Lab 1: Configure Identity Aware Proxy (15.1)

The 15.1 Zero Trust Architecture moves many of the checks that previously lived in a per-session policy into the per-request policy, producing a more secure authentication and authorization scheme. The authenticity of each request is further strengthened by the F5 Access Guard agent installed on the client. This agent delivers a PKI-signed report of the posture assessment performed on the client in real time, rather than the historical model in which browser plug-ins reported status. Previously, after a user connected to an application they experienced a delay while the agent performed the posture assessment and returned an unsigned report to the BIG-IP.

IMPORTANT: F5 Access Guard is DEPRECATED, and the configuration procedure in this lab is no longer supported on all BIG-IP versions.

Topics Covered

  • Real-time Posture Assessments
  • Per-Request Frameworks
  • Contextual Access
  • HTTP Connector

Expected time to complete: 1 hour

Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumpbox.f5lab.local

    image090

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the Jump Host.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  6. After successful logon the Chrome browser will auto launch opening the site https://portal.f5lab.local. This process usually takes 30 seconds after logon.

    image091

  7. Click the Classes tab at the top of the page.

  8. Scroll down the page until you see 201- 15.1 Zero Trust - Identity Aware Proxy on the left

    image087

  9. Hover over the tile Configure Identity Aware Proxy(15.1). Start and stop icons should appear within the tile. Click the Play button to start the automation that builds the environment.

    image088

  10. The screen should refresh within 30 seconds to display the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

    image089

Section 1.1 - Access Guided Configuration

The first step in deploying the IAP is accessing Guided Configuration.

Task 1 - Access the Zero Trust IAP guided configuration

  1. From the web browser, click the Access tab on the left side.

    image000

  2. Click Guided Configuration

    image001

  3. Click Zero Trust

    image002

  4. Click Identity Aware Proxy

    image003

  5. Click Next

    Note

    Review the design considerations for deploying IAP in a Single Proxy versus a Multi-proxy solution.

    image004

Section 1.2 - Device Posture

In this section, you will configure the IAP to perform posture assessment from client devices.

Task 1 - Configure name of IAP Policy and enable Posture Checks

  1. Define the configuration name IAP_DEMO

  2. Check Enable F5 Client Posture Check

  3. Select ca.f5lab.local from the CA Trust Certificate dropdown list

  4. Click Add to create a posture assessment group

    image005

Task 2 - Define a firewall Posture Assessment

  1. Define the Posture Group Name FW_CHECK

  2. Check the box to enable the Firewall check

  3. Check the box to enable the Domain Managed Devices check

  4. Enter the Domain Name f5lab.local

  5. Click Done

    image006

Task 3 - Verify the posture assessment

  1. The Posture Settings box should contain FW_CHECK

  2. Click Save & Next

    image007

Section 1.3 - Virtual Server

In this section, you will define the virtual server IP address and its SSL profile settings.

Task 1 - Create a virtual server

  1. Click Show Advanced Setting located in the top right corner to expose the Server-Side SSL profile settings

  2. Enter the IP address 10.1.10.100

    image008

  3. Click the Create New radio button under Client SSL Profile

  4. Select acme.com-wildcard from the Client SSL certificate dropdown box

  5. Select acme.com-wildcard from the Associated Private Key dropdown box

  6. Select ca.f5lab.local from the Trusted Certificate Authorities for Client Authentication drop down box

    image009

  7. In the Server SSL Profile section, move the serverssl SSL Profile to the Selected side (select item and then click the right-arrow)

  8. Click Save & Next

    image010

Section 1.4 - User Identity

In this section you will configure a single User Identity using Active Directory.

Task 1 - Configure Active Directory AAA

  1. Enter “ad” for the name
  2. Ensure the Authentication Type is AAA
  3. Ensure the Choose Authentication Server Type is set to Active Directory
  4. Select ad-servers from the Choose Authentication Server dropdown box
  5. Check Active Directory Query Properties
  6. Select the memberOf in the Required Attributes box
  7. Click Save
  8. Click Save & Next

image011

Section 1.5 - MFA

In this section you will configure a RADIUS server to enable simulated MFA capabilities.

Task 1 - Configure a RADIUS AAA Server

  1. Check Enable MultiFactor Authentication

    image013

  2. Select Custom Radius Based

    image014

  3. Select Create New from the Choose RADIUS Server dropdown

    image015

  4. Enter the Server Pool Name radius_pool

  5. Enter the Server Address 10.1.20.8

  6. Enter the Secret secret

  7. Click Save

    image016

  8. Verify Custom RADIUS based Authentication appears

  9. Click Save & Next

    image017
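The Access-Request/Access-Accept exchange that the IAP performs against the RADIUS pool configured above, as an added Python example (not code from the lab or from F5). It uses the lab values 10.1.20.8 and shared secret `secret`; the UDP port 1812, the NAS address 10.1.10.100 (the IAP virtual server from Section 1.3) and the packet identifier are assumptions. The pure functions build and verify packets per RFC 2865 so both sides of the exchange can be checked offline; `radius_authenticate` actually sends a request over UDP when run from a host that can reach the server, which is a quick way to confirm the pool member and secret before deploying.

```python
import hashlib
import hmac
import os
import socket
import struct

# Lab values from Section 1.5; NAS IP is the IAP virtual server from Section 1.3.
RADIUS_SERVER = "10.1.20.8"
RADIUS_PORT = 1812          # assumed; the lab does not state the port
SHARED_SECRET = b"secret"
NAS_IP = "10.1.10.100"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (16 if not password else (-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does on receipt)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(type_id: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", type_id, 2 + len(value)) + value


def build_access_request(identifier, username, pin, secret=SHARED_SECRET,
                         nas_ip=NAS_IP, authenticator=None):
    """Access-Request as the BIG-IP sends it for the step-up PIN prompt."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(pin.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, attrs=b"", secret=SHARED_SECRET):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, length, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            break                      # malformed attribute: stop rather than over-read
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, identifier, length, packet[4:20], attrs


def verify_response(packet, identifier, request_authenticator, secret=SHARED_SECRET):
    """Client side: accept the reply only if its length, identifier and
    Response Authenticator all check out. Returns the code or None."""
    if len(packet) < 20:
        return None
    code, ident, length, resp_auth, _ = parse_packet(packet)
    if length != len(packet) or ident != identifier:
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    return code


def radius_authenticate(username, pin, server=RADIUS_SERVER, port=RADIUS_PORT, timeout=3.0):
    """Send one Access-Request over UDP; 'accept', 'reject', or None on timeout/bad reply."""
    identifier = os.urandom(1)[0]
    request, req_auth = build_access_request(identifier, username, pin)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    code = verify_response(reply, identifier, req_auth)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code)
```

Note the caveat the packet format makes obvious: the PIN is only obfuscated with an MD5 keystream derived from the shared secret, not encrypted, so the BIG-IP to RADIUS path (here 10.1.20.8) belongs on an isolated management network, and a short secret such as `secret` is acceptable for a lab only.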

Section 1.6 - SSO & HTTP Header

In this section you will configure HTTP Basic SSO.

Task 1 - Create a HTTP basic SSO object

  1. Check Enable Single Sign-On (Optional)

    image018

  2. Enter the name basic_sso

  3. Verify HTTP Basic is selected

  4. Select Create New from the SSO Configuration Object dropdown box

    image019

  5. Verify the Username Source is session.sso.token.last.username

  6. Verify the Password Source is session.sso.token.last.password

  7. Click Save

    image020

  8. Verify the basic_sso object was created

  9. Click Save & Next

    image021

Section 1.7 - Applications

In this section you will define a single application.

Task 1 - Create basic.acme.com application

  1. Enter basic.acme.com for the application name

  2. Enter basic.acme.com for the FQDN

  3. Enter the IP address 10.1.20.6 for the pool member

  4. Click Save

    image022

Section 1.8 - Application Groups

Application Groups will be covered in a later section of the lab.

Task 1 - Skip Application Group Section

  1. Click Save & Next

image028

Section 1.9 - Contextual Access

In this section you will define contextual access for the previously created application. Contextual access is where all of the previously created objects are combined to provide fine-grained access control.

Task 1 - Create Contextual Access for basic.acme.com

  1. Enter basic.acme.com for the contextual access name

  2. Select basic.acme.com from the Resource dropdown box

  3. Select FW_CHECK from the Device Posture dropdown box

  4. Select ad from the Primary Authentication dropdown box

  5. Select basic_sso from the Single Sign-On dropdown box

  6. Check Enable Additional Checks

    image023

  7. For the Default Fallback rule, select Step Up from the dropdown box under Match Action

  8. Select Custom Radius based Authentication (MFA) from the Step Up Authentication box

    image024

  9. Click Save & Next

    image025
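How the contextual-access rule just built is evaluated on each request, as an added Python example (not code from the lab or from F5 APM; the BIG-IP policy engine and the Access Guard report format are not reproduced). It ties together the posture group from Section 1.2, the ad and MFA objects from Sections 1.4 and 1.5, the basic_sso object from Section 1.6, and the ordering from this section: a posture report that is unsigned, stale, or fails FW_CHECK is denied even inside an authenticated session (which is what Section 1.12 demonstrates by turning the firewall off); a request without completed MFA falls through the default rule to step-up; an allowed request carries the HTTP Basic header that basic_sso builds from session.sso.token.last.username and session.sso.token.last.password. The HMAC key, the 15-second freshness window and the report field names are assumptions standing in for the agent's PKI signature.

```python
import base64
import hashlib
import hmac
import json

# Assumed stand-ins: the real Access Guard report is PKI-signed; an HMAC key and a
# freshness window model the "signed, real-time" property the lab relies on.
POSTURE_MAX_AGE_SECONDS = 15
REQUIRED_DOMAIN = "f5lab.local"          # from posture group FW_CHECK (Section 1.2)


def sign_posture_report(report: dict, key: bytes) -> dict:
    """Agent side: serialize the posture report canonically and sign it."""
    body = json.dumps(report, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_posture_report(signed: dict, key: bytes, now: float):
    """IAP side: reject tampered or stale reports; return the parsed report or None."""
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return None
    report = json.loads(signed["body"])
    if now - report.get("issued_at", 0) > POSTURE_MAX_AGE_SECONDS:
        return None                      # a historical report is not good enough per request
    return report


def fw_check(report: dict) -> list:
    """Posture group FW_CHECK: firewall enabled and device joined to f5lab.local."""
    failures = []
    if not report.get("firewall_enabled"):
        failures.append("firewall")
    if report.get("domain") != REQUIRED_DOMAIN:
        failures.append("domain")
    return failures


def evaluate_request(session: dict, signed_report: dict, key: bytes, now: float) -> dict:
    """One per-request decision for basic.acme.com, in the order Section 1.9 wires it:
    Device Posture -> Primary Authentication (ad) -> Default Fallback = Step Up (MFA) -> SSO."""
    report = verify_posture_report(signed_report, key, now)
    if report is None:
        return {"action": "deny", "reason": "posture report missing, unsigned or stale"}
    failures = fw_check(report)
    if failures:
        return {"action": "deny", "reason": "failed posture checks: " + ", ".join(failures)}
    if not session.get("ad_authenticated"):
        return {"action": "logon", "reason": "primary authentication (ad) required"}
    if not session.get("mfa_passed"):
        return {"action": "step_up", "reason": "default fallback rule: Custom RADIUS based MFA"}
    username = session["session.sso.token.last.username"]
    password = session["session.sso.token.last.password"]
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"action": "allow", "headers": {"Authorization": "Basic " + token}}


if __name__ == "__main__":
    KEY = b"lab-demo-key"                 # constructed; not a real key
    session = {"ad_authenticated": True, "mfa_passed": True,
               "session.sso.token.last.username": "user1",
               "session.sso.token.last.password": "user1"}
    good = sign_posture_report({"firewall_enabled": True, "domain": REQUIRED_DOMAIN,
                                "issued_at": 1000}, KEY)
    print(evaluate_request(session, good, KEY, now=1005))       # allow
    bad = sign_posture_report({"firewall_enabled": False, "domain": REQUIRED_DOMAIN,
                               "issued_at": 1000}, KEY)
    print(evaluate_request(session, bad, KEY, now=1005))        # deny: firewall
```

The ordering matters: posture is checked before anything else and on every request, so a session that has already passed primary authentication and MFA is still denied the moment a fresh report shows the firewall off. That is the behaviour to expect in Section 1.12, where the deny page appears within roughly one report interval of disabling the firewall.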

Section 1.10 - Customization

The Customization section allows an administrator to define the images, colors, and messages that are presented to a user.

Task 1 - Customize the Remediation Page URL

The default Remediation Page URL uses a placeholder hostname (site request.com). Change it to reference a real host from which users can download and install the EPI updates.

  1. Scroll down to the Remediation Page Section

    image029

  2. Enter the URL https://iap1.acme.com/epi/downloads

    image030

  3. Click Save & Next

  4. On the Logon Protection menu, Click Save & Next

Section 1.11 - Summary

The Summary page allows you to review the configuration that is about to be deployed. In the event a change is required anywhere in the configuration the pencil icon on the right side can be selected to quickly edit the appropriate section.

Task 1 - Deploy the configuration

  1. Click Deploy

    image031

  2. Once the deployment is complete, click Finish

Section 1.12 - Testing

In this section you will access the application basic.acme.com and watch how the BIG-IP restricts access when a device fails its posture assessment.

Task 1 - Access basic.acme.com

Note

Posture Assessments in a Per-Request Policy use F5 Access Guard (running on clients) to perform posture assessments before an application is accessed. This improves the user experience, since posture checks no longer introduce a delay when accessing the application. It also improves security by allowing posture assessments to occur continuously throughout the life of the session.

  1. From the jumpbox, browse to https://basic.acme.com

  2. At the logon page enter the Username:user1 and Password:user1

  3. Click Logon

    image033

  4. The RADIUS logon page, prepopulates the username:user1. Enter the PIN: 123456

    image034

  5. The SSO profile passes the username and password to the website for logon.

    image035

  6. Close the browser window to ensure there is no cached data

Task 2 - Disable Windows Firewall

  1. Right-click the computer icon in the taskbar and open Network and Sharing Center

    image036

  2. Click Windows Firewall

    image037

  3. Click Turn Windows Firewall on or off

    image038

  4. Click the radio button Turn off Windows Firewall under Public Network Settings

  5. Click Ok

    image039

Task 3 - See Deny Page basic.acme.com

  1. From the jumpbox, browse to https://basic.acme.com

  2. Refresh the screen using the F5 key until the deny page appears.

  3. After approximately 15 seconds you will receive a deny page from the IAP stating that you have failed the network firewall check

    image040

  4. Close the browser window to ensure there is no cached data

Task 4 - Enable Windows Firewall

  1. Right-click the computer icon in the taskbar and open Network and Sharing Center

    image036

  2. Click Windows Firewall

    image037

  3. Click Turn Windows Firewall on or off

    image038

  4. Click the radio button Turn on Windows Firewall under Public Network Settings

  5. Click Ok

    image041

  6. From the jumpbox, browse to https://basic.acme.com to confirm you can connect.

  7. This concludes lab 1.

    image100