This section describes how to integrate F5 BIG-IP APM with RSA Authentication Manager using RADIUS.
Configure RSA Authentication Manager
To configure your RSA Authentication Manager for use with a RADIUS Agent, you must configure a RADIUS client and a corresponding agent host record in the Authentication Manager Security Console.
The relationship of agent host record to RADIUS client in the Authentication Manager can 1 to 1, 1 to many or 1 to all (global).
RSA Authentication Manager listens on ports UDP 1645 and UDP 1812.
Configure F5 BIG-IP APM
Perform these steps to configure F5 BIG-IP APM as a RADIUS client to RSA Authentication Manager.
1. Sign into the BIG-IP Configuration Utility and click Main > Access > Authentication > RADIUS.
2. On the RADIUS Servers page, click Create...
- Name: Enter a suitable name for the RADIUS Server.
- Server Connection: If your RSA Authentication Manager deployment contains only Primary instance, click on the Direct radio button. If your RSA Authentication Manager deployment has both primary and replica instances, click on the Use Pool radio button.
- Server Pool Name: If Use Pool option is selected above, enter a suitable server pool name.
- Server Addresses: If Use Pool option is selected above, enter the IPs of the RSA Authentication Manager Primary and Replica instances one by one and click Add button. If Direct option is selected above, enter the IP of the RSA Authentication manager Primary instance and click on Add button.
- Authentication Service Port: Can be set to either 1812 or 1645.
- Secret: Enter the Shared Secret configured while creating the RADIUS client in Authentication Manager.
- Confirm Secret: Enter the Shared Secret configured while creating the RADIUS client in Authentication Manager.
Note: The Time Out value is set to 5 and Retries value is set to 3 by default. RSA recommends using Timeout value as 15 and Retries value as 3. But it can be adjusted if required, specially in cases where there is frequent authentication failures due to timeout. Increasing the timeout value means that failover RADIUS server is not used as quickly if the primary RADIUS server is not available.
4. Click Finished.
Next Step: Proceed to Access Profile use case configuration section to apply this integration type to an access profile.