Balanced

Best way to have a good idea, is to have lots of ideas

Setting up F5 APM with Google Authenticator

Setting up a secure VPN is easier than you might think. With F5 APM and Google Authenticator you can be up and running quickly.

There is an article on DevCentral covering this, but I thought it could be a bit simpler, so I wrote my own. Tested on BIG-IP version 12; it should be more or less applicable to version 11 as well. Please let me know if there are any differences and I’ll update the article.

Configure a functioning VPN base

  1. Start with opening up the Device Wizards
    devicewizard
  2. Choose the Network Access Setup Wizard for Remote Access and click Next
    networkaccesswizard
  3. Choose a policy name and click next.
  4. Then select “No authentication” (we will set that up later) and Next.
  5. Configure the lease pool. These are the addresses that your clients will get when connecting to the VPN.
    Enter the IP range you wish to use, click on Add, then Next. Example:
    clientiprange
  6. Click Next again to configure the network access. There are two choices:
    Force all traffic through tunnel
    All traffic from the client goes through the tunnel.
    Use split tunnel for traffic
    Only the traffic you specify goes through the tunnel.

    I would advise using split tunnel and this guide will continue based on that. (Forcing all traffic through the tunnel is the stricter option, since every packet from the client then passes your perimeter controls, at the cost of backhauling the client’s internet traffic.)

  7. Choosing split tunnel will add an additional part of the form where you will choose which traffic should go through the tunnel.
    You will have to enter all your internal networks here (or the ones you want VPN clients to access). Also add your local domain if you have one, then click Next. Example:
    splittunnelconfig
  8. Enter the IP of your DNS server, click Next.
  9. Enter the IP of the virtual server that will serve the VPN clients, click Next.
  10. Review your choices, click Next, then Finished.

Add local authentication

Remember when we chose “No authentication” in the previous step? This is where we make sure that users need to authenticate.

  1. Go to Access Policy, Local User DB, Manage Instances
    manageinstance
  2.  Click on Create New Instance
  3. Choose a name, click OK
  4. Then go to Access Policy, Local User DB, Manage users
    manageusers
  5. Click on Create user, enter username, password and select the instance you just created.
    createuser
  6. Now go to Access Policy, Access Profiles
    accessprofiles
  7. Click on Edit in the Access Policy column
    Editaccesspolicy
  8. Now the visual policy editor should launch. Click on the plus sign between “Logon page” and “Resource assign”.
    Addgettoken
  9.  Select the Authentication tab and then LocalDB Auth. Then click “Add Item”
    AddLocalDBAuth
  10.  Select your LocalDB Instance and click on “Save”
    LocalDBAuthconfig
  11. Your visual policy editor should look like this now:
    afterlocalauthpolicy
  12. Click on Apply Access Policy
    applyaccesspolicy

Now you have a fully functioning VPN service (provided that you open up the firewall, of course) and technically you could stop here. But a single password is not much of a barrier, so let’s add two-factor authentication to make it more secure!

Adding Google authenticator to an access policy

This part is a bit trickier, but you’ll make it.

Create the necessary iRules

These rules are shamelessly stolen from the original article:

https://devcentral.f5.com/articles/two-factor-authentication-with-google-authenticator-and-apm

To create the rules, go to Local Traffic, iRules and then click on Create. Copy the code for each rule from the DevCentral article linked above and paste it into the iRule definition window.

It’s important that you give the rule ga_code_verify exactly that name, because the access policy refers to it by that string (the iRule Event ID in the access policy section below); otherwise it won’t work later.

ga_code_verify

This rule reads the one-time code the user entered, calculates the expected Google Authenticator code from the user’s secret in the data group list, and stores the outcome in session.custom.ga_result so the access policy can branch on it.

generate_ga_code

This rule serves a small web page that generates a secret for Google Authenticator and shows it as a QR code the app can scan.
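What the two iRules have to compute is ordinary RFC 6238 TOTP, which is what the Google Authenticator app implements: HMAC-SHA1 over a 30-second time counter, truncated to 6 digits, with the shared secret exchanged as base32 and handed to the app in an otpauth:// URI (the content of the QR code). The following is an added example written for this page, not the iRule code from the post or from DevCentral; it is in Python rather than Tcl so it can be run on a workstation. The user table, the result codes, the skew window and the user/token names are this example’s own assumptions.

```python
"""Added example (not from the blog post or the DevCentral iRules): the
TOTP generation and verification that generate_ga_code and ga_code_verify
perform. Google Authenticator implements RFC 6238: HMAC-SHA1 over a
30-second counter, 6 digits, secret shared as unpadded base32."""
import base64
import binascii
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default, what the Google Authenticator app uses
DIGITS = 6

# Assumed result codes for this example. The blog's iRule stores its own
# numbers in session.custom.ga_result and the branch rules test those.
GA_OK, GA_BAD_CODE, GA_NO_KEY, GA_BAD_KEY = 0, 1, 2, 3


def generate_secret(nbytes=10):
    """80-bit random secret, base32 without '=' padding (what the app expects)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def provisioning_uri(username, token_name, secret):
    """The otpauth:// URI that the QR code encodes. The label 'user@token'
    is what the app shows next to the code (the '@' part of the form)."""
    return f"otpauth://totp/{quote(f'{username}@{token_name}')}?secret={secret}"


def _decode_secret(secret):
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))   # restore '=' padding


def hotp(key, counter):
    """RFC 4226: HMAC-SHA1(key, counter) with dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret, now=None):
    """The code the phone shows right now (or at the given epoch time)."""
    now = time.time() if now is None else now
    return hotp(_decode_secret(secret), int(now // STEP_SECONDS))


def verify(keys, username, code, now=None, window=1):
    """Check a submitted code the way the verification iRule must.

    keys   -- username -> base32 secret, i.e. the google_auth_keys data group
    window -- extra 30s steps accepted either side of 'now' for clock skew
    Returns one of the GA_* result codes defined above.
    """
    secret = keys.get(username)
    if secret is None:
        return GA_NO_KEY          # the data group key must equal the logon name exactly
    try:
        key = _decode_secret(secret)
    except (binascii.Error, ValueError):
        return GA_BAD_KEY         # typo or non-base32 value in the data group
    submitted = code.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return GA_BAD_CODE
    now = time.time() if now is None else now
    counter = int(now // STEP_SECONDS)
    for step in range(-window, window + 1):
        # constant-time compare; accept the adjacent steps for clock drift
        if hmac.compare_digest(hotp(key, counter + step), submitted):
            return GA_OK
    return GA_BAD_CODE


if __name__ == "__main__":
    # Constructed enrolment for an assumed user "patrik" with token name "vpn"
    secret = generate_secret()
    print(provisioning_uri("patrik", "vpn", secret))      # what the QR code carries
    print("code now:", totp(secret))
    print("verify:", verify({"patrik": secret}, "patrik", totp(secret)))
```

The window of one step either side is what makes a code typed a few seconds after the phone rolled over still work; widen it only if your BIG-IP clock is not NTP-synced, because every extra step is another guessable 6-digit value. A production verifier should also remember the last counter it accepted per user and refuse a second login with the same code inside the window, which the RFC recommends and which the 30-second validity otherwise leaves open to replay.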

Generate Google authenticator tokens

Create the VIP used to generate Google authenticator tokens

  1. Go to Local Traffic, Virtual servers
  2. Click on Create
  3. Give the virtual server a name, e.g. generate_ga_token
  4. Give the virtual server an IP on your local subnet
  5. Assign an HTTP profile
  6. Assign an SSL profile (if you want to use SSL)
  7. Assign the generate_ga_code iRule to the virtual server
  8. Click on Finished

Note that this virtual server has no authentication of its own and hands out the secrets it generates in the clear, so keep it on an internal subnet that only administrators can reach, and disable it when you are not enrolling users.

Generate a token

  1. Browse to the address of the VIP, e.g. https://generategacode.mydomain.local, or http://192.168.1.50 (if that’s your VIP IP)
  2. You should then see this page:
    generatetokenpage
  3. Enter the username of your user and a name for the token after the “@” sign. We need the name to label the token in the Google Authenticator app.
  4. Enter a secret if you like, or let the load balancer generate one for you. You will not have to type this secret again after it has been stored in the data group list in the next section.
  5. Check generate QR code and click on “Submit”
  6. Open up your Google Authenticator app, touch the “plus sign”, select scan barcode and scan the QR code.
  7. Save the secret, we will need it soon.

Save the key in a data group list

  1. Go to Local Traffic, iRules, Data Group Lists
  2. Click on Create
  3. Give the data group list the name google_auth_keys and add your user name as the key and the secret generated earlier as the value. The key must match the username exactly as the user types it on the logon page (including any domain suffix). Be aware that the data group holds the shared secrets in plain text in the BIG-IP configuration, so treat the configuration and its UCS archives as sensitive.
    googleauthkeysdatagrouplist
  4. Click Finished

Update the Virtual server with the verification iRule

  1. Go to Local Traffic, Virtual servers
  2. Find the virtual server created by the wizard (the one that does not have “redirect” in its name) and click on it:
    virtualserversmyvpn
  3. In the following page, choose Resources and click on manage in the iRules section
    Addingirule
  4. Find the ga_code_verify rule in the right list and click on the arrows pointing left. The rule should now be moved to the left side, to the enabled select list.
    assigngacodeverify

Update the Access Policy

So now we have a Google Authenticator token on our phone, and the iRules have been created and assigned. Now we just need to tie it all together in the access policy.

  1. Now go to Access Policy, Access Profiles
    accessprofiles
  2. Click on Edit in the Access Policy column
    Editaccesspolicy
  3. In the Visual policy editor, click the plus sign between LocalDB Auth and Resource Assign
    addinggettoken
  4. In the Logon tab, choose Logon Page and then Add Item
    Addgettokenpage
  5. Change the text as marked in this picture:
    gettokenpageconfig
  6. Click Save
  7. Then click on Add New Macro
  8. Name it and click Save:
    emptymacro
  9. Now click on Edit Terminals in the Macro settings
  10. Click on Add Terminal
  11. Name the terminal “Failure”
  12. Rename the terminal called “Out” to “Successful”
  13. Click on the Set default tab and set the default to Failure.
  14. Click on save
  15. Edit the new macro by clicking on the plus sign in the macro settings
    emptymacroaddevent
  16. Go to the General Purpose Tab, click on iRule event and then Add Item
  17. Name: Google Auth verification
    ID: ga_code_verify
    iruleevent
  18. Then click on Branch rules, Add Branch Rule
    Name the rules and change the expressions according to the following image (make sure they’re in the same order). For those who don’t want to type, the expression is (replace the X with the number shown):
    expr { [mcget {session.custom.ga_result}] == X }
    branchrules
  19. Then click Save
  20. Click on the terminals and set Successful to Successful and the rest to Failure
    terminals
  21. Now we’re going to insert the Macro in the main policy. Click on the plus sign between Get GA Token and resource assign
  22. Click on the Macro tab and select your Verify Google Token macro. click “Add Item”
  23. Now click on Apply Access Policy
    applyaccesspolicy

Your final policy should look like this:

finalvpnpolicy

And now we’re done!

Some notes

  • If you want to use mobile phones you might run into trouble with the default anti-virus policy.
  • You will want a certificate from a trusted CA on the virtual server serving your VPN. The default is a self-signed certificate, which trains users to click through certificate warnings.


9 Comments

  1. sebastian

    Great article

  2. siraj

    Great Article, Thanks Patrik,
    since long time I have been trying to setup the same but no luck, But this time you made it. 🙂

  3. Chen

    Patrik…Google auth is free or paid product? Thank you for your time in advance.

  4. malek

    Many thanks. It is a great article. I have tested it but unfortunately I faced one issue.
    I got the username and password page, then I entered my username and password and authentication succeeded. After logging in I got a prompt for the one-time password, so I got it from my Google Authenticator on my phone and entered it in the prompt. After that it gave me the login page again and I had to enter the username and password again.

    So I have done some troubleshooting and found that it fails when the policy tries to verify the authentication code. I don’t know if you can help me with this issue.

    • Thank you Malek. Sorry to hear it’s not working out for you. Check out the comment from Ben?

  5. ben

    Worked perfectly. The only thing I had to change was the username in the datagroup – I had to add user.name@domain.com

    • Thanks Ben! Due to renovations my environment has been down for some time so I can’t go through the guide myself. Did you feel that this part was lacking in the guide?
