Overview

To implement OpenOTP authentication on F5 using RADIUS, you'll need to configure your F5 appliance and the RADIUS server (using RCDevs OpenOTP and Radius Bridge). Below are the detailed steps to achieve this setup from the F5 perspective:

Prerequisites

  • F5 BIG-IP appliance with Access Policy Manager (APM) enabled.
  • WebADM/OpenOTP server with Radius Bridge installed and configured.
  • Access to F5 management UI, WebADM administration portal and Radius Bridge server configuration file.
  • A WebADM Client Policy that defines the authentication settings for the F5 (see the last section below).

Configure the F5 as a RADIUS Client in Radius Bridge

  1. Edit the clients.conf File on the Radius Bridge Server:

    • SSH into your Radius Bridge server.
    • Open the clients.conf file for editing:
      sudo nano /opt/radiusd/conf/clients.conf
      
    • Add a new RADIUS client entry for your F5 appliance:
      client <F5_IP_Address> {
          secret          = <Shared_Secret>
          shortname       = f5appliance
      }
      
    • Replace <F5_IP_Address> with the IP address of your F5 appliance and <Shared_Secret> with the shared secret that the F5 will use to authenticate to the Radius Bridge. Use a long, random value: the shared secret is what protects the credentials in the RADIUS exchange, and the same value must be entered on the F5 side.
  2. Restart the Radius Bridge Service:

    • Restart the Radius Bridge service to apply the new configuration:
      sudo systemctl restart radiusd

      or

      sudo /opt/radiusd/bin/radiusd restart


Configure F5 to Use RADIUS for Authentication

  1. Log in to the F5 Management UI:

    • Access your F5 BIG-IP management interface through a web browser.
  2. Create a New RADIUS AAA Server:

    • Go to Access > Authentication > RADIUS.
    • Click on Create to add a new RADIUS server.
    • Configure the RADIUS server settings:
      • Name: Give the server a descriptive name (e.g., OpenOTP_Radius).
      • Server Connection: Choose whether you want to use a single server or a pool.
      • IP Address: Enter the IP address of your Radius Bridge server.
      • Service Port: Use the default port 1812 (unless changed).
      • Secret: Enter the shared secret you configured in the clients.conf file.
      • Timeout: Set an appropriate timeout, such as 30 seconds, so the user has enough time to complete the OTP step before the F5 gives up on the request.
      • Retries: Set the number of retry attempts to 0, so the F5 does not retransmit a request that OpenOTP is still validating.
    • Click on Finished to save the configuration.
  3. Create a New Access Policy with RADIUS Authentication:

    • Go to Access > Profiles / Policies > Access Profiles (Per-Session Policies).
    • Click Create to set up a new access profile.
      • Name: Provide a name for the profile (e.g., Radius_OTP_Profile).
      • Profile Type: Select SSL-VPN.
      • SSO Configuration: Leave this at the default for now.
      • Languages: Select your preferred language.
    • Click Finished.
  4. Edit the Access Policy:

    • In the newly created Access Profile, click on Edit.
    • You will be taken to the Visual Policy Editor.
    • Add a RADIUS Authentication Step:
      • Click on the + symbol between Start and Allow.
      • Choose Authentication > RADIUS Auth.
      • Select the RADIUS server you created earlier (OpenOTP_Radius).
      • Set a fallback option if necessary (e.g., deny access if authentication fails).
      • Click Save.
  5. Link the Access Profile to a Virtual Server:

    • Go to Local Traffic > Virtual Servers.
    • Select the virtual server you want to protect with RADIUS-based OTP.
    • Under Access Policy, attach the access profile you created (Radius_OTP_Profile).
    • Ensure the virtual server is correctly configured to handle SSL/TLS if using SSL-VPN.
  6. Test the Configuration:

    • Attempt to access the virtual server through a client that requires authentication.
    • You should be prompted for the RADIUS-based OTP.
    • The Radius Bridge forwards the authentication request to OpenOTP, which validates the OTP and returns the result to the F5.
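The test step above can also be run without going through the F5: the following Python script, added here as an example and not part of the RCDevs documentation or of Radius Bridge itself, builds an RFC 2865 Access-Request carrying a PAP User-Password, sends it once to the Radius Bridge (no retransmission, matching Retries = 0), and verifies the Response Authenticator so that a shared-secret mismatch is reported instead of looking like a plain reject or timeout. The host, secret, user name and OTP value are placeholders you supply, and PAP is assumed as the password encoding.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2   # RFC 2865 packet code / attribute types
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def pap_encrypt(password, secret, authenticator):
    # RFC 2865 5.2: XOR 16-byte chunks with MD5(secret + previous block), seeded by the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(cipher, secret, authenticator):
    # Inverse of pap_encrypt, as the RADIUS server does on receipt; only the shared secret hides the OTP.
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(c ^ b for c, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, identifier=1, authenticator=b""):
    # Access-Request with User-Name and a PAP User-Password, the shape an F5 RADIUS AAA server sends.
    authenticator = authenticator or os.urandom(16)
    enc = pap_encrypt(password, secret, authenticator)
    attrs = (struct.pack("BB", USER_NAME, 2 + len(username)) + username
             + struct.pack("BB", USER_PASSWORD, 2 + len(enc)) + enc)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def response_is_authentic(response, request_authenticator, secret):
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret); a mismatch means different secrets or a tampered reply.
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return response[4:20] == expected

def check_radius(host, secret, username, password, port=1812, timeout=30.0):
    # One request and no retransmission (matching Retries = 0 on the F5), then classify the reply.
    packet, auth = build_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        data, _ = sock.recvfrom(4096)
    if not response_is_authentic(data, auth, secret):
        return "Invalid Response Authenticator (shared secret mismatch?)"
    return CODE_NAMES.get(data[0], "Unknown RADIUS code %d" % data[0])
```

Call it as `check_radius("<RadiusBridge_IP>", b"<Shared_Secret>", b"<username>", b"<otp>")` from the F5's IP address, since Radius Bridge only answers clients listed in clients.conf; an Access-Challenge reply means OpenOTP is asking for a second step.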

Create and configure a WebADM Client Policy for your F5 authentication

Refer to the Policies & Conditional Access documentation for guidance on creating a client policy tailored for your F5 appliance. This documentation will also help you understand how to configure policy matching with the appropriate policy object.