Lab 1: SSL VPN - AD Authentication and MFA

Section 1.1 - Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  Click DEPLOYMENT, located in the top left corner, to display the environment, then:

  1. Click ACCESS next to jumphost.f5lab.local

    image0010

  2. Select your RDP resolution.

  3. The RDP client on your local host establishes an RDP connection to the jumphost.

  4. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  5. After a successful logon the Chrome browser launches automatically and opens https://portal.f5lab.local. This usually takes about 30 seconds after logon.

  6. Click the Classes tab at the top of the page.

    image0020

  7. Scroll down the page until you see 309 SSL VPN on the left

    image0030

  8. Hover over the tile SSL VPN - AD Authentication + MFA. A start and a stop icon should appear within the tile. Click the Play button to start the automation that builds the environment.

    image037 image0040
  9. The screen should refresh and display the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

    image0050

Task 1 - Build Network Access Components

  1. While in the jumphost, launch Chrome and click on the bigip1 bookmark.

  2. Log in to bigip1.f5lab.local

    • User: admin
    • Password: admin
  3. Navigate to Access –> Connectivity/VPN –> Network Access (VPN) –> Network Access Lists

  4. Click the create button

    image016

  5. Give the Network Access list a name and caption

    Name vpn-lab01-vpn
    Caption Corp VPN
  6. Click Finished

    image017

  7. Click on the Network Settings tab

  8. Click the + next to IPV4 Lease Pool to create a lease pool

  9. Give the pool a name vpn-lab01-vpn_pool

  10. Click the radio button next to IP address

  11. Enter 10.1.20.254

  12. Click Add

  13. Click Update

    image018

    Note

    For the purposes of this lab we are only going to use a single IP address for the lease pool. In a production environment you should set this range to as many as you need.

  14. Back at the Network Access object, configure the VPN for split tunneling so that only traffic destined for the internal network is sent through the VPN tunnel; all other client traffic bypasses the tunnel. Click the radio button Use split tunneling for traffic.

  15. Enter IP Address 10.1.20.0

  16. Enter Mask 255.255.255.0

  17. Click Update

    image019

  18. Navigate to Access –> Connectivity/VPN –> Connectivity –> Profiles

  19. Click Add

  20. Profile Name vpn-lab01-cp and Parent Profile /Common/connectivity

  21. Click OK

    image023

  22. Navigate to Access –> Webtops –> Webtop Sections

  23. Click Create

  24. Enter name vpn-lab01-network_access

  25. Change caption to be Network Access

  26. Click Finished

    image020

  27. Navigate to Access –> Webtops –> Webtop Lists

  28. Click Create

  29. Click on vpn-lab01-webtop

  30. Select Full from the drop down menu

  31. Customization type Modern

  32. Click Finished

    image021
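The split-tunneling choice made in steps 14 to 17 decides which client traffic the VPN actually carries. The following Python model is an added example (not F5 code and not part of the lab automation): it takes address/mask pairs as typed into the IPV4 LAN Address Space fields and classifies destinations as "tunnel" or "direct". The sample destinations and the "force all traffic" variant (modelled as 0.0.0.0/0.0.0.0) are constructed for the example.

```python
"""Added example (not F5 code): model what 'Use split tunneling for traffic'
means for a client's packets, using the lab's include list
(10.1.20.0 / 255.255.255.0). Destinations below are constructed."""
import ipaddress


def lan_address_space(entries):
    """Turn (address, mask) pairs as typed into the APM GUI into networks."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for addr, mask in entries]


def path_for(destination, included_networks):
    """With split tunneling, only destinations inside the included address
    space enter the tunnel; everything else leaves the client's normal
    interface and is neither inspected nor protected by the VPN."""
    dest = ipaddress.ip_address(destination)
    return "tunnel" if any(dest in net for net in included_networks) else "direct"


def classify(destinations, entries):
    """Map each destination to the path the client will use."""
    nets = lan_address_space(entries)
    return {d: path_for(d, nets) for d in destinations}


LAB_SPLIT = [("10.1.20.0", "255.255.255.0")]   # the lab's include list
FORCE_ALL = [("0.0.0.0", "0.0.0.0")]           # 'Force all traffic through tunnel'

if __name__ == "__main__":
    # Constructed sample: two lab-internal hosts, one other RFC1918 host, one public host
    sample = ["10.1.20.8", "10.1.20.254", "10.1.10.5", "203.0.113.10"]
    for name, entries in (("split tunnel", LAB_SPLIT), ("force all", FORCE_ALL)):
        print(name, classify(sample, entries))
```

Running it shows that with the lab setting only 10.1.20.0/24 (the RADIUS server, the lease pool address) is tunneled, while the 10.1.10.0/24 host and the public address are reached directly; the "force all" variant sends every destination through the tunnel.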

Task 2 - Per Session Access Policy

  1. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies)

  2. Click Create to create a new per session policy for VPN

    Name vpn-lab01-psp
    Profile Type All
    Customization Type Modern
  3. Scroll to the bottom, choose English from the right-hand menu, move it to the left, and click Finished

    image024

  4. Locate the profile vpn-lab01-psp and click on Edit. This opens the Visual Policy Editor (VPE), where we can take a look at the policy

    image001

  5. Click the + between Start and Deny

    image038

  6. Click the Logon Page Radio button and click Add Item

    image025

  7. Accept the defaults for Logon Page and click Save

    image026

  8. Click the + between Logon Page and Deny

  9. Click the Authentication tab and click the AD Auth radio button. Click Add Item

  10. Click the drop down for Server and select /common/vpn-lab01-ad-servers. Click Save

    image039

    Note

    The AAA Active Directory object was created through automation. For details on how to create this object, see the APM 100 Series labs.

  11. Click on the + between AD Auth and Deny

  12. Click on the Assignment tab and choose Advanced Resource Assign. Click Add Item

  13. Click Add new entry Button

  14. Click the Add/Delete link

    image028

  15. Click the Network Access tab and check the box for /Common/vpn-lab01-vpn

  16. Click the Webtop tab and click the radio button for /Common/vpn-lab01-webtop

  17. Click the Webtop Sections tab and check the box for /Common/vpn-lab01-network_access

  18. Click Update

    image029

  19. Click Save

  20. Click the Deny end point on the branch with Advanced Resource Assign and select Allow then Save

    image030

  21. Click Apply Access Policy and Close

    image031 image032

Task 3 - Apply Policy and profiles to Virtual Server

  1. Navigate to Local Traffic –> Virtual Servers –> Virtual Server List

    Note

    Due to how the automation is deployed in the lab, the Virtual Server has been deployed in its own partition. In your own environment you can choose to deploy the Virtual Server in a specific partition or in Common.

  2. From the Partition drop down in the upper right choose vpn-lab01

    image041

  3. Click on vpn-lab01 Virtual Server (not the redirect server)

  4. Scroll down to the Access Policy section

  5. Select the vpn-lab01-psp from the Access Profile drop down menu

  6. Click the drop down for Connectivity Profile and choose vpn-lab01-cp from the menu

    image033

  7. Scroll down and click Update

Task 4 - Test VPN Access

  1. The user connects to https://vpn.acme.com with the following credentials

    Username: user1
    Password: user1

    image010

  2. Once authenticated, the user is presented with a Webtop containing a single VPN icon.

    image011

  3. Assuming the VPN client has already been installed, the user is notified that the client is attempting to start

    image012

    Note

    You may be prompted to download the VPN update. This is what a user will experience if you have auto-update enabled in the VPN Connectivity Profile. Click Download and wait for the components to update.

  4. A popup opens displaying the status of the VPN connection. The status will eventually become Connected

    image013

    Note

    If you lose the pop-up, check the system tray for the little red ball. Right-click it and choose Restore.

  5. Click Disconnect

Task 5 - Adding RADIUS MFA

  1. Navigate to Access –> Authentication –> RADIUS

  2. From the Partition drop down menu at the top right change your partition back to Common

    Note

    The RADIUS server has already been built.

  3. Click on vpn-lab01-radius-server and examine the properties

    Name: vpn-lab01-radius
    Mode: Authentication
    Server Connection: Use Pool
    Server Pool Name: vpn-lab01-radius-pool
    Server Address: 10.1.20.8
    Authentication Service Port: 1812
    Secret: secret
  4. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies)

  5. Click on Edit next to the vpn-lab01-psp Profile

  6. Click on the + between AD Auth and Advanced Resource Assign

  7. From the Logon tab select Logon Page and click Add Item

  8. In the name field enter MFA Prompt

  9. On row 1 (the Username field), change the Read Only value to Yes

    image043

  10. Under Customization, change Logon Page Input Field #2 to PIN and Logon Button to Validate

  11. Click Save

    Note

    In this lab we are using FreeRADIUS with pre-configured users and PINs. For this particular setup we need to present two logon pages: one for AD Auth and one for MFA. Setting the Username entry to Read Only ensures that the same username is reused. If you add MFA via RADIUS for other MFA vendors, follow the vendor's integration documentation.

    image044

  12. Click on the + between MFA Prompt and Advanced Resource Assign.

  13. Click on the Authentication tab and choose RADIUS Auth

  14. Under AAA Server click the drop down menu and select the vpn-lab01-radius server we created earlier

  15. Click Save

  16. Your policy should now be complete. Click Apply Access Policy

    image035
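The RADIUS Auth agent added in steps 12 to 15 sends the PIN typed into the MFA Prompt to the RADIUS server examined in step 3 (10.1.20.8, port 1812, shared secret "secret") as a RADIUS Access-Request. The following Python code is an added example, not F5 or FreeRADIUS code: it builds that request per RFC 2865, hides the User-Password the way the RFC specifies (MD5 of the shared secret chained with the Request Authenticator), and verifies the Response Authenticator on the reply. The NAS-Identifier, the Reply-Message and the server-side helper that fabricates an Access-Accept are constructed so the exchange can be shown offline; nothing is sent on the network.

```python
"""Added example (not F5 or FreeRADIUS code): the RADIUS Access-Request the
RADIUS Auth agent sends for the MFA PIN, per RFC 2865, built and checked
offline. Lab values: user1 / PIN 123456 / shared secret 'secret'."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 1, 2, 18, 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block of the null-padded password with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    The only thing protecting the PIN in transit is the strength of the shared secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before checking the PIN."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (including these 2 bytes), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 0, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, b"bigip1.f5lab.local"))   # constructed NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(payload: bytes) -> dict:
    """Walk the TLVs; a length below 2 would loop forever, so reject it."""
    attrs, i = {}, 0
    while i < len(payload):
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = payload[i + 2:i + length]
        i += length
    return attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply whose authenticator does not verify must be discarded, not treated as Accept."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Constructed server-side helper (what a RADIUS server would send back)."""
    _, identifier, _ = struct.unpack("!BBH", request[:4])
    attrs = attribute(ATTR_REPLY_MESSAGE, b"MFA OK")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


if __name__ == "__main__":
    secret = b"secret"
    req = build_access_request("user1", "123456", secret, identifier=7)
    print("request bytes:", req.hex())
    print("server sees PIN:", reveal_password(parse_attributes(req[20:])[ATTR_USER_PASSWORD], secret, req[4:20]))
    resp = build_access_accept(req, secret)
    print("reply verifies with correct secret:", verify_response(resp, req[4:20], secret))
    print("reply verifies with wrong secret:  ", verify_response(resp, req[4:20], b"wrong"))
```

Two points a practitioner can take from running this: the PIN is recoverable by anyone holding the shared secret and a capture of the UDP exchange, so the lab's secret of "secret" is only acceptable inside the lab; and the client side must check the Response Authenticator before acting on an Access-Accept, which is why the RADIUS Auth agent and the AAA server object share the secret rather than the policy trusting any reply from 10.1.20.8.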

Task 6 - Test VPN Access (again)

  1. The user connects to https://vpn.acme.com with the following credentials

    Username: user1
    Password: user1

    image010

  2. You will be prompted to enter the PIN

    PIN: 123456

    image036

    Note

    Other MFA providers operate differently. They may prompt for auto-enrollment on the first login and then present options such as sending a push notification or entering a PIN. This is just an example of how to integrate RADIUS as a second form of authentication.

  3. Once the user has passed AD Auth and MFA, they are presented with a Webtop containing a single VPN icon.

    image011

  4. Assuming the VPN client has already been installed, the user is notified that the client is attempting to start

    image012

    Note

    You may be prompted to download the VPN update. This is what a user will experience if you have auto-update enabled in the VPN Connectivity Profile. Click Download and wait for the components to update.

  5. A popup opens displaying the status of the VPN connection. The status will eventually become Connected

    image013

    Note

    If you lose the pop-up, check the system tray for the little red ball. Right-click it and choose Restore.

  6. Click Disconnect