Applies To:

Show Versions Show Versions

Manual Chapter: Configuring AAA Servers in APM
Manual Chapter
Table of Contents   |   << Previous Chapter

About VMware View and APM authentication types

You can authenticate View Clients in Access Policy Manager (APM) using the types of authentication that View Clients support: Active Directory authentication (required) and RSA SecurID authentication (optional). APM supports these authentication types with AAA servers that you configure in APM.

For more information, refer to the BIG-IP Access Policy Manager: Authentication Configuration Guide at http://support.f5.com.

Task summary

You need at least one AAA Active Directory (AD) server object in Access Policy Manager (APM) to support AD authentication for VMware View. If you also want to collect RSA PINs, you need at least one AAA SecurID server object in APM.

Configuring an Active Directory AAA server

Configure an Active Directory AAA server in Access Policy Manager (APM) to specify domain controllers and credentials for APM to use for authenticating users.
  1. On the Main tab, click Access Policy > AAA Servers > Active Directory. The Active Directory Servers list screen opens.
  2. Click Create. The New Server properties screen opens.
  3. In the Name field, type a unique name for the authentication server.
  4. In the Domain Name field, type the name of the Windows Domain.
  5. For the Server Connection setting, select one of these options:
    • Select Use Pool to set up high availability for the AAA server.
    • Select Direct to set up the AAA server for standalone functionality.
  6. If you selected Direct, type a name in the Domain Controller field.
  7. If you selected Use Pool, configure the pool as described here:
    1. Type a name in the Domain Controller Pool Name field.
    2. Specify the Domain Controllers in the pool by typing the IP address and hostname for each and clicking the Add button.
    3. To monitor the health of the AAA server, you have the option to select a health monitor. Only the gateway_icmp monitor is appropriate in this case; you can select it from the Server Pool Monitor list.
  8. In the Admin Name field, type an administrator name that has Active Directory administrative permissions. APM uses the information in the Admin Name and Admin Password fields for AD Query. If Active Directory is configured for anonymous queries, you do not need to provide an Admin Name. Otherwise, APM needs an account with sufficient privilege to bind to an Active Directory server, fetch user group information, and fetch Active Directory password policies to support password-related functionality. (APM must fetch password policies, for example, if you select the Prompt user to change password before expiration option in an AD Query action.) If you do not provide Admin account information in this configuration, APM uses the user account to fetch information. This works if the user account has sufficient privilege.
    Note: The administrator name is case-sensitive.
  9. In the Admin Password field, type the administrator password associated with the Domain Name.
  10. From the Kerberos Preauthentication Encryption Type list, select an encryption type. The default is None. If you specify an encryption type, the BIG-IP system includes Kerberos preauthentication data within the first authentication service request (AS-REQ) packet.
  11. In the Timeout field, type a timeout interval (in seconds) for the AAA server. (This setting is optional.)
  12. Click Finished to add the new server to the configuration, and return to the main screen.
This adds the new Active Directory server to the AAA Server List.

Configuring a SecurID AAA server in APM

Configure a SecurID AAA server for Access Policy Manager to request RSA SecurID authentication from an RSA Manager authentication server.
  1. On the Main tab, click Access Policy > AAA Servers. The AAA Servers list screen opens.
  2. On the menu bar, click AAA Servers By Type, and select SecurID. The SecurID screen opens and displays the servers list.
  3. Click Create. The New Server properties screen opens.
  4. In the Name field, type a unique name for the authentication server.
  5. In the Configuration area, for the Agent Host IP Address (must match the IP address in SecurID Configuration File) setting, select an option as appropriate:
    • Select from Self IP List: Choose this when there is no NAT device between APM and the RSA Authentication Manager. Select an IP from the list of those configured in Access Policy Manager.
    • Other: Choose this when there is a NAT device in the network path between Access Policy Manager and the RSA Authentication Manager server. If selected, type the address as translated by the NAT device.
  6. For the SecurID Configuration File setting, browse to upload the sdconf.rec file. Consult your RSA Authentication Manager administrator to generate this file for you.
  7. Click Finished to add the new server to the configuration, and return to the main screen.
This adds a new RSA SecurID server to the AAA Servers list.
Table of Contents   |   << Previous Chapter

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)