
Manual Chapter: Configuring Remote Authentication for Application Traffic
As an administrator in a large computing environment, you might prefer to store your site's user accounts remotely, on a dedicated authentication server. Fortunately, you can set up the BIG-IP® system to use this server to authenticate any network traffic passing through the BIG-IP system. Remote authentication servers typically use these protocols:
Application traffic that is slated for load balancing
This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. For more information, see the remainder of this chapter, click the Help tab in the Configuration utility, or see the Configuration Guide for BIG-IP® Local Traffic Manager.
Management traffic for administering the BIG-IP system
This type of traffic does not pass through a virtual server, and instead passes through the management interface (MGMT). You configure remote authentication for this type of traffic when you create your administrative user accounts. For more information, see Chapter 24, Configuring Remote Authentication and Authorization for Administrative Traffic in this guide, and the TMOS® Management Guide for BIG-IP® Systems.
When you want to use a remote server to authenticate application traffic passing through the BIG-IP system, you can use one of these server types:
To configure remote user authentication for application traffic, you must create both a configuration object and an authentication profile. Each authentication server type requires a different configuration object and profile. For example, to configure the BIG-IP system to use an LDAP authentication server, you must create an LDAP configuration object and a custom LDAP profile.
When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.
Note: All remote authentication servers must reside in route domain 0. For information on route domains, see the TMOS® Management Guide for BIG-IP® Systems.
You can configure the BIG-IP system to use an LDAP or Active Directory server for authenticating traffic that passes through the TMM interfaces of the BIG-IP system. By default, client credentials are based on basic HTTP authentication (that is, user name and password). However, you can also enable SSL authentication, which is based on SSL keys and certificates.
The first task in configuring LDAP-based or Active Directory-based remote authentication on the BIG-IP system is to create a custom LDAP configuration object, using the Configuration utility. An LDAP configuration object specifies information that the BIG-IP system needs to perform the remote authentication. For example, the configuration object specifies the remote LDAP tree that the system uses as the source location for the authentication data.
If the remote authentication server uses LDAP or Active Directory and is set up to authenticate SSL authentication traffic, there is an additional feature that you can enable. You can configure the BIG-IP system to perform the server-side SSL handshake that the remote server would normally perform when authenticating client traffic. In this case, there are some preliminary tasks you must perform to prepare for remote authentication using SSL.
2.
On the BIG-IP system, import the certificates, using the Configuration utility.
You can store the certificates in any location on the BIG-IP system.
Once you have performed these preliminary SSL tasks, you can enable SSL-based remote server authentication. You do this as part of creating the LDAP configuration object, which includes these Advanced settings:
SSL CA Certificate
This represents the name of the certificate that normally resides on the remote authentication server.
SSL Client Key
This represents the name of the SSL key that the client sends to the BIG-IP system. This key specification is only necessary when the remote server requires a client certificate.
SSL Client Certificate
This represents the name of the SSL certificate that the client sends to the BIG-IP system. This certificate specification is only necessary when the remote server requires a client certificate.
Important: When specifying key and certificate files while creating an LDAP configuration object, be sure to specify the full path name of the storage location on the BIG-IP system. For example, if the certificate is stored in the directory /config/ssl/ssl.crt, type the value /config/ssl/ssl.crt.
After you create the custom LDAP configuration object, you create a custom LDAP profile, and then assign the custom profile to an HTTP virtual server.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The HTTP Profiles screen opens.
2.
From the Authentication menu, choose Configurations.
The Authentication Configurations screen opens.
3.
On the upper-right corner of the screen, click Create.
The New Authentication Configuration screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create an LDAP configuration object.
4.
In the Name box, type a unique name for the configuration object, such as my_ldap_config.
5.
From the Type list, select LDAP.
This displays the configuration object settings that you can configure.
6.
For the Configuration area, select Basic or Advanced.
Selecting Advanced causes additional settings to appear on the screen.
7.
In the Remote LDAP Tree box, type the file location (tree) of the user authentication database on the LDAP or Active Directory server.
At a minimum, you must specify a domain component (that is, dc=<value>).
8.
For the Hosts setting:
b)
Click Add.
The IP address appears in the text window.
9.
Retain or change the Service Port value.
10.
Retain or change the LDAP Version value.
11.
If you selected a basic configuration in step 6, click Finished. If you selected an advanced configuration in step 6, configure the remaining settings and click Finished.
The next task in configuring LDAP-based or Active Directory-based remote authentication on the BIG-IP system is to create a custom LDAP profile. An LDAP profile specifies information such as the LDAP authentication mode (Enabled or Disabled), and the name of the LDAP configuration object you previously created.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The HTTP Profiles screen opens.
2.
From the Authentication menu, choose Profiles.
The Authentication Profiles screen opens.
3.
On the upper-right corner of the screen, click Create.
The New Authentication Profile screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create an LDAP profile.
4.
In the Name box, type a unique name for the profile, such as my_ldap_profile.
5.
From the Type list, select LDAP.
This displays the profile settings that you can configure.
6.
From the Parent Profile list, verify that ldap is selected.
This causes the new profile to inherit its default configuration values from the default profile, named ldap.
7.
From the Configuration list, select the name of the LDAP configuration object that you previously created.
9.
Click Finished.
The final task in the process of implementing authentication using a remote LDAP server is to assign the custom LDAP profile and a default LDAP authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Servers screen opens.
2.
In the Name column, click the name of a Standard-type virtual server to which an HTTP profile is assigned.
This displays the properties of that virtual server.
3.
From the Configuration list, select Advanced.
This displays additional properties.
4.
From the Authentication Profiles list, from the Available box select the name of the custom LDAP profile that you previously created, and click the Move button (<<).
This moves the profile name to the Enabled box.
Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
5.
Click Update.
A RADIUS authentication module is a mechanism for authenticating client connections passing through a BIG-IP system. You use this module when your authentication data is stored on a remote RADIUS server. In this case, client credentials are based on basic HTTP authentication (that is, user name and password).
To implement a RADIUS authentication module, you must configure the BIG-IP system to access data on a remote RADIUS server. To do this, you must:
The first task in configuring RADIUS-based remote authentication on the BIG-IP system is to create a custom RADIUS server object. After you create the custom RADIUS server object, you create a custom RADIUS configuration object and a custom RADIUS profile, and then assign the custom profile and a default iRule to an HTTP virtual server.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The Profiles screen opens.
2.
From the Authentication menu, choose RADIUS Servers.
This displays the RADIUS Server List screen.
3.
In the upper right corner of the screen, click Create.
This displays the RADIUS Server screen.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a RADIUS server object.
4.
For the Name setting, type a unique name for the RADIUS server object, such as my_radius_server.
5.
For the Server setting, type a host name or IP address for the remote RADIUS server.
6.
For the Secret and Confirm Secret settings, type the RADIUS secret.
7.
Retain the default Timeout value.
8.
Click Finished.
The next task in configuring RADIUS-based remote authentication on the BIG-IP system is to create a custom RADIUS configuration object. A RADIUS configuration object specifies information that the BIG-IP system needs to perform the remote authentication.
After you create the custom RADIUS configuration object, you create a custom RADIUS profile, and then assign the custom profile and a default iRule to an HTTP virtual server.
1.
On the Main tab, expand Local Traffic, and click Profiles.
The Profiles screen opens.
2.
From the Authentication menu, choose Configurations.
This displays the Authentication Configurations screen.
3.
In the upper right corner of the screen, click Create.
This displays the New Authentication Configuration screen.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a RADIUS configuration object.
4.
For the Name setting, specify a unique name for the configuration object, such as my_radius_config.
5.
For the Type setting, select RADIUS.
The screen expands to show several settings.
6.
From the Configuration list, select Basic or Advanced.
Selecting Advanced causes additional settings to appear on the screen.
7.
For the RADIUS Servers setting, from the Available box select the IP address of the RADIUS server and click the Move button (<<).
This moves the server name to the Selected box.
8.
In the Client ID box, type a NAS-Identifier string.
Required for RADIUS authentication, the NAS-Identifier string appears in Access-Request packets and identifies the NAS that originates the packet. An example of a NAS-Identifier string is a fully-qualified domain name (FQDN).
9.
If you selected a basic configuration in step 7, click Finished. If you selected an advanced configuration in step 7, configure the remaining settings and click Finished.
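The Secret typed into the RADIUS server object and the Client ID (NAS-Identifier) typed into the RADIUS configuration object both end up in the Access-Request packet. The following added example, which is not part of the F5 manual and is not BIG-IP code, builds and parses such a packet as defined in RFC 2865, showing where the NAS-Identifier appears and how the shared secret hides the User-Password attribute. The user name, password, secret and host name are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1          # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """Hide User-Password as in RFC 2865 section 5.2 (MD5 chain keyed by the secret)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block            # next block is chained on this ciphertext block
    return hidden


def recover_password(hidden, secret, authenticator):
    """What the RADIUS server does with its own copy of the shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user, password, nas_identifier, secret,
                         authenticator=None):
    """Return the bytes of an Access-Request carrying a NAS-Identifier."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_identifier))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"constructed-secret"
    pkt = build_access_request(7, b"alice", b"correct horse battery",
                               b"bigip1.example.com", secret)
    code, ident, auth, attrs = parse_packet(pkt)
    print("NAS-Identifier on the wire:", attrs[ATTR_NAS_IDENTIFIER].decode())
    print("User-Password on the wire :", attrs[ATTR_USER_PASSWORD].hex())
    print("Recovered with the secret :",
          recover_password(attrs[ATTR_USER_PASSWORD], secret, auth).decode())
```

The user name and NAS-Identifier travel in clear text; only the password is hidden, and only as strongly as the shared secret, so the secret configured on the BIG-IP system and on the RADIUS server must match.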
The next task in configuring RADIUS-based remote authentication on the BIG-IP system is to create a custom RADIUS profile. A RADIUS profile specifies information such as the RADIUS authentication mode (Enabled or Disabled), and the name of the RADIUS configuration object you previously created.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The HTTP Profiles screen opens.
2.
From the Authentication menu, choose Profiles.
The Authentication Profiles screen opens.
3.
On the upper-right corner of the screen, click Create.
The New Authentication Profile screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a RADIUS profile.
4.
From the Type list, select RADIUS.
This displays the profile settings that you can configure.
5.
In the Name box, type a unique name for the profile, such as my_radius_profile.
6.
From the Parent Profile list, verify that radius is selected.
This causes the new profile to inherit configuration values from the default profile, named radius.
7.
From the Configuration list, select the name of the RADIUS configuration object that you previously created.
9.
Click Finished.
The final task in the process of implementing authentication using a remote RADIUS server is to assign the custom RADIUS profile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Servers screen opens.
2.
In the Name column, click the name of a virtual server.
This displays the properties of that virtual server.
3.
From the Configuration list, select Advanced.
This displays additional properties.
4.
From the Authentication Profiles list, from the Available box select the name of the custom RADIUS profile that you previously created, and click the Move button (<<).
This moves the profile name to the Enabled box.
Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
5.
Click Update.
You can configure the BIG-IP system to use a TACACS+ server for authenticating traffic that passes through the TMM interfaces of the BIG-IP system. In this case, client credentials are based on basic HTTP authentication (that is, user name and password).
The first task in configuring TACACS+ remote authentication on the BIG-IP system is to create a custom TACACS+ configuration object. A TACACS+ configuration object specifies information that the BIG-IP system needs to perform the remote authentication. For example, the configuration object specifies the IP address of the remote TACACS+ server.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The HTTP Profiles screen opens.
2.
From the Authentication menu, choose Configurations.
The Authentication Configurations screen opens.
3.
On the upper-right corner of the screen, click Create.
The New Authentication Configuration screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a TACACS+ configuration object.
4.
From the Type list, select TACACS+.
This displays the configuration object settings that you can configure.
5.
In the Name box, type a unique name for the configuration object, such as my_tacacs_config.
6.
For the Configuration area, select Basic or Advanced.
Selecting Advanced causes additional settings to appear on the screen.
7.
In the Servers box, type the IP address of the remote TACACS+ server and click Add.
The IP address appears in the text box.
8.
For the Hosts setting, type the IP address of the remote LDAP or Active Directory server and click Add.
The IP address appears in the text window.
9.
In the Secret box, type a TACACS+ secret key to be used for encrypting or decrypting packets sent to or from the server.
10.
In the Confirm Secret box, re-type the secret key you typed in the Secret box.
11.
If you selected a basic configuration in step 6, click Finished. If you selected an advanced configuration in step 6, configure the remaining settings and click Finished.
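The secret key entered in step 9 is what both ends use to encrypt and decrypt the TACACS+ packet body. The following added example, which is not part of the F5 manual and is not BIG-IP code, implements the body obfuscation defined in RFC 8907 (an MD5-derived pad XORed with the body) and reports packets whose header carries the unencrypted flag. The session ID, secret, user name and password are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# version, type, seq_no, flags, session_id, body length (12 octets in total)
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, secret, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5, truncated to the body length."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(seed + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, secret, version, seq_no):
    """XOR with the pad; the same call encrypts and decrypts."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(version, pkt_type, seq_no, session_id, body, secret):
    header = HEADER.pack(version, pkt_type, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, secret, version, seq_no)


def read_packet(packet, secret):
    """Decode one packet; 'cleartext' is True when the body was sent unprotected."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 12-octet TACACS+ header")
    version, _type, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:]
    if length != len(body):
        raise ValueError("length field does not match body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return {"cleartext": True, "body": body}
    return {"cleartext": False,
            "body": obfuscate(body, session_id, secret, version, seq_no)}


def sample_start_body():
    """Constructed PAP authentication START body (user, port, password)."""
    user, port, rem_addr, data = b"alice", b"tty0", b"", b"s3cret-pw"
    fixed = bytes([0x01, 0x01, 0x02, 0x01,            # login, priv 1, PAP, login service
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


if __name__ == "__main__":
    secret = b"constructed-secret"
    pkt = build_packet(0xC1, 1, 1, 0x1234ABCD, sample_start_body(), secret)
    print("wire body     :", pkt[HEADER.size:].hex())
    print("right secret  :", read_packet(pkt, secret)["body"])
    print("wrong secret  :", read_packet(pkt, b"wrong-secret")["body"])
```

A mismatch between the secret on the BIG-IP system and the one on the TACACS+ server produces a body that does not decode, and a packet with the unencrypted flag set exposes the user name and password to anyone on the path.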
Once you have created the TACACS+ configuration object, you must create a custom TACACS+ profile and modify an HTTP virtual server.
The next task in configuring TACACS+-based remote authentication on the BIG-IP system is to create a custom TACACS+ profile. After you create the profile, you assign the custom profile, the default http profile, and a default iRule to a virtual server.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The HTTP Profiles screen opens.
2.
From the Authentication menu, choose Profiles.
The Authentication Profiles screen opens.
3.
On the upper-right corner of the screen, click Create.
The New Authentication Profile screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a TACACS+ profile.
4.
From the Type list, select TACACS+.
This displays the profile settings that you can configure.
5.
In the Name box, type a unique name for the profile, such as my_tacacs_profile.
6.
From the Parent Profile list, verify that tacacs is selected.
This causes the new profile to inherit its default configuration values from the default profile, named tacacs.
7.
From the Configuration list, select the name of the TACACS+ configuration object that you previously created.
9.
Click Finished.
The final task in the process of implementing authentication using a remote TACACS+ server is to assign the custom TACACS+ profile and an existing default authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Servers screen opens.
2.
In the Name column, click the name of a virtual server.
This displays the properties of that virtual server.
3.
From the Configuration list, select Advanced.
This displays additional properties.
4.
From the Authentication Profiles list, from the Available box select the name of the custom TACACS+ profile that you previously created, and click the Move button (<<).
This moves the profile name to the Enabled box.
Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
5.
Click Update.
With the SSL Client Certificate LDAP authentication module, you can use a remote LDAP server to impose access control on application traffic. The module bases this access control on SSL certificates and roles that you specify.
To configure SSL Client Certificate LDAP-based authentication for application traffic, you complete these tasks:
The first task in configuring SSL Client Certificate LDAP-based remote authentication on the BIG-IP system is to create a custom SSL Client Certificate LDAP configuration object, using the Configuration utility. An SSL Client Certificate LDAP configuration object specifies information that the BIG-IP system needs to perform the remote authentication.
After you create the custom SSL Client Certificate LDAP configuration object, you create a custom SSL Client Certificate LDAP profile, and then assign the custom profile to an SSL virtual server.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The HTTP Profiles screen opens.
2.
From the Authentication menu, choose Configurations.
The Authentication Configurations screen opens.
3.
On the upper-right corner of the screen, click Create.
The New Authentication Configuration screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create an SSL Client Certificate LDAP configuration object.
4.
In the Name box, type a unique name for the configuration object, such as my_ssl_client_cert_ldap_config.
5.
From the Type list, select SSL Client Certificate LDAP.
This displays the configuration object settings that you can configure.
6.
For the Configuration area, select Basic or Advanced.
Selecting Advanced causes additional settings to appear on the screen.
7.
For the Hosts setting:
b)
Click Add.
The IP address appears in the text window.
8.
From the Search Type list, select User, Certificate Map, or Certificate.
9.
In the User Base DN box, type the search base for the sub tree that the LDAP server uses to perform a User or Certificate search type.
10.
In the User Key box, type the attribute that the LDAP server uses to designate a user ID.
11.
If you selected a basic configuration in step 6, click Finished. If you selected an advanced configuration in step 6, configure the remaining settings and click Finished.
The next task in configuring LDAP-based remote authentication on the BIG-IP system is to create a custom SSL Client Certificate LDAP profile. An SSL Client Certificate LDAP profile specifies information such as the name of the LDAP configuration object you previously created.
After you create the custom SSL Client Certificate LDAP profile, you assign the custom profile and a default iRule to a virtual server.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The HTTP Profiles screen opens.
2.
From the Authentication menu, choose Profiles.
The Authentication Profiles screen opens.
3.
On the upper-right corner of the screen, click Create.
The New Authentication Profile screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create an SSL Client Certificate LDAP profile.
4.
In the Name box, type a unique name for the profile, such as my_ssl_client_cert_ldap_profile.
5.
From the Type list, select SSL Client Certificate LDAP.
This displays the profile settings that you can configure.
6.
From the Parent Profile list, verify that sol ldap is selected.
This causes the new profile to inherit its default configuration values from the default profile, named ldap.
7.
From the Configuration list, select the name of the LDAP configuration object that you previously created.
9.
Click Finished.
The final task in the process of implementing authorization using a remote LDAP server is to assign the custom SSL Client Certificate LDAP profile and a default LDAP authentication iRule to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Servers screen opens.
2.
In the Name column, click the name of a Standard-type virtual server to which an HTTP server profile is assigned.
This displays the properties of that virtual server.
3.
From the Configuration list, select Advanced.
This displays additional properties.
4.
From the Authentication Profiles list, from the Available box select the name of the custom SSL Client Certificate LDAP profile that you previously created, and click the Move button (<<).
This moves the profile name to the Enabled box.
Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
5.
Click Update.
An SSL OCSP authentication module is a mechanism for authenticating client connections passing through a local traffic management system. More specifically, an SSL OCSP authentication module checks the revocation status of an SSL certificate, as part of authenticating that certificate.
The first task in configuring SSL OCSP-based remote authentication on the BIG-IP system is to create a custom SSL OCSP responder object. An SSL OCSP responder object is an object that you create that includes a URL for an external SSL OCSP responder. You must create a separate SSL OCSP responder object for each external SSL OCSP responder.
After you create the custom SSL OCSP responder object, you create a custom SSL OCSP configuration object and a custom SSL OCSP profile, and then assign the custom profile and a default iRule to an HTTP virtual server.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The Profiles screen opens.
2.
From the Authentication menu, choose OCSP Responders.
This displays the OCSP Responders list screen.
3.
In the upper right corner of the screen, click Create.
This displays the New OCSP Responder screen.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create an SSL OCSP responder object.
4.
For the Name setting, type a unique name for the OCSP responder object, such as my_ocsp_responder.
6.
Click Finished.
The next task in configuring SSL OCSP-based remote authentication on the BIG-IP system is to create a custom SSL OCSP configuration object. An SSL OCSP configuration object specifies information that the BIG-IP system needs to perform the remote authentication.
After you create the custom SSL OCSP configuration object, you create a custom SSL OCSP profile, and then assign the custom profile and a default iRule to an HTTP virtual server.
1.
On the Main tab, expand Local Traffic, and click Profiles.
The Profiles screen opens.
2.
From the Authentication menu, choose Configurations.
This displays the Authentication Configurations screen.
3.
In the upper right corner of the screen, click Create.
This displays the New Authentication Configuration screen.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create an SSL OCSP configuration object.
4.
For the Name setting, specify a unique name for the configuration object, such as my_ocsp_config.
5.
For the Type setting, select SSL OCSP.
6.
For the Responders setting, from the Available box select the name of an OCSP responder object and click the Move button (<<).
This moves the name to the Selected box.
8.
Click Finished.
The next task in configuring SSL OCSP-based remote authentication on the BIG-IP system is to create a custom SSL OCSP profile. An SSL OCSP profile specifies information such as the name of the SSL OCSP configuration object you previously created.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The HTTP Profiles screen opens.
2.
From the Authentication menu, choose Profiles.
The Authentication Profiles screen opens.
3.
On the upper-right corner of the screen, click Create.
The New Authentication Profile screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create an SSL OCSP profile.
4.
From the Type list, select SSL OCSP.
This displays the profile settings that you can configure.
5.
In the Name box, type a unique name for the profile, such as my_ssl_ocsp_profile.
6.
From the Parent Profile list, verify that ssl_ocsp is selected.
This causes the new profile to inherit configuration values from the default profile, named ssl_ocsp.
7.
From the Configuration list, select the name of the SSL OCSP configuration object that you previously created.
9.
Click Finished.
The final task in the process of implementing SSL OCSP authentication is to assign the custom SSL OCSP profile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Servers screen opens.
2.
In the Name column, click the name of a virtual server.
This displays the properties of that virtual server.
3.
From the Configuration list, select Advanced.
This displays additional properties.
4.
From the Authentication Profiles list, from the Available box select the name of the custom SSL OCSP profile that you previously created, and click the Move button (<<).
This moves the profile name to the Enabled box.
Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
5.
Click Update.
A Certificate Revocation List Distribution Point (CRLDP) authentication module is a mechanism for authenticating client connections passing through a local traffic management system. More specifically, a CRLDP authentication module checks the revocation status of an SSL certificate, as part of authenticating that certificate.
The first task in configuring CRLDP-based remote authentication on the BIG-IP system is to create a custom CRLDP server object. A CRLDP server object is an object that you create that includes a URL for an external CRLDP server. You must create a separate CRLDP server object for each external CRLDP responder.
After you create the custom CRLDP object, you create a custom CRLDP configuration object and a custom CRLDP profile, and then assign the custom profile and a default iRule to an HTTP virtual server.
1.
2.
Click Profiles.
The Profiles screen opens.
3.
From the Authentication menu, choose CRLDP Servers.
This displays the CRLDP Servers list screen.
4.
In the upper right corner of the screen, click Create.
This displays the New CRLDP Server screen.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a CRLDP responder object.
5.
For the Name setting, type a unique name for the CRLDP server object, such as my_crldp_server.
7.
Click Finished.
The next task in configuring CRLDP-based remote authentication on the BIG-IP system is to create a custom CRLDP configuration object. A CRLDP configuration object specifies information that the BIG-IP system needs to perform the remote authentication.
After you create the custom CRLDP configuration object, you create a custom CRLDP profile, and then assign the custom profile and a default iRule to an HTTP virtual server.
1.
On the Main tab, expand Local Traffic, and click Profiles.
The Profiles screen opens.
2.
From the Authentication menu, choose Configurations.
This displays the Authentication Configurations screen.
3.
In the upper right corner of the screen, click Create.
This displays the New Authentication Configuration screen.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a CRLDP configuration object.
4.
For the Name setting, specify a unique name for the configuration object, such as my_crldp_config.
5.
For the Type setting, select CRLDP.
6.
For the Servers setting, from the Available box select the name of a CRLDP server object and click the Move button (<<).
This moves the name to the Selected box.
8.
Click Finished.
The next task in configuring CRLDP-based remote authentication on the BIG-IP system is to create a custom CRLDP profile. A CRLDP profile specifies information such as the name of the CRLDP configuration object you previously created.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The HTTP Profiles screen opens.
2.
From the Authentication menu, choose Profiles.
The Authentication Profiles screen opens.
3.
On the upper-right corner of the screen, click Create.
The New Authentication Profile screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a CRLDP profile.
4.
From the Type list, select CRLDP.
This displays the profile settings that you can configure.
5.
In the Name box, type a unique name for the profile, such as my_crldp_profile.
6.
From the Parent Profile list, verify that ssl_crldp is selected.
This causes the new profile to inherit configuration values from the default profile, named ssl_crldp.
7.
From the Configuration list, select the name of the CRLDP configuration object that you previously created.
9.
Click Finished.
The final task in the process of implementing CRLDP authentication is to assign the custom CRLDP profile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Servers screen opens.
2.
In the Name column, click the name of a virtual server.
This displays the properties of that virtual server.
3.
From the Configuration list, select Advanced.
This displays additional properties.
4.
From the Authentication Profiles list, from the Available box select the name of the custom CRLDP profile that you previously created, and click the Move button (<<).
This moves the profile name to the Enabled box.
Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
5.
Click Update.