Manual Chapter: Configuring AAA Servers in APM

About VMware View and APM authentication types

You can authenticate View Clients in Access Policy Manager (APM) using the types of authentication that View Clients support: Active Directory authentication (required) and RSA SecurID authentication (optional). APM supports these authentication types with AAA servers that you configure in APM.

For more information, refer to the BIG-IP Access Policy Manager: Authentication Configuration Guide at http://support.f5.com.

Task summary

You need at least one AAA Active Directory server object in APM to support AD authentication for VMware View. If you also want to collect RSA PINs, you need at least one AAA SecurID server object in APM.

Configuring an Active Directory AAA server

You configure an Active Directory AAA server in Access Policy Manager (APM) to specify domain controllers and credentials for APM to use for authenticating users.
  1. On the Main tab, click Access Policy > AAA Servers > Active Directory. The Active Directory Servers list screen opens.
  2. Click Create. The New Server properties screen opens.
  3. In the Name field, type a unique name for the authentication server.
  4. In the Domain Name field, type the name of the Windows domain.
  5. For the Server Connection setting, select one of these options:
    • Select Use Pool to set up high availability for the AAA server.
    • Select Direct to set up the AAA server for standalone functionality.
  6. If you selected Direct, type a name in the Domain Controller field.
  7. If you selected Use Pool, configure the pool:
    1. Type a name in the Domain Controller Pool Name field.
    2. Specify the Domain Controllers in the pool by typing the IP address and host name for each, and clicking the Add button.
    3. To monitor the health of the AAA server, you can optionally select a health monitor from the Server Pool Monitor list. Only the gateway_icmp monitor is appropriate in this case.
  8. In the Admin Name field, type a case-sensitive name for an administrator who has Active Directory administrative permissions. APM uses the information in the Admin Name and Admin Password fields for AD Query. If Active Directory is configured for anonymous queries, you do not need to provide an Admin Name. Otherwise, APM needs an account with sufficient privilege to bind to an Active Directory server, fetch user group information, and fetch Active Directory password policies to support password-related functionality. (APM must fetch password policies, for example, if you select the Prompt user to change password before expiration option in an AD Query action.) If you do not provide Admin account information in this configuration, APM uses the user account to fetch information. This works if the user account has sufficient privilege.
  9. In the Admin Password field, type the administrator password associated with the Domain Name.
  10. In the Verify Admin Password field, retype the administrator password associated with the Domain Name setting.
  11. In the Group Cache Lifetime field, type the number of days. The default lifetime is 30 days.
  12. In the Password Security Object Cache Lifetime field, type the number of days. The default lifetime is 30 days.
  13. From the Kerberos Preauthentication Encryption Type list, select an encryption type. The default is None. If you specify an encryption type, the BIG-IP system includes Kerberos preauthentication data within the first authentication service request (AS-REQ) packet.
  14. In the Timeout field, type a timeout interval (in seconds) for the AAA server. (This setting is optional.)
  15. Click Finished. The new server displays on the list.
This adds the new Active Directory server to the Active Directory Servers list.

Configuring a SecurID AAA server in APM

Configure a SecurID AAA server for Access Policy Manager (APM) to request RSA SecurID authentication from an RSA Manager authentication server.
  1. On the Main tab, click Access Policy > AAA Servers. The AAA Servers list screen opens.
  2. On the menu bar, click AAA Servers By Type, and select SecurID. The SecurID screen opens and displays the servers list.
  3. Click Create. The New Server properties screen opens.
  4. In the Name field, type a unique name for the authentication server.
  5. In the Configuration area, for the Agent Host IP Address (must match the IP address in SecurID Configuration File) setting, select an option as appropriate:
    • Select from Self IP List: Choose this when there is no NAT device between APM and the RSA Authentication Manager. Select an IP from the list of those configured on the BIG-IP system (in the Network area of the Configuration utility).
    • Other: Choose this when there is a NAT device in the network path between Access Policy Manager and the RSA Authentication Manager server. If selected, type the address as translated by the NAT device.
  6. For the SecurID Configuration File setting, browse to upload the sdconf.rec file. Consult your RSA Authentication Manager administrator to generate this file for you.
  7. Click Finished. The new server displays on the list.
This adds a new RSA SecurID server to the AAA Servers list.