Before you add RSA SecurID authentication to an access policy, you must have at least one AAA SecurID server configured in Access Policy Manager® (APM®). You might need an AAA server configured for another type of authentication, depending on the number of authentication actions that you plan to add to this access policy. This access policy uses Active Directory authentication in addition to SecurID; in this case, an Active Directory AAA server is required.

You add RSA SecurID authentication to an access policy so that APM can request RSA SecurID authentication using the AAA SecurID server that you specify.

1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.

2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.

3. Click the (+) icon anywhere in the access policy to add a new action item.

A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.

Add a second password field to the logon page and supply the appropriate prompts for both password fields.

a) From the Type list in row 3, select password.

b) In the Post Variable Name field in row 3, type password1. The name password1 is an example.

c) In the Session Variable Name field in row 3, type password1.

The name password1 is an example. If you type password1, the name password1 becomes part of the session variable name, session.logon.last.password1. APM stores user input for the field in this session variable.

You now have two fields that accept passwords on this Logon Page. Next you must set the prompts that display for each password field. This access policy runs RSA SecurID authentication first and another type of authentication afterward.

d) In the Customization area in Logon Page Input Field #2, in place of the text Password, type RSA Token or the wording of your choice.

e) In Logon Page Input Field #3, type a prompt for the other type of authentication, for example, Password.

f) Click Save.

The properties screen closes and the visual policy editor is displayed.

6. Click the (+) icon anywhere in the access policy to add a new action item.

A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.

7. On the Authentication tab, select RSA SecurID and click Add Item. A properties popup screen opens.

8. From the AAA Server list in the properties popup screen, select the SecurID AAA server that you want to associate to the agent.

9. Set Max Logon Attempts to a value from 1 to 5.

Note: To use this access policy for Citrix Receiver client access, you must set Max Logon Attempts to 1.

10. Click Save.

The properties screen closes and the visual policy editor displays.

11. Add a Variable Assign action after the Logon Page action.

Authentication actions use the password in the session.logon.last.password session variable. When the access policy runs and reaches this point, the RSA token code is stored in that session variable. After you add the Variable Assign action, a Properties popup screen displays.

12. On the Properties screen, add an entry to replace the contents of the session.logon.last.password session variable with the password stored in the session.logon.last.password1 session variable:

a) Click Add new entry.

An empty entry appears in the Assignment table.

b) Click the change link in the new entry.

A popup screen opens.

c) From the left-side list, select Custom Variable (the default), and type session.logon.last.password.

d) From the right-side list, select Custom Expression (the default), and type expr { "[mcget -secure session.logon.last.password1]" }.

e) Click Finished.

The popup screen closes.

65 BIG-IP® Access Policy Manager®: Authentication and Single Sign-On

f) Click Save.

The properties screen closes and the visual policy editor is displayed.

This example adds an AD Auth access policy item as a second type of authentication. You can add an authentication access policy item other than AD Auth.

The session.logon.last.password session variable now contains the user-entered password.

13. On the fallback branch after the previous action, click the (+) icon to add an item to the access policy. A popup screen opens.

14. On the Authentication tab, select AD Auth. A properties screen displays.

15. From the Server list, select a server.

16. To support Citrix Receiver clients, you must set Max Logon Attempts to 1.

17. Click Save.

The properties screen closes and the visual policy editor displays.

18. Add another authentication action and any other actions you require.

19. Click Apply Access Policy to save your configuration.

This adds RSA SecurID AAA authentication to the access policy and a second type of authentication.
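The session-variable hand-off in this procedure, modelled as an added example (it is not F5 or APM code): every authentication action reads session.logon.last.password, so the position of the Variable Assign action decides which credential each AAA server receives. The function names, the sample credentials and the assumed action order (Logon Page, RSA SecurID, Variable Assign, AD Auth) are illustrative assumptions.

```python
# Added illustration: a toy model of APM session variables, not F5 code.
# All function names and sample values are hypothetical/constructed.
PASSWORD = "session.logon.last.password"

# Constructed logon-page input: field #2 holds the RSA token code,
# field #3 (post variable password1) holds the directory password.
FIELDS = {"username": "jdoe", "password": "492817", "password1": "Example-AD-pass"}
# Which logon field each authentication action is meant to verify.
EXPECTED = {"rsa_securid": "password", "ad_auth": "password1"}

def run_policy(actions, fields):
    """Walk the actions in order; return the value each auth action reads."""
    session, seen = {}, {}
    for action in actions:
        kind = action[0]
        if kind == "logon_page":
            # Each field is stored as session.logon.last.<name>.
            for name, value in fields.items():
                session[f"session.logon.last.{name}"] = value
        elif kind == "variable_assign":
            # Models: target = expr { "[mcget -secure source]" }
            _, target, source = action
            session[target] = session[source]
        else:
            # Authentication actions always read session.logon.last.password.
            seen[kind] = session.get(PASSWORD)
    return seen

def misrouted(actions, fields=FIELDS, expected=EXPECTED):
    """List the auth actions that would receive the wrong credential."""
    seen = run_policy(actions, fields)
    return [a for a, field in expected.items() if seen.get(a) != fields[field]]

ASSIGN = ("variable_assign", PASSWORD, PASSWORD + "1")
# Assumed intended order: RSA SecurID first, then the swap, then AD Auth.
INTENDED = [("logon_page",), ("rsa_securid",), ASSIGN, ("ad_auth",)]
NO_ASSIGN = [("logon_page",), ("rsa_securid",), ("ad_auth",)]
ASSIGN_TOO_EARLY = [("logon_page",), ASSIGN, ("rsa_securid",), ("ad_auth",)]

if __name__ == "__main__":
    for name, policy in [("intended order", INTENDED),
                         ("no Variable Assign", NO_ASSIGN),
                         ("Variable Assign before RSA", ASSIGN_TOO_EARLY)]:
        print(f"{name}: misrouted = {misrouted(policy)}")
```

In the model, omitting the Variable Assign hands the token code to AD Auth as if it were the directory password, and placing it before RSA SecurID hands the directory password to the SecurID server.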

Creating a virtual server

When creating a virtual server for an access policy, specify that the virtual server is a host virtual server, and not a network virtual server.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

2. Click the Create button.

The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.

5. In the Service Port field, type a port number or select a service name from the Service Port list.

6. From the HTTP Profile list, select http.

7. If you use server SSL for this connection, from the SSL Profile (Server) list, select a server SSL profile.

8. If you use client SSL for this profile, from the SSL Profile (Client) list, select a client SSL profile.

9. In the Access Policy area, from the Access Profile list, select the access profile.

10. From the Connectivity Profile list, select a connectivity profile.

You can select the default connectivity profile, connectivity, if you have not defined a specific profile for the traffic that is directed to this virtual server.

11. Click Finished.
