Overview
To implement OpenOTP authentication on F5 using RADIUS, you need to configure both your F5 appliance and the RADIUS server (RCDevs OpenOTP with Radius Bridge). Below are the detailed steps to achieve this setup from the F5 perspective:
Prerequisites
- F5 Big-IP Appliance with Access Policy Manager (APM) enabled.
- WebADM/OpenOTP server with Radius Bridge installed and configured.
- Access to F5 management UI, WebADM administration portal and Radius Bridge server configuration file.
- Create a WebADM Client policy to define authentication settings.
Configure the F5 as a RADIUS Client in Radius Bridge

- Edit the `clients.conf` file on the Radius Bridge server:
  - SSH into your Radius Bridge server.
  - Open the `clients.conf` file for editing:

    ```
    sudo nano /opt/radiusd/conf/clients.conf
    ```

  - Add a new RADIUS client entry for your F5 appliance:

    ```
    client <F5_IP_Address> {
        secret    = <Shared_Secret>
        shortname = f5appliance
    }
    ```

  - Replace `<F5_IP_Address>` with the IP address of your F5 appliance and `<Shared_Secret>` with the shared secret that the F5 will use to authenticate itself to the Radius Bridge.
- Restart the Radius Bridge service to apply the new configuration:

    ```
    sudo systemctl restart radiusd
    ```

  or

    ```
    sudo /opt/radiusd/bin/radiusd restart
    ```

Configure F5 to Use RADIUS for Authentication

- Log in to the F5 Management UI:
  - Access your F5 Big-IP management interface through a web browser.
- Create a new RADIUS AAA server:
  - Go to Access → Authentication → RADIUS.
  - Click Create to add a new RADIUS server.
  - Configure the RADIUS server settings:
    - Name: give the server a descriptive name (e.g., `OpenOTP_Radius`).
    - Server Connection: choose whether you want to use a single server or a pool.
    - IP Address: enter the IP address of your Radius Bridge server.
    - Service Port: use the default port `1812` (unless changed).
    - Secret: enter the shared secret you configured in the `clients.conf` file.
    - Timeout: set an appropriate timeout, such as 30 seconds.
    - Retries: set the number of retry attempts to 0.
  - Click Finished to save the configuration.
- Create a new Access Policy with RADIUS authentication:
  - Go to Access → Profiles / Policies → Access Profiles (Per-Session Policies).
  - Click Create to set up a new access profile:
    - Name: provide a name for the profile (e.g., `Radius_OTP_Profile`).
    - Profile Type: select SSL-VPN.
    - SSO Configuration: leave this at the default for now.
    - Languages: select your preferred language.
  - Click Finished.
- Edit the Access Policy:
  - In the newly created Access Profile, click Edit. You will be taken to the Visual Policy Editor.
  - Add a RADIUS Authentication step:
    - Click the + symbol between Start and Allow.
    - Choose Authentication → RADIUS Auth.
    - Select the RADIUS server you created earlier (`OpenOTP_Radius`).
    - Set a fallback option if necessary (e.g., deny access if authentication fails).
  - Click Save.
- Link the Access Profile to a Virtual Server:
  - Go to Local Traffic → Virtual Servers.
  - Select the virtual server you want to protect with RADIUS-based OTP.
  - Under Access Policy, attach the access profile you created (`Radius_OTP_Profile`).
  - Ensure the virtual server is correctly configured to handle SSL/TLS if using SSL-VPN.
- Test the Configuration:
  - Attempt to access the virtual server through a client that requires authentication.
  - You should be prompted for the RADIUS-based OTP.
  - The Radius Bridge forwards the authentication request to OpenOTP, which validates the OTP.
Create and configure a WebADM Client Policy for your F5 authentication
Refer to the Policies & Conditional Access documentation for guidance on creating a client policy tailored for your F5 appliance. This documentation will also help you understand how to configure policy matching with the appropriate policy object.