. You must configure a lease pool with as many IP addresses as required for the number of connected users you expect to host.
8. Specify the desired Traffic Options. (If you select the option to use split tunneling, only the network traffic that you specify goes through the network access connection.)
9. Click Next. The Configure DNS Hosts for Network Access page appears.
10. In the Configure DNS Hosts for Network Access, enter an IPV4 Primary Name Server IP address and then click Next. The Virtual Server (HTTPS connection) page appears.
11. In the Virtual Server IP Address field enter an IP address for a public or Private IP that remote users can access through the Local network, Internet, or a VPN client.
Note: The IP address for this field needs to be on the same subnet as the external self-IP address.
12. Select the Create Redirect Server check box.
Selecting this option eliminates connection issues that users encounter when they do not type https before the virtual server IP.
13. Click Next. The Review Configuration page appears.
14. Review the configuration. If you need to, you can use the Previous and Next buttons to edit the configuration.
15. Click Next.
16. After reviewing and approving your settings, click Finished. The Access Profiles List page appears.
17. When you have finished customizing your configuration, click Apply Access Policy to apply your access policy.
The system creates and applies network access objects. Current authentication methods have been created and applied to an access policy.
Note: When you have finished, you can still edit any setting associated with the access profile from the Access Profile page. To do so, navigate to Access Policy > Access Profiles > <name of access profile>. You can also edit the virtual server on the Virtual Server page by navigating to Local Traffic > Virtual Servers > <name of virtual server>.
You can customize the Logon page to collect the Active Directory password and the Identity as a Service token response.
Typically, when you configure an authentication action, you precede it with a Logon Page action to collect credentials. This example describes how to include more than one authentication in an access policy and present a Logon page only once. In this example, the first password presented is the Active Directory password and the second password presented is the Identity as a Service token response.
To add a second password on login UI for one-step authentication
1. Login to F5 BIG-IP.
2. Click the Main tab and select Access Policy > Access Profiles. The Access Profiles List page appears.
3. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
4. Click the Logon Page link. The Logon Page Agent Properties popup page appears.
5. To customize the Logon Page to prompt for a token code in addition to a password, do the following to add a second password field to the Logon page and supply the appropriate prompts for both password fields.
a. From the Type list in row 3, select password.
b. In the Post Variable Name field in row 3, type password1. The name password1 is an example.
c. In the Session Variable Name field in row 3, type password1.
The name password1 is an example. If you type password1, the name password1 becomes part of the session variable name, session.logon.last.password1. APM stores user input for the field in this session variable.
You now have two fields that accept passwords on this Logon Page.
6. Next, you must set the prompts that display for each password field. This access policy runs AD/LDAP/Local DB authentication first and another type of authentication, such as Entrust IdentityGuard, afterward. To do this, complete the following:
a. In Logon Page Input Field #2, replace the text Password with AD Password, LDAP Password, or Local DB Password (or the wording of your choice), based on the first authentication method you already defined.
b. In Logon Page Input Field #3, type a prompt for the other type of authentication, for example, Identity Guard Token ID.
c. Click Save. The Properties page closes and the visual policy editor appears.
Using the Visual Policy Editor, you can add or modify settings associated with the access profile. You may want to do this to change or define external or internal authentication flows in the BIG-IP Appliance.
To use the Visual Policy Editor to modify authentication flows
1. Log into F5 BIG-IP.
2. Click the Main tab and select Access Policy > Access Profiles > <name of access profile>.
3. Click Edit. The Visual Policy Editor opens in the Web browser.
The following diagrams provide examples of the following:
● Authentication with only Identity as a Service RADIUS (see Figure 1)
● Authentication with Active Directory and Identity as a Service RADIUS proxy (see Figure 2)
● Authentication with Local database and Identity as a Service RADIUS proxy (see Figure 3)
Figure 1: Authentication with only Identity as a Service RADIUS (image not reproduced)
Figure 2: Authentication with Active Directory and Identity as a Service RADIUS proxy (image not reproduced)
Figure 3: Authentication with Local database and Identity as a Service RADIUS proxy (image not reproduced)
Note: Before you add Identity as a Service authentication to an access policy, you must have at least one AAA Identity as a Service server configured in Access Policy Manager (APM). You might need an AAA server or a local users database configured for another type of authentication, depending on the type or number of authentication actions that you plan to add to this access policy. This access policy uses Active Directory/LDAP authentication in addition to Identity as a Service. In this case, an Active Directory, LDAP AAA server, or local users database is required.
Big-IP Edge Client is a native platform-specific application for desktop operating systems that provides network access and endpoint inspection. Big-IP Edge Client allows users to connect to the Big-IP APM system to provide layer 3 network access to protected enterprise network resources.
Download and set the F5 BIG-IP Edge (VPN) client
1. Login to F5 BIG-IP.
2. Click the Main tab in the F5 navigation pane and then select Access Policy > Secure Connectivity. The Connectivity Profiles List page appears.
3. Select the Remote Access Profile.
4. From the Customize Package drop-down menu, select the required Client Software (Windows or Mac). (For this example, Windows has been selected.) The Customize Windows Client Package page appears.
5. Customize the Client Software by choosing the options as required and then click Download.
6. Save the BigIPEdgeClient.exe file and then install it.
7. Launch F5 Big-IP Edge Client by clicking Start > Programs > F5 BIG-IP Edge Client.
8. Click Change Server and enter the F5 Big-IP APM Virtual Server IP address.
9. Click Next to connect to the Big-IP Server and open the Logon window.
Note: See the following link to learn more about Big-IP APM Client Compatibility Matrix, for example, OS, browser and browser compatibility, and supported access and endpoint security features: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-clientcompatmatrix-12-0-0.html
Note: Entrust recommends that when multiple RADIUS applications are configured that each RADIUS application is given a unique shared secret.
Integrate a RADIUS client
1. Click > Security > Applications. The Applications page appears.
2. Click Add. The Select an Application Template page appears.
3. Under RADIUS and VPN Integrations, click F5. The Add F5 page appears.
4. Optional: Edit the Application Name.
5. Optional. Enter a Description for your application.
6. Optional. Add a custom application logo as follows:
a. Click next to Application Logo. The Upload Logo dialog box appears.
b. Click to select an image file to upload.
c. Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.
d. If required, resize your image.
e. Click OK.
7. Click Next. The Setup page appears.
8. Click Add next to Hosts to add the host name of the VPN server. The RADIUS agent receives the request on this host. The RADIUS Agent on the Gateway determines which RADIUS application the request is for based on the host name and port.
9. Enter the host name in the Host dialog box and then click OK. Repeat this step to add more host names.
10. In the Port field, enter the port on which the RADIUS agent accepts messages.
Tip: Do not enter 8443 as the port number for this application. Port 8443 is used by the Entrust Identity Enterprise agent in your Gateway.
Attention: The RADIUS agent uses the host name that sent a request and the port number that it received the request from to determine which RADIUS application made the request. Because of that:
– Two RADIUS applications with the same port value cannot share any host names.
– Two RADIUS applications that have one or more matching host names must have different port values.
11. In the Shared Secret field, enter the shared secret that is used by your VPN server. This is the RADIUS secret shared between your VPN server and the RADIUS server. The shared secret value must match a shared secret in your RADIUS client.
12. From the Select RADIUS Agent drop-down list, select the name of the Gateway containing the RADIUS agent to which this application will be assigned.
13. Optional: From the Select RADIUS Attribute for IP Address drop-down list, select the RADIUS attribute that corresponds to your IP location.
14. In the Challenge Response Queue Max Time field, set the number of seconds that the RADIUS agent waits for a response to first-factor authentication. The default value is 180 seconds.
15. In the Challenge Response Queue Max Size field, set the maximum number of second-factor challenge requests allowed in the queue of your RADIUS application. The default value is 1000 requests. The maximum value is 10,000.
16. In the Request Cache Timeout field, set the number of seconds to cache requests. The default value is 10 seconds.
17. From the Character Set drop-down list, select the character set used to decode and encode string values (including the user ID and password values) in RADIUS messages. The options are UTF-8 and ISO-8859-1.
18. Optional: Select Log RADIUS messages to enable RADIUS message logging. When enabled, messages for the RADIUS agent are logged to the same log file as the gateway logs.
19. Optional: Enable the Authentication Settings.
Select Enable Push Authentication Fallback if you want authentication to fall back to another authenticator in the event of a failure. If required, set the Push Authentication Fallback Timeout to the number of minutes before the push authentication times out.
Select When authenticating the user will be asked to select their second-factor authenticator. When selected, after the user responds to the first-factor challenge, they are prompted to select their second-factor authenticator. The list of available second-factor authenticators is set by the resource rule.
The following is a list of supported strings matched to the authentication types:
Grid: grid
Knowledge-based Authentication: kba
One-time password: email, sms, voice
Smart Credential Push: scpush
Temporary Access Code: tac
Token: token
Token push: push
Select Indicate if requests must include the message-authenticator attribute for incoming messages to require that incoming messages include the Message-Authenticator attribute.
Select Indicate if requests must include the message-authenticator attribute for outgoing messages to include the Message-Authenticator attribute in outgoing messages.
Select Remove domain from user ID for incoming requests to remove the domain value from the user ID during authentication when the user ID provided by the RADIUS client is in the format domain\username and the user ID in IDaaS is in the format username.
Select Indicate if Active Directory password authentication requests are handled by the same Gateway Instance that initiated the request to require that Active Directory password authentication and change requests initiated as part of the RADIUS authentication are handled by the Gateway Instance that initiated them. If disabled, the request can be handled by any Gateway Instance in the same Gateway cluster.
Select Enable one-step multi-factor authentication. When enabled, the user enters their user ID and then their password and token response in the password field. If you select this option, second factor authenticators available in the resource rule are limited to token and temporary access code.
Enter the One-step multi-factor authentication security token length. This is the length of the token or temporary access code response if you enable one-step multi-factor authentication.
20. Optional: Add Response Attributes. Response attributes are returned to the RADIUS application after successful authentication. Use this setting to configure RADIUS attributes that return information, such as the user's group information, to the VPN server.
When adding response attributes, you can optionally add group filters. Example:
Users in IDaaS may belong to one of the following groups: CANADA, US, UK, FRANCE. The VPN server wants the FilterID attribute returned from the IDaaS RADIUS agent to be the value NA or EUROPE, depending on whether the user is in NA (Canada, US) or Europe (UK, France). To do this, use a RADIUS attribute filter for the FilterID attribute with a Groups value with the following filters:
- match CANADA, replace NA
- match US, replace NA
- match UK, replace EUROPE
- match FRANCE, replace EUROPE
Set the Response Attributes as follows:
Click Add. The Add a Response Attribute dialog box appears.
Select the RADIUS Attribute ID from the drop-down list. The option you select depends on your VPN vendor.
Select the Value Type from the drop-down list.
To return a static value specified in the RADIUS attribute definition, select Static, enter a Value in the field, and then click Add.
To return the user’s group membership, select Group and then optionally do the following:
Click Add to add filters.
Enter the Match and the Replace attribute filters.
Click Add to add more attribute filters.
If you add multiple filters, you can drag and drop them in order of preference.
Select Stop after matching filter if you want only the first matching filter to return a value. Using the example above, if you want NA to have preference over Europe, make sure to list Canada and US first in the list of filters.
Optionally, select Multiple Values Per Attribute, enter the Value Separator, and then click Add.
Note: If a user belongs to more than one group, you can either add a separate attribute to your RADIUS response for each group or combine all of the groups into a single attribute. For example, if the user belongs to G1,G2,G3 then you would either:
- return a RADIUS response with three attributes, or
- return a RADIUS response with one attribute and a value like “G1,G2,G3” where the , is defined in the Value Separator setting, or a value like “G1 G2 G3” where the Value Separator is defined as a space.
Attention: The default group separator is a space. If you have group names that are separated by a space, use another separator, such as a comma.
Repeat these steps to add more response attributes.
21. Optional: Configure the EAP Settings to set up the application to use the EAP RADIUS authentication protocol.
a. Select EAP Enabled to allow the RADIUS application to accept EAP messages.
– When enabled, authentication messages with EAP content are treated as EAP requests. The application can accept only EAP authentication requests.
– When disabled, incoming authentication requests are processed by the RADIUS application as a standard RADIUS authentication request (even if the request includes EAP content). In this case, the application can accept only standard RADIUS authentication requests.
b. Select the EAP Protocol from the drop-down list. The options are PEAPv0 with MS-CHAPv2 and PEAPv1 with GTC.
This setting defines the type of EAP authentication protocol that is performed on EAP requests received by the RADIUS application. Consult the configuration requirements of your VPN server to determine which EAP protocol to select.
c. Select Return MPPE Keys to include the MPPE (Microsoft Point-to-Point Encryption) recv and send keys in the Access-Accept message returned during a successful EAP authentication. The setting is enabled by default.
d. Select Use PEAPv1 label when calculating MPPE Keys to use the PEAPv1 label when calculating the MPPE recv and send keys.
e. Leave the Minimum TLS Version, Maximum TLS Version and Allow Weak Ciphers settings at their defaults unless you have an older VPN server that does not support the latest TLS versions and you need to allow older versions of TLS or weaker ciphers to interoperate with it.
22. Configure the Deprecated Settings if your RADIUS application is connected to a Gateway version older than 3.0. These values are only required for backwards compatibility.
a. Select Token OTP Only, Password with second-factor, or No first-factor as the Authentication Type. This setting defines the level of authentication required to access a RADIUS application that relies on a gateway RADIUS agent configured before release 3.1.
Note: MSCHAPv2 authentication is not supported when No first-factor authentication is configured for the RADIUS application.
23. Click Submit.
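Step 19 lets you require the Message-Authenticator attribute on incoming requests and add it to outgoing messages. The following is an added example (not Identity as a Service or F5 code) of what that attribute provides: it builds an Access-Request and its response, computes the Message-Authenticator as HMAC-MD5 keyed with the shared secret per RFC 2869, and verifies it on the receiving side, rejecting a tampered packet and, when the attribute is required, a packet that omits it. The shared secret, identifier, user name and NAS identifier are constructed values.

```python
# RADIUS Message-Authenticator (RFC 2869 s5.14): HMAC-MD5 keyed with the shared
# secret over the packet, with the attribute's own 16-octet value zeroed.
# Added example; not Identity as a Service or F5 code. All values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                           # packet codes (RFC 2865)
USER_NAME, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 32, 80   # attribute types
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)

def encode_attrs(attrs):
    """Encode [(type, value_bytes)] as RADIUS type-length-value attributes."""
    out = bytearray()
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return bytes(out)

def decode_attrs(data):
    """Walk the attribute section strictly, yielding (offset, type, value)."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        yield off, typ, data[off + 2:off + length]
        off += length

def build_packet(code, ident, authenticator, attrs):
    """Header plus attributes; the Length field covers the whole packet."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body

def _hmac_input(packet, authenticator):
    """Packet copy with the Authenticator field replaced and the MA value zeroed.
    Returns (zeroed_packet, received_mac) or None if the attribute is absent."""
    buf = bytearray(packet)
    buf[4:HEADER_LEN] = authenticator
    for off, typ, val in decode_attrs(packet[HEADER_LEN:]):
        if typ == MESSAGE_AUTHENTICATOR:
            if len(val) != 16:
                raise ValueError("Message-Authenticator must be 16 octets")
            start = HEADER_LEN + off + 2
            buf[start:start + 16] = bytes(16)
            return bytes(buf), val
    return None

def sign_request(ident, secret, attrs):
    """Client side: Access-Request carrying a valid Message-Authenticator."""
    req_auth = os.urandom(16)                                  # Request Authenticator
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = bytearray(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()   # MA is the last attribute
    return bytes(pkt)

def verify_request(packet, secret, require=True):
    """Server side. require=True models the 'requests must include the
    message-authenticator attribute' setting: a packet without it is rejected."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    found = _hmac_input(packet, packet[4:HEADER_LEN])
    if found is None:
        return not require
    zeroed, received = found
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)

def build_response(code, request, secret, attrs):
    """Server side: reply with MA computed over the Request Authenticator, then the
    Response Authenticator (RFC 2865 s3) written over the finished packet."""
    req_auth = request[4:HEADER_LEN]
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = bytearray(build_packet(code, request[1], req_auth, attrs))
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    pkt[4:HEADER_LEN] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)

def verify_response(response, request, secret):
    """Client side: Response Authenticator and MA must both match."""
    req_auth = request[4:HEADER_LEN]
    with_req_auth = bytearray(response)
    with_req_auth[4:HEADER_LEN] = req_auth
    expected = hashlib.md5(bytes(with_req_auth) + secret).digest()
    if not hmac.compare_digest(expected, response[4:HEADER_LEN]):
        return False
    found = _hmac_input(response, req_auth)
    if found is None:
        return False
    zeroed, received = found
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed, not a deployment value
    req = sign_request(7, secret, [(USER_NAME, b"alice"), (NAS_IDENTIFIER, b"vpn-gw-1")])
    resp = build_response(ACCESS_ACCEPT, req, secret, [(USER_NAME, b"alice")])
    print(verify_request(req, secret), verify_response(resp, req, secret))
```

With the incoming-message option enabled, `verify_request(..., require=True)` is the behaviour to expect from the agent: a request whose attribute is missing or whose contents were altered in transit is rejected before any first-factor or second-factor step runs. The outgoing-message option corresponds to `build_response`, which gives the RADIUS client the same integrity check on the Access-Accept.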
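As an added example of the Group response-attribute filters in step 20 (not product code; the attribute name Filter-Id, the region filters and the user groups are constructed from the page's own example), the following models how the filter list in preference order, Stop after matching filter, Multiple Values Per Attribute and the Value Separator determine what is returned, and rejects a separator that occurs inside a group name, which is the case the Attention note warns about. Collapsing duplicate replacement values (a user in both CANADA and US yields NA once) is this example's own assumption.

```python
# Worked model of Group response-attribute filters. Added example, not Identity as a
# Service code; attribute name, filters and group names are constructed from the guide.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class GroupFilter:
    match: str      # IDaaS group name to look for
    replace: str    # value returned to the RADIUS client instead of the group name


@dataclass
class GroupAttribute:
    """One response attribute whose Value Type is Group."""
    attribute: str                                    # e.g. "Filter-Id"
    filters: List[GroupFilter] = field(default_factory=list)
    stop_after_match: bool = False   # "Stop after matching filter"
    multiple_values: bool = False    # "Multiple Values Per Attribute"
    separator: str = " "             # "Value Separator"; the default is a space


def resolve_values(user_groups, attr):
    """Values contributed by the user's groups, in filter-preference order.
    With no filters the raw group names are returned. Duplicate replacement
    values are collapsed (assumption of this example, not stated by the guide)."""
    if not attr.filters:
        return list(user_groups)
    values = []
    for f in attr.filters:                 # list order = drag-and-drop preference
        if f.match in user_groups and f.replace not in values:
            values.append(f.replace)
            if attr.stop_after_match:      # only the first matching filter counts
                break
    return values


def response_attributes(user_groups, attr) -> List[Tuple[str, str]]:
    """(attribute, value) pairs as they would be placed in the Access-Accept.
    A separator that also occurs inside a value would make the VPN server split
    that value, so it is rejected rather than silently producing extra values."""
    values = resolve_values(user_groups, attr)
    if not values:
        return []
    if attr.multiple_values:
        clash = [v for v in values if attr.separator in v]
        if clash:
            raise ValueError(f"{clash} contain the separator {attr.separator!r}; "
                             "choose another separator, such as a comma")
        return [(attr.attribute, attr.separator.join(values))]
    return [(attr.attribute, v) for v in values]       # one attribute per group


# The guide's example: NA must win over EUROPE, so CANADA and US are listed first.
REGION_FILTERS = [GroupFilter("CANADA", "NA"), GroupFilter("US", "NA"),
                  GroupFilter("UK", "EUROPE"), GroupFilter("FRANCE", "EUROPE")]

if __name__ == "__main__":
    one_region = GroupAttribute("Filter-Id", REGION_FILTERS, stop_after_match=True)
    print(response_attributes(["UK", "US"], one_region))
    joined = GroupAttribute("Filter-Id", REGION_FILTERS, multiple_values=True, separator=",")
    print(response_attributes(["US", "UK"], joined))
    plain = GroupAttribute("Filter-Id", multiple_values=True, separator=",")
    print(response_attributes(["G1", "G2", "G3"], plain))
```

Running it with a user in both UK and US shows why the filter order matters: with Stop after matching filter, the CANADA and US filters are evaluated first and the attribute carries NA only; without it, and with Multiple Values Per Attribute, the VPN server receives NA,EUROPE in a single Filter-Id value.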
● Resource rules for RADIUS applications include only the Date / Time, Geolocation and Source IP Address condition restrictions.
● The Authentication Decision steps that you can select for a RADIUS application resource rule depend on whether the RADIUS application uses EAP RADIUS authentication.
● If the settings of a RADIUS application on Identity as a Service are modified so that the application uses EAP RADIUS authentication, or the type of EAP protocol used is changed, the resource rule associated with the RADIUS application is automatically updated.
● RADIUS applications with no EAP support the following second-factor authenticators: knowledge-based authentication, temporary access code, one-time password, grid, hardware/software token, token push, and smart credential push.
● RADIUS applications with RADIUS MSCHAPv2 support only temporary access code and hardware/software token second-factor authenticators.
● When creating a resource rule for a RADIUS application, you can select EXTERNAL+no second-factor.
● RADIUS applications with RADIUS GTC support the following second-factor authenticators: software/hardware token, one time password, grid, temporary access code, knowledge-based authentication.
Create a resource rule to protect access to a RADIUS application
1. Log in to your Identity as a Service administrator account.
2. Click > Security > Resource Rules. The Resource Rules List page appears.
3. Click + next to the application you want to protect with a resource rule. The Add Resource Rules page appears.
4. Enter a Rule Name and Rule Description for the resource rule.
5. In the Groups list, select the group or groups of users restricted by the resource rule.
These are the groups to which the resource rule applies. If you do not select any groups, by default the resource rule applies to all groups.
Attention: You must maintain the default of all groups if you want to allow external authentication and bypass second-factor authentication for users who do not already exist in Identity as a Service. External Authentication without second-factor is only available to low risk users of RADIUS applications that support External Authentication.
6. Click Next. The Authentication Conditions Settings page appears.
7. If you do not Enable Advanced Risk Factors, do the following:
a. Select the Authentication Flow from the drop-down list. The Authentication Flow flowchart updates based on the selection.
b. Click Submit to save the Resource Rule.
8. If you want to Enable Advanced Risk Factors, complete the remaining steps in this procedure.
9. Select Enable Advanced Risk Factors to add additional risk factors to the resource rule.
10. Select Enable Strict Access for Application to set the resource rule to deny access regardless of the outcome from other resource rules. If this option is disabled for any resource rule that denies access, the user is allowed access if at least one resource rule allows access.
11. For each Advanced Risk Factor, click the Deny option to deny access to the application if the risk factor fails regardless of the results of the other risk factors.
12. Click Date/Time to set the conditions as follows:
a. Select one of the following:
– Allow Date/Time to set when a user can access the application.
– Deny Date/Time to set when the user cannot access the application.
The Date/Time Context Condition Settings appear.
b. Select the Condition Type:
– Specific Date Range Condition—Allows or denies access to the application during a selected period of days.
– Time-of-day and/or Day of Week Recurring Conditions—Allows or denies access to the application at a specific time of day, on specific days of the week, or both. Recurring times selected apply only to days that are not denied.
– Clear Selection—Clears existing Date and Time conditions.
c. Set the Condition Type settings, as follows:
i) Select Use local time zone to use the local time zone, or deselect Use local time zone, begin typing the time zone in the Begin Typing Timezone name field, and select the time zone from the drop-down list.
ii) If you selected Specific Date Range Condition, click Start Date to select a start date from the pop-up calendar. Optionally, select the End Date.
iii) If you selected Time-of-Day and/or Day-of-Week, click Start Time and select the start time from the pop-up clock. Optionally set the End Time. You must also select the days of the week for the condition.
d. Click Save to return to the Authentication Conditions Settings page.
13. Click Geolocation to set the Location Condition Settings, as follows:
a. Select Allow or Deny to create an allowed or denied country list.
b. From the Selected Countries drop-down list, select the countries to allow or deny access to the application. Repeat until you have added all the desired countries to the list.
c. Select Allow Anonymous IP Address to increase the risk of users authenticating from an anonymous IP.
d. Click Save to return to the Authentication Conditions Settings page.
14. Click Source IP Address. The IP Address Risk Setting dialog box appears. Do one of the following:
a. Select Custom and add the required IP Allowed Addresses and IP Denied Addresses.
b. Select IP List Address and select the IP List to allow or deny.
c. Select None to not restrict any IP addresses.
d. Click OK to return to the Authentication Conditions Settings.
15. Define the Location History / Known Locations and Travel Velocity conditions.
The Risk-Based Authentication (RBA) settings of your Identity as a Service account define the location history and travel velocity conditions. See Manage risk-based authentication settings for more information.
16. Set the risk score for each application condition, which is the risk percentage a user receives if they fail to meet the condition, as follows:
● Click the dot next to the condition setting and slide the risk scale to the risk percentage
-or-
● Click the 0% and enter the risk points and then click OK.
The default setting is 0%. The Risk percentage determines the authentication requirements as set by the Authentication Decision. When a user attempts to authenticate to an application, the final risk percentage is the sum of all failed conditions.
17. Set the Authentication Decision risk level for Medium Risk and High Risk as follows:
a. Click the risk threshold percentage to the right of Medium Risk or High Risk. The Risk Threshold dialog box appears.
b. Enter the risk percentage.
c. Click OK.
18. Select the Authentication Flows for Low Risk, Medium Risk, and High Risk from the drop-down lists. The Authentication Flows flowchart updates based on your selections.
19. Click Submit to create the resource rule.
After you complete the configuration, use a VPN Client or a Web browser to test the integration to ensure that it works correctly.
1. Launch F5 BIG-IP Edge Client and click Connect.
2. Enter the Identity as a Service user name and click Logon.
3. Enter the response to the second-factor challenge.
4. Click Logon.
The VPN/Remote access connection is established.
1. Launch F5 BIG-IP Edge Client and click Connect.
2. Enter the Identity as a Service user name and password and then click Logon.
3. Enter the response to the second-factor challenge.
4. Click Logon.
The VPN/Remote access connection is established.
Test using the Entrust Identity app for push authentication
1. Log in with the correct first-factor username/password on your RADIUS client.
2. Open the Entrust Identity app on a mobile device.
3. Unlock (log in) using the identity you want to use to respond to the request.
4. Tap Actions.
5. Review the transaction summary details.
6. Tap Confirm.