
Manual Chapter: BIG-IP® Local Traffic Manager version 9.4 Implementations Guide: 24 - Configuring Remote Authentication for Application Traffic


24

Configuring Remote Authentication for Application Traffic


Introducing remote authentication for application traffic

As an administrator in a large computing environment, you might prefer to store your site's user accounts remotely, on a dedicated authentication server. Fortunately, you can set up the BIG-IP® system to use this server to authenticate any network traffic passing through the BIG-IP system. Remote authentication servers typically use these protocols:

  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-in User Service (RADIUS)
  • TACACS+ (derived from Terminal Access Controller Access Control System (TACACS))
  • Online Certificate Status Protocol (OCSP)
  • Certificate Revocation List Distribution Point (CRLDP)

Using a remote authentication server, the BIG-IP system can authenticate two types of network traffic:

  • Application traffic that is slated for load balancing
    This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. For more information, see the remainder of this chapter, and the Configuration Guide for BIG-IP® Local Traffic Management.
  • Management traffic for administering the BIG-IP system
    This type of traffic does not pass through a virtual server, and instead passes through the management interface (MGMT). You configure remote authentication for this type of traffic when you create your administrative user accounts. Administrative user accounts are accounts that you create for the system and network administrators who manage the BIG-IP system. For more information, see Chapter 23, Configuring Remote Authentication for Management Traffic in this guide, and the BIG-IP® Network and System Management Guide.

When you want to use a remote server to authenticate application traffic passing through the BIG-IP system, you can use one of these server types:

  • An LDAP or Active Directory server
  • A RADIUS server
  • A TACACS+ server
  • An SSL OCSP responder
  • A CRLDP server

To configure remote user authentication for application traffic, you must create both a configuration object and an authentication profile. Each authentication server type requires a different configuration object and profile. For example, to configure the BIG-IP system to use an LDAP authentication server, you must create an LDAP configuration object and a custom LDAP profile.

When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.

Configuring authentication that uses a remote LDAP or Active Directory server

You can configure the BIG-IP system to use an LDAP or Active Directory server for authenticating traffic that passes through the TMM interfaces of the BIG-IP system. By default, clients present their credentials using basic HTTP authentication (that is, a user name and password). Note that basic authentication only base64-encodes the credentials rather than encrypting them, so a virtual server that uses this profile should terminate SSL for the client connection. You can also protect the connection between the BIG-IP system and the remote LDAP or Active Directory server with SSL, which is based on SSL keys and certificates; see the SSL settings described under Creating an LDAP configuration object.

To configure LDAP or Active Directory authentication for application traffic, you complete these tasks:

  • Create an LDAP-type configuration object
  • Create an LDAP-type authentication profile
  • Modify a virtual server that is configured to manage HTTP traffic

Creating an LDAP configuration object

The first task in configuring LDAP-based or Active Directory-based remote authentication on the BIG-IP system is to create a custom LDAP configuration object, using the Configuration utility. An LDAP configuration object specifies information that the BIG-IP system needs to perform the remote authentication. For example, the configuration object specifies the remote LDAP tree that the system uses as the source location for the authentication data.

If the remote LDAP or Active Directory server accepts connections over SSL, there is an additional feature that you can enable: you can configure the BIG-IP system to protect its own connection to that server with SSL, performing the SSL handshake with the remote server as the SSL client. In this case, there are some preliminary tasks you must perform to prepare for remote authentication using SSL.

To prepare for SSL-based remote authentication

  1. Convert the Certificate Authority (CA) or self-signed certificates to PEM format.
  2. On the BIG-IP system, import the certificates, using the Configuration utility.
    You can store the certificates in any location on the BIG-IP system. For information on importing certificates, see the Configuration Guide for BIG-IP® Local Traffic Management.

Once you have performed these preliminary SSL tasks, you can enable SSL-based remote server authentication. You do this as part of creating the LDAP configuration object, which includes these Advanced settings:

  • SSL CA Certificate
    This represents the name of the CA certificate that issued the remote authentication server's certificate (or that server's self-signed certificate). The BIG-IP system uses it to verify the remote server during the SSL handshake.
  • SSL Client Key
    This represents the name of the SSL key that the BIG-IP system, acting as the SSL client, uses when it presents a client certificate to the remote server. This key specification is only necessary when the remote server requires a client certificate.
  • SSL Client Certificate
    This represents the name of the SSL certificate that the BIG-IP system, acting as the SSL client, presents to the remote server. This certificate specification is only necessary when the remote server requires a client certificate.
Important

When specifying key and certificate files while creating an LDAP configuration object, be sure to specify the full path name (directory and file name) of the storage location on the BIG-IP system. For example, if the certificate is stored in the directory /config/bigconfig/ssl.crt, the value you type must begin with /config/bigconfig/ssl.crt/ followed by the certificate file name.

After you create the custom LDAP configuration object, you create a custom LDAP profile, and then assign the custom profile to an HTTP virtual server.

To create a custom LDAP configuration object

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. From the Authentication menu, choose Configurations.
    The Authentication Configurations screen opens.
  3. On the upper-right corner of the screen, click Create.
    The New Authentication Configuration screen opens.
    Note: If the Create button is unavailable, your user role does not grant you permission to create an LDAP configuration object.
  4. In the Name box, type a unique name for the configuration object, such as my_ldap_config.
  5. From the Type list, select LDAP.
    This displays the configuration object settings that you can configure.
  6. For the Configuration area, select Basic or Advanced.
    Selecting Advanced causes additional settings to appear on the screen.
  7. In the Remote LDAP Tree box, type the distinguished name of the subtree on the LDAP or Active Directory server under which the system searches for user accounts (the search base), for example dc=example,dc=com.
    At a minimum, you must specify a domain component (that is, dc=<value>).
  8. For the Hosts setting:
    1. Type the IP address of the remote LDAP or Active Directory server.
    2. Click Add.
      The IP address appears in the text window.
  9. Retain or change the Service Port value.
  10. Retain or change the LDAP Version value.
  11. If you selected a basic configuration in step 6, click Finished. If you selected an advanced configuration in step 6, configure the remaining settings and click Finished.
    For descriptions of all advanced settings, see the online help or the Configuration Guide for BIG-IP® Local Traffic Management.
Note

For information about enabling SSL authentication, see the beginning of this section, Creating an LDAP configuration object.
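The settings above (the client's basic HTTP credentials, the Remote LDAP Tree used as the search base, and the attribute that identifies a user) fit together as follows. The code is an added illustration written for this page; it is not BIG-IP code and does not describe the system's internal implementation. The base DN dc=example,dc=com, the uid attribute, the user names and the toy directory are all constructed for the demo. It also shows the escaping a user-supplied name needs before it is placed in an LDAP search filter (RFC 4515): without it, a name such as *)(uid=* changes the meaning of the filter.

```python
"""Basic credentials -> LDAP user search -> bind, as an added example.
Not BIG-IP code.  Directory contents, DNs and users are constructed."""
import base64

# Constructed stand-ins for the Remote LDAP Tree and user key settings.
REMOTE_LDAP_TREE = "dc=example,dc=com"
USER_KEY = "uid"

# RFC 4515: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_basic_credentials(authorization_header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or
    None if it is malformed.  The password may contain ':' (RFC 7617), so
    split only on the first colon."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:            # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return (user, password) if user else None


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(user, base_dn=REMOTE_LDAP_TREE, user_key=USER_KEY):
    """Return (search base, filter) locating the user's entry by the
    configured user attribute under the Remote LDAP Tree."""
    return base_dn, "(%s=%s)" % (user_key, escape_filter_value(user))


# Constructed toy directory standing in for the remote server: DN -> attributes.
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
}


def fake_search(base_dn, ldap_filter):
    """Toy evaluator for the single-equality filters build_user_search emits.
    Like a real server, it un-escapes the value and compares it literally."""
    attr, _, raw = ldap_filter[1:-1].partition("=")
    unescape = {v: k for k, v in _FILTER_ESCAPES.items()}
    value, i = "", 0
    while i < len(raw):
        if raw[i] == "\\" and raw[i:i + 3] in unescape:
            value, i = value + unescape[raw[i:i + 3]], i + 3
        else:
            value, i = value + raw[i], i + 1
    return [dn for dn, attrs in FAKE_DIRECTORY.items()
            if dn.endswith(base_dn) and attrs.get(attr) == value]


def authenticate(authorization_header):
    """Parse the credentials, require exactly one matching entry, then check
    the password (the 'bind').  Returns the user's DN, or None on failure."""
    creds = parse_basic_credentials(authorization_header)
    if creds is None:
        return None
    user, password = creds
    matches = fake_search(*build_user_search(user))
    if len(matches) != 1:         # no match or ambiguous match both fail
        return None
    dn = matches[0]
    return dn if FAKE_DIRECTORY[dn]["userPassword"] == password else None


if __name__ == "__main__":
    good = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    evil = "Basic " + base64.b64encode(b"*)(uid=*:x").decode()
    print(build_user_search("*)(uid=*")[1])   # (uid=\2a\29\28uid=\2a)
    print(authenticate(good), authenticate(evil))
```

The toy directory replaces the network call to the remote server; everything else (header parsing, filter construction, the single-match requirement) is what any LDAP-backed authenticator has to get right.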

Creating an LDAP authentication profile

The next task in configuring LDAP-based or Active Directory-based remote authentication on the BIG-IP system is to create a custom LDAP profile. An LDAP profile specifies information such as the LDAP authentication mode (Enabled or Disabled), and the name of the LDAP configuration object you previously created.

After you create the custom LDAP profile, you assign the custom profile and a default iRule to a virtual server.

To create a custom LDAP profile

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. From the Authentication menu, choose Profiles.
    The Authentication Profiles screen opens.
  3. On the upper-right corner of the screen, click Create.
    The New Authentication Profile screen opens.
    Note: If the Create button is unavailable, your user role does not grant you permission to create an LDAP profile.
  4. In the Name box, type a unique name for the profile, such as my_ldap_profile.
  5. From the Type list, select LDAP.
    This displays the profile settings that you can configure.
  6. From the Parent Profile list, verify that ldap is selected.
    This causes the new profile to inherit its default configuration values from the default profile, named ldap.
  7. From the Configuration list, select the name of the LDAP configuration object that you previously created.
  8. For all remaining settings, retain the default values.
  9. Click Finished.

Modifying a virtual server for LDAP authentication

The final task in the process of implementing authentication using a remote LDAP server is to assign the custom LDAP profile and a default LDAP authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).

Note

The virtual server to which you assign the profiles and the iRule must be a Standard type of virtual server.

To modify a virtual server for LDAP authentication

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a Standard-type virtual server to which an HTTP profile is assigned.
    This displays the properties of that virtual server.
  3. From the Configuration list, select Advanced.
    This displays additional properties.
  4. From the Authentication Profiles list, from the Available box select the name of the custom LDAP profile that you previously created, and click the Move button (<<).
    This moves the profile name to the Enabled box.
    Note: If the Authentication Profiles list is unavailable for modification, your user role does not grant you permission to modify a virtual server.
  5. Click Update.

Configuring authentication that uses a remote RADIUS server

A RADIUS authentication module is a mechanism for authenticating client connections passing through a BIG-IP system. You use this module when your authentication data is stored on a remote RADIUS server. In this case, client credentials are based on basic HTTP authentication (that is, user name and password).

To implement a RADIUS authentication module, you must configure the BIG-IP system to access data on a remote RADIUS server. To do this, you complete these tasks:

  • Create one or more RADIUS server objects
  • Create a RADIUS configuration object
  • Create a RADIUS profile
  • Modify a virtual server to assign the RADIUS profile to it

Creating a RADIUS server object

The first task in configuring RADIUS-based remote authentication on the BIG-IP system is to create a custom RADIUS server object. After you create the custom RADIUS server object, you create a custom RADIUS configuration object and a custom RADIUS profile, and then assign the custom profile and a default iRule to an HTTP virtual server.

To create a RADIUS server object

  1. On the Main tab, expand Local Traffic.
  2. Click Profiles.
    The Profiles screen opens.
  3. From the Authentication menu, choose RADIUS Servers.
    This displays the RADIUS Server List screen.
  4. In the upper right corner of the screen, click Create.
    Note: If the Create button is unavailable, your user role does not grant you permission to create a RADIUS server object.
  5. For the Name setting, type a unique name for the RADIUS server object, such as my_radius_server.
  6. For the Server setting, type a host name or IP address for the remote RADIUS server.
  7. For the Secret and Confirm Secret settings, type the RADIUS shared secret, that is, the secret configured on the RADIUS server for the BIG-IP system as a client.
  8. Retain the default Timeout value.
  9. Click Finished.

Creating a RADIUS configuration object

The next task in configuring RADIUS-based remote authentication on the BIG-IP system is to create a custom RADIUS configuration object. A RADIUS configuration object specifies information that the BIG-IP system needs to perform the remote authentication.

After you create the custom RADIUS configuration object, you create a custom RADIUS profile, and then assign the custom profile and a default iRule to an HTTP virtual server.

To create a RADIUS configuration object

  1. On the Main tab, expand Local Traffic, and click Profiles.
    The Profiles screen opens.
  2. From the Authentication menu, choose Configurations.
  3. In the upper right corner of the screen, click Create.
    This displays the New Configuration screen.
    Note: If the Create button is unavailable, your user role does not grant you permission to create a RADIUS configuration object.
  4. For the Name setting, specify a unique name for the configuration object, such as my_radius_config.
  5. For the Type setting, select RADIUS.
    The screen expands to show several settings.
  6. From the Configuration list, select Basic or Advanced.
    Selecting Advanced causes additional settings to appear on the screen.
  7. For the RADIUS Servers setting, from the Available box select the RADIUS server object you created and click the Move button (<<).
    This moves the server name to the Selected box.
  8. In the Client ID box, type a NAS-Identifier string.
    Required for RADIUS authentication, the NAS-Identifier string appears in Access-Request packets and identifies the NAS (here, the BIG-IP system) that originates the packet. An example of a NAS-Identifier string is a fully-qualified domain name (FQDN).
  9. If you selected a basic configuration in step 6, click Finished. If you selected an advanced configuration in step 6, configure the remaining settings and click Finished.
    For descriptions of all advanced settings, see the online help or the Configuration Guide for BIG-IP® Local Traffic Management.
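What the RADIUS server object's shared secret and the configuration object's Client ID become on the wire, as an added example written for this page (not BIG-IP code): an Access-Request carrying User-Name, a User-Password hidden with the shared secret (RFC 2865 section 5.2) and the NAS-Identifier attribute, together with the Response Authenticator check (RFC 2865 section 3) that lets the client confirm a reply came from a holder of the shared secret. The secret, user, password and identifier are constructed. Two points the procedure does not show: the shared secret is the only protection the password has in transit, and a captured exchange lets an attacker test guesses of the secret offline against the Response Authenticator, so the secret must be long and random; and the Request Authenticator must be unpredictable, since it seeds the password hiding and binds the reply to the request.

```python
"""RADIUS Access-Request and reply verification (RFC 2865), added example.
Not BIG-IP code.  Secret, user, password and NAS-Identifier are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR block i with
    MD5(secret + c_{i-1}), where c_0 is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, user, password, nas_identifier,
                         request_authenticator=None):
    """Return (packet, request_authenticator).  The authenticator is drawn
    from os.urandom unless a caller (such as a test) supplies a fixed one."""
    ra = request_authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(ATTR_NAS_IDENTIFIER, nas_identifier))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + ra + attrs, ra


def parse_attributes(packet):
    """Return {type: value} for the attribute section (one value per type is
    all this example emits).  Rejects lengths that overrun the packet."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code, request_packet, secret, attrs=b""):
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request_packet[1], HEADER_LEN + len(attrs))
    request_auth = request_packet[4:HEADER_LEN]
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(response, request_packet, secret):
    """Client side: recompute the reply from our secret and our outstanding
    request; a forgery, a tampered reply or a reply to another request differs."""
    if len(response) < HEADER_LEN:
        return False
    return response == build_response(response[0], request_packet, secret, response[HEADER_LEN:])


if __name__ == "__main__":
    secret = b"demo-shared-secret"       # constructed; deploy a long random one
    pkt, ra = build_access_request(1, secret, b"alice", b"s3cret", b"bigip.example.com")
    reply = build_response(ACCESS_ACCEPT, pkt, secret)
    print(reveal_password(parse_attributes(pkt)[ATTR_USER_PASSWORD], secret, ra))  # b's3cret'
    print(response_is_authentic(reply, pkt, secret), response_is_authentic(reply, pkt, b"wrong"))
```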

Creating a RADIUS profile

The next task in configuring RADIUS-based remote authentication on the BIG-IP system is to create a custom RADIUS profile. A RADIUS profile specifies information such as the RADIUS authentication mode (Enabled or Disabled), and the name of the RADIUS configuration object you previously created.

After you create the profile, you assign the custom profile and a default iRule to an HTTP virtual server.

To create a custom RADIUS profile

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. From the Authentication menu, choose Profiles.
    The Authentication Profiles screen opens.
  3. On the upper-right corner of the screen, click Create.
    The New Authentication Profile screen opens.
    Note: If the Create button is unavailable, your user role does not grant you permission to create a RADIUS profile.
  4. From the Type list, select RADIUS.
    This displays the profile settings that you can configure.
  5. In the Name box, type a unique name for the profile, such as my_radius_profile.
  6. From the Parent Profile list, verify that radius is selected.
    This causes the new profile to inherit configuration values from the default profile, named radius.
  7. From the Configuration list, select the name of the RADIUS configuration object that you previously created.
  8. For all remaining settings, retain the default values.
  9. Click Finished.

Modifying a virtual server for RADIUS authentication

The final task in the process of implementing authentication using a remote RADIUS server is to assign the custom RADIUS profile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).

Note

The virtual server to which you assign an authentication profile must be a Standard type of virtual server.

To modify a virtual server for RADIUS authentication

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a virtual server.
    This displays the properties of that virtual server.
  3. From the Configuration list, select Advanced.
    This displays additional properties.
  4. From the Authentication Profiles list, from the Available box select the name of the custom RADIUS profile that you previously created, and click the Move button (<<).
    This moves the profile name to the Enabled box.
    Note: If the Authentication Profiles list is unavailable for modification, your user role does not grant you permission to modify a virtual server.
  5. Click Update.

Configuring authentication that uses a remote TACACS+ server

You can configure the BIG-IP system to use a TACACS+ server for authenticating traffic that passes through the TMM interfaces of the BIG-IP system. In this case, client credentials are based on basic HTTP authentication (that is, user name and password).

To configure TACACS+ authentication for application traffic, you complete these tasks:

  • Create a TACACS+-type configuration object
  • Create a TACACS+-type authentication profile
  • Modify a virtual server configured to manage HTTP traffic

Creating a TACACS+ configuration object

The first task in configuring TACACS+ remote authentication on the BIG-IP system is to create a custom TACACS+ configuration object. A TACACS+ configuration object specifies information that the BIG-IP system needs to perform the remote authentication. For example, the configuration object specifies the IP address of the remote TACACS+ server.

To create a custom TACACS+ configuration object

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. From the Authentication menu, choose Configurations.
    The Authentication Configurations screen opens.
  3. On the upper-right corner of the screen, click Create.
    The New Authentication Configuration screen opens.
  4. From the Type list, select TACACS+.
    This displays the configuration object settings that you can configure.
  5. In the Name box, type a unique name for the configuration object, such as my_tacacs_config.
  6. For the Configuration area, select Basic or Advanced.
    Selecting Advanced causes additional settings to appear on the screen.
  7. In the Servers box, type the IP address of the remote TACACS+ server and click Add.
    The IP address appears in the text box.
  8. In the Secret box, type the TACACS+ shared secret, that is, the key that is used to obfuscate and recover the body of every packet exchanged with the server. It must match the key configured on the TACACS+ server for the BIG-IP system.
  9. In the Confirm Secret box, re-type the secret you typed in the Secret box.
  10. If you selected a basic configuration in step 6, click Finished. If you selected an advanced configuration in step 6, configure the remaining settings and click Finished.
    For descriptions of all advanced settings, see the online help or the Configuration Guide for BIG-IP® Local Traffic Management.
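The Secret setting above is used to obfuscate the body of every TACACS+ packet exchanged with the server. This added example, written for this page and not BIG-IP code, builds and parses a TACACS+ authentication START packet following RFC 8907 (sections 4.1, 4.5 and 5.1); the user, port, remote address and key are constructed. It also shows the two checks a receiver should make: refuse a packet whose header flag marks the body as unencrypted, and reject a body whose internal length fields are inconsistent, which is what decoding with the wrong key produces. RFC 8907 itself characterises this MD5-based pseudo-pad as obfuscation rather than strong encryption, so the path to the TACACS+ server should be a trusted network or a protected tunnel.

```python
"""TACACS+ authentication START packet (RFC 8907), added example.
Not BIG-IP code.  User, port, address, key and session id are constructed."""
import hashlib
import os
import struct

TAC_PLUS_VERSION_PAP = 0xC1       # major version 0xC, minor version 1 (PAP/CHAP)
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in the clear; never accept it
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no) and
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and
    truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad.  XOR is its own inverse, so the
    receiver calls the same function to recover the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, port, rem_addr, key, session_id=None):
    """Return a complete START packet (seq_no 1) carrying a PAP-style user
    name and password.  The session id must be unpredictable."""
    for name, field in (("user", user), ("port", port), ("rem_addr", rem_addr), ("data", password)):
        if len(field) > 255:
            raise ValueError("%s exceeds 255 bytes" % name)
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER,
                       TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION_PAP, TAC_PLUS_AUTHEN, 1, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION_PAP, 1)


def parse_authen_start(packet, key):
    """Server side: validate the header, refuse cleartext bodies, recover the
    body with the shared key and require consistent length fields."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("unencrypted body refused")
    if length != len(packet) - HEADER_LEN:
        raise ValueError("length field does not match packet")
    body = obfuscate(packet[HEADER_LEN:], session_id, key, version, seq_no)
    if len(body) < 8:
        raise ValueError("short body")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths inconsistent with body (wrong key?)")
    fields, pos = {}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[pos:pos + n]
        pos += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


if __name__ == "__main__":
    key = b"demo-shared-key"    # constructed; deploy a long random one
    pkt = build_authen_start(b"alice", b"s3cret", b"tty0", b"192.0.2.10", key)
    print(parse_authen_start(pkt, key)["user"])   # b'alice'
```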

Once you have created the TACACS+ configuration object, you must create a custom TACACS+ profile and modify an HTTP virtual server.

Creating a TACACS+ profile

The next task in configuring TACACS+-based remote authentication on the BIG-IP system is to create a custom TACACS+ profile. After you create the profile, you assign the custom profile, the default http profile, and a default iRule to a virtual server.

To create a custom TACACS+ profile

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. From the Authentication menu, choose Profiles.
    The Authentication Profiles screen opens.
  3. On the upper-right corner of the screen, click Create.
    The New Authentication Profile screen opens.
  4. From the Type list, select TACACS+.
    This displays the profile settings that you can configure.
  5. In the Name box, type a unique name for the profile, such as my_tacacs_profile.
  6. From the Parent Profile list, verify that tacacs is selected.
    This causes the new profile to inherit its default configuration values from the default profile, named tacacs.
  7. From the Configuration list, select the name of the TACACS+ configuration object that you previously created.
  8. For all remaining settings, retain the default values.
  9. Click Finished.

Modifying a virtual server for TACACS+ authentication

The final task in the process of implementing authentication using a remote TACACS+ server is to assign the custom TACACS+ profile and an existing default authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).

Note

The virtual server to which you assign an authentication profile and iRule must be a Standard type of virtual server.

To modify a virtual server for TACACS+ authentication

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a virtual server.
    This displays the properties of that virtual server.
  3. From the Configuration list, select Advanced.
    This displays additional properties.
  4. From the Authentication Profiles list, from the Available box select the name of the custom TACACS+ profile that you previously created, and click the Move button (<<).
    This moves the profile name to the Enabled box.
  5. Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
  6. Click Update.

Configuring SSL-based authorization using a remote LDAP server

With the SSL Client Certificate LDAP authentication module, you can use a remote LDAP server to impose access control on application traffic. The module bases this access control on SSL certificates and roles that you specify.

To configure SSL Client Certificate LDAP authorization for application traffic, you complete these tasks:

  • Create an SSL Client Certificate LDAP-type configuration object
  • Create an SSL Client Certificate LDAP-type authentication profile
  • Modify a virtual server that is configured to manage HTTP traffic

Creating an SSL Client Certificate LDAP configuration object

The first task in configuring SSL Client Certificate LDAP-based remote authentication on the BIG-IP system is to create a custom SSL Client Certificate LDAP configuration object, using the Configuration utility. An SSL Client Certificate LDAP configuration object specifies information that the BIG-IP system needs to perform the remote authentication.

After you create the custom SSL Client Certificate LDAP configuration object, you create a custom SSL Client Certificate LDAP profile, and then assign the custom profile to an SSL virtual server.

To create a custom SSL Client Certificate LDAP configuration object

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. From the Authentication menu, choose Configurations.
    The Authentication Configurations screen opens.
  3. On the upper-right corner of the screen, click Create.
    The New Authentication Configuration screen opens.
  4. In the Name box, type a unique name for the configuration object, such as my_ssl_client_cert_ldap_config.
  5. From the Type list, select SSL Client Certificate LDAP.
    This displays the configuration object settings that you can configure.
  6. For the Configuration area, select Basic or Advanced.
    Selecting Advanced causes additional settings to appear on the screen.
  7. For the Hosts setting:
    1. Type the IP address of the remote LDAP server.
    2. Click Add.
      The IP address appears in the text window.
  8. From the Search Type list, select User, Certificate Map, or Certificate.
    For descriptions of these values, see the online help or the Configuration Guide for BIG-IP® Local Traffic Management.
  9. In the User Base DN box, type the search base for the sub tree that the LDAP server uses to perform a User or Certificate search type.
  10. In the User Key box, type the attribute that the LDAP server uses to designate a user ID.
  11. If you selected a basic configuration in step 6, click Finished. If you selected an advanced configuration in step 6, configure the remaining settings and click Finished.
    For descriptions of all advanced settings, see the online help or the Configuration Guide for BIG-IP® Local Traffic Management.

Creating an SSL Client Certificate LDAP authentication profile

The next task in configuring SSL Client Certificate LDAP-based remote authorization on the BIG-IP system is to create a custom SSL Client Certificate LDAP profile. An SSL Client Certificate LDAP profile specifies information such as the name of the SSL Client Certificate LDAP configuration object you previously created.

After you create the custom SSL Client Certificate LDAP profile, you assign the custom profile and a default iRule to a virtual server.

To create a custom SSL Client Certificate LDAP profile

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. From the Authentication menu, choose Profiles.
    The Authentication Profiles screen opens.
  3. On the upper-right corner of the screen, click Create.
    The New Authentication Profile screen opens.
  4. In the Name box, type a unique name for the profile, such as my_ssl_client_cert_ldap_profile.
  5. From the Type list, select SSL Client Certificate LDAP.
    This displays the profile settings that you can configure.
  6. From the Parent Profile list, verify that ssl_cc_ldap is selected.
    This causes the new profile to inherit its default configuration values from the default profile, named ssl_cc_ldap.
  7. From the Configuration list, select the name of the LDAP configuration object that you previously created.
  8. For all remaining settings, retain the default values.
  9. Click Finished.

Modifying a virtual server for SSL Client Certificate LDAP authorization

The final task in the process of implementing authorization using a remote LDAP server is to assign the custom SSL Client Certificate LDAP profile and a default LDAP authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).

Note

The virtual server to which you assign the profiles and the iRule must be a Standard type of virtual server.

To modify a virtual server for SSL Client Certificate LDAP authorization

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a Standard-type virtual server to which an HTTP profile is assigned.
    This displays the properties of that virtual server.
  3. From the Configuration list, select Advanced.
    This displays additional properties.
  4. From the Authentication Profiles list, from the Available box select the name of the custom SSL Client Certificate LDAP profile that you previously created, and click the Move button (<<).
    This moves the profile name to the Enabled box.
  5. Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
  6. Click Update.

Configuring SSL certificate revocation using an OCSP responder

An SSL OCSP authentication module is a mechanism for authenticating client connections passing through a BIG-IP system. More specifically, an SSL OCSP authentication module checks the revocation status of a client's SSL certificate with an external OCSP responder, as part of authenticating that certificate.

To implement an OCSP authentication module, you complete these tasks:

  • Create one or more SSL OCSP responder objects
  • Create an SSL OCSP configuration object
  • Create an SSL OCSP profile
  • Modify a virtual server to assign the SSL OCSP profile to it

Creating an SSL OCSP responder object

The first task in configuring SSL OCSP-based remote authentication on the BIG-IP system is to create a custom SSL OCSP responder object. An SSL OCSP responder object is an object that you create that includes a URL for an external SSL OCSP responder. You must create a separate SSL OCSP responder object for each external SSL OCSP responder.

After you create the custom SSL OCSP responder object, you create a custom SSL OCSP configuration object and a custom SSL OCSP profile, and then assign the custom profile and a default iRule to an HTTP virtual server.

To create an SSL OCSP responder object

  1. On the Main tab, expand Local Traffic.
  2. Click Profiles.
    The Profiles screen opens.
  3. From the Authentication menu, choose OCSP Responders.
    This displays the OCSP Responders list screen.
  4. In the upper right corner of the screen, click Create.
  5. For the Name setting, type a unique name for the OCSP responder object, such as my_ocsp_responder.
  6. Type the URL of the external OCSP responder, and retain or change the remaining configuration values.
  7. Click Finished.

Creating an SSL OCSP configuration object

The next task in configuring SSL OCSP-based remote authentication on the BIG-IP system is to create a custom SSL OCSP configuration object. An SSL OCSP configuration object specifies information that the BIG-IP system needs to perform the remote authentication.

After you create the custom SSL OCSP configuration object, you create a custom SSL OCSP profile, and then assign the custom profile and a default iRule to an HTTP virtual server.

To create an SSL OCSP configuration object

  1. On the Main tab, expand Local Traffic, and click Profiles.
    The Profiles screen opens.
  2. From the Authentication menu, choose Configurations.
  3. In the upper right corner of the screen, click Create.
    This displays the New Configuration screen.
  4. For the Name setting, specify a unique name for the configuration object, such as my_ocsp_config.
  5. For the Type setting, select SSL OCSP.
  6. For the Responders setting, from the Available box select the name of an OCSP responder object and click the Move button (<<).
    This moves the name to the Selected box.
  7. Repeat the previous step for each responder object.
  8. Click Finished.

Creating an SSL OCSP profile

The next task in configuring SSL OCSP-based remote authentication on the BIG-IP system is to create a custom SSL OCSP profile. An SSL OCSP profile specifies information such as the name of the SSL OCSP configuration object you previously created.

After you create the profile, you assign the custom profile and a default iRule to an HTTP virtual server.

To create a custom SSL OCSP profile

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. From the Authentication menu, choose Profiles.
    The Authentication Profiles screen opens.
  3. On the upper-right corner of the screen, click Create.
    The New Authentication Profile screen opens.
  4. From the Type list, select SSL OCSP.
    This displays the profile settings that you can configure.
  5. In the Name box, type a unique name for the profile, such as my_ssl_ocsp_profile.
  6. From the Parent Profile list, verify that ssl_ocsp is selected.
    This causes the new profile to inherit configuration values from the default profile, named ssl_ocsp.
  7. From the Configuration list, select the name of the SSL OCSP configuration object that you previously created.
  8. For all remaining settings, retain the default values.
  9. Click Finished.

Modifying a virtual server for SSL OCSP authentication

The final task in the process of implementing SSL OCSP authentication is to assign the custom SSL OCSP profile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).

Note

The virtual server to which you assign an authentication profile must be a Standard type of virtual server.

To modify a virtual server for SSL OCSP authentication

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a virtual server.
    This displays the properties of that virtual server.
  3. From the Configuration list, select Advanced.
    This displays additional properties.
  4. From the Authentication Profiles list, from the Available box select the name of the custom SSL OCSP profile that you previously created, and click the Move button (<<).
    This moves the profile name to the Enabled box.
    Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
  5. Click Update.

Configuring a CRLDP authentication module

A Certificate Revocation List Distribution Point (CRLDP) authentication module is a mechanism for authenticating client connections passing through an LTM system. More specifically, a CRLDP authentication module checks the revocation status of an SSL certificate, as part of authenticating that certificate.
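The revocation check described above can be reproduced outside the BIG-IP system with the openssl command-line tool. The following script is an added example, not part of the F5 manual and not BIG-IP code: it builds a throwaway CA, issues a client certificate that carries a constructed CRL Distribution Point URL, publishes a CRL, and verifies the certificate against that CRL before and after revoking it. The CA name, the client name, the URL http://crl.example.test/demo.crl and every file path are constructed for the demo; it assumes an openssl binary (1.0.2 or later) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the F5 manual): emulate a CRLDP-style revocation
# check with openssl. All names, paths and URLs below are constructed.
set -eu

# Create a fresh working directory and a minimal demo CA inside it.
setup_ca() {
  WORK=$(mktemp -d)
  cd "$WORK"
  mkdir -p ca/newcerts
  touch ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  # Minimal openssl.cnf for "openssl ca"; $dir is resolved by openssl, not the shell.
  cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Self-signed CA certificate (constructed CN).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca/ca.key -out ca/ca.crt \
    -subj "/CN=Demo CRLDP CA" -days 365 -config ca/openssl.cnf 2>/dev/null
  # Client CSR, then a certificate carrying a CRL Distribution Point extension
  # (the URL is constructed; a real CRLDP server object would point at it).
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=demo-client" -config ca/openssl.cnf 2>/dev/null
  printf 'crlDistributionPoints=URI:http://crl.example.test/demo.crl\n' > ext.cnf
  openssl ca -batch -config ca/openssl.cnf -in client.csr -out client.crt \
    -extfile ext.cnf 2>/dev/null
  # Publish an initial (empty) CRL.
  openssl ca -config ca/openssl.cnf -gencrl -out demo.crl 2>/dev/null
}

# Print the first CRL Distribution Point URI embedded in the client certificate.
# This is the URL a CRLDP check would fetch the CRL from.
crl_distribution_point() {
  cd "$WORK"
  openssl x509 -in client.crt -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p' | head -n 1
}

# Print "good" if the client certificate chains to the CA and is absent from
# the CRL, "revoked" otherwise. -crl_check forces the CRL to be consulted.
check_revocation() {
  cd "$WORK"
  if openssl verify -crl_check -CAfile ca/ca.crt -CRLfile demo.crl client.crt >/dev/null 2>&1; then
    echo good
  else
    echo revoked
  fi
}

# Revoke the client certificate and publish an updated CRL.
revoke_client() {
  cd "$WORK"
  openssl ca -config ca/openssl.cnf -revoke client.crt 2>/dev/null
  openssl ca -config ca/openssl.cnf -gencrl -out demo.crl 2>/dev/null
}

# Full sequence: prints the status before and after revocation ("good revoked").
run_demo() {
  setup_ca
  before=$(check_revocation)
  revoke_client
  after=$(check_revocation)
  echo "$before $after"
}

run_demo
```

The point the script makes is that the verification outcome depends entirely on which CRL the verifier holds: the same certificate is accepted against the first CRL and rejected against the one generated after revocation. This is why a CRLDP configuration object lists the distribution points to poll and why a stale or unreachable CRL source is a silent failure mode worth monitoring.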

To implement a CRLDP authentication module, you must create:

  • One or more high-level CRLDP server objects
  • A CRLDP configuration object
  • A CRLDP profile

You must then modify a virtual server to assign the CRLDP profile to it.

Creating a CRLDP server object

The first task in configuring CRLDP-based remote authentication on the BIG-IP system is to create a custom CRLDP server object. A CRLDP server object is an object that you create that includes a URL for an external CRLDP server. You must create a separate CRLDP server object for each external CRLDP server.

After you create the custom CRLDP server object, you create a custom CRLDP configuration object and a custom CRLDP profile, and then assign the custom profile and a default iRule to an HTTP virtual server.

To create a CRLDP server object

  1. On the Main tab, expand Local Traffic.
  2. Click Profiles.
    The Profiles screen opens.
  3. From the Authentication menu, choose CRLDP Servers.
    This displays the CRLDP Servers list screen.
  4. In the upper right corner of the screen, click Create.
  5. For the Name setting, type a unique name for the CRLDP server object, such as my_crldp_server.
  6. Type or retain all configuration values.
  7. Click Finished.

Creating a CRLDP configuration object

The next task in configuring CRLDP-based remote authentication on the BIG-IP system is to create a custom CRLDP configuration object. A CRLDP configuration object specifies information that the BIG-IP system needs to perform the remote authentication.

After you create the custom CRLDP configuration object, you create a custom CRLDP profile, and then assign the custom profile and a default iRule to an HTTP virtual server.

To create a CRLDP configuration object

  1. On the Main tab, expand Local Traffic, and click Profiles.
    The Profiles screen opens.
  2. From the Authentication menu, choose Configurations.
  3. In the upper right corner of the screen, click Create.
    This displays the New Configuration screen.
  4. For the Name setting, specify a unique name for the configuration object, such as my_crldp_config.
  5. For the Type setting, select CRLDP.
  6. For the Servers setting, from the Available box select the name of a CRLDP server object and click the Move button (<<).
    This moves the name to the Selected box.
  7. Repeat the previous step for each server object.
  8. Click Finished.

Creating a CRLDP profile

The next task in configuring CRLDP-based remote authentication on the BIG-IP system is to create a custom CRLDP profile. A CRLDP profile specifies information such as the name of the CRLDP configuration object you previously created.

After you create the profile, you assign the custom profile and a default iRule to an HTTP virtual server.

To create a custom CRLDP profile

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
    The HTTP Profiles screen opens.
  2. From the Authentication menu, choose Profiles.
    The Authentication Profiles screen opens.
  3. On the upper-right corner of the screen, click Create.
    The New Authentication Profile screen opens.
  4. From the Type list, select CRLDP.
    This displays the profile settings that you can configure.
  5. In the Name box, type a unique name for the profile, such as my_crldp_profile.
  6. From the Parent Profile list, verify that ssl_crldp is selected.
    This causes the new profile to inherit configuration values from the default profile, named ssl_crldp.
  7. From the Configuration list, select the name of the CRLDP configuration object that you previously created.
  8. For all remaining settings, retain the default values.
  9. Click Finished.

Modifying a virtual server for CRLDP authentication

The final task in the process of implementing CRLDP authentication is to assign the custom CRLDP profile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).

Note

The virtual server to which you assign an authentication profile must be a Standard type of virtual server.

To modify a virtual server for CRLDP authentication

  1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a virtual server.
    This displays the properties of that virtual server.
  3. From the Configuration list, select Advanced.
    This displays additional properties.
  4. From the Authentication Profiles list, from the Available box select the name of the custom CRLDP profile that you previously created, and click the Move button (<<).
    This moves the profile name to the Enabled box.
    Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
  5. Click Update.
