Lab – Set up Google Authenticator (GA)

This lab will teach you how to configure Google Authenticator as a second authentication factor. Estimated completion time: 30 minutes.

Task - Create the VS used to generate GA tokens

1. Log in to the BIG-IP, then go to Local Traffic -> Virtual Servers -> Virtual Server List and click Create.

2. Enter the following values (leave the others at their defaults) and then click Finished.

Name: VS_GENERATE_TOKEN

Destination Address: 10.1.10.80

Service Port: 443

HTTP Profile: http

SSL Profile (Client): f5demo_client_ssl

iRules: generate_ga_code


Task - Generate a token

1. Open a Chrome browser and click the generategacode bookmark. You should see the GA generator app.
2. Enter the account sales_manager and the domain f5demo.com. Also tick Generate QR code, and then click Submit.
3. Open your Google Authenticator app, touch the "plus sign", select Scan barcode and scan the QR code. Save the secret; you will need it soon.
4. Go to Local Traffic -> iRules -> Data Group List. Click on google_auth_keys.

5. Create a new record, using the info saved in step 3. Click Add and then Update.

String: sales_manager

Value: the secret saved in step 3 (e.g. G4ZEIWDJLBJE4ZCM)

6. Repeat steps 1 to 5 for the users sales_user and partner_user.

Task - Update the VS with the verification iRule

1. Go to Local Traffic -> Virtual Servers -> Virtual Server List, then find the virtual server webtop_demo_vs and click on it.
2. On the following page, choose Resources and click Manage in the iRules section.
3. Find the ga_code_verify iRule in the right-hand list and click the arrow pointing left. The iRule should now have moved to the left-hand side. Then click Finished.

Task - Update the Access Policy

1. Go to Access -> Profiles/Policies -> Access Profiles. Find the webtop_demo policy and click Edit.
2. In the VPE (Visual Policy Editor), click the + between AD Auth and AD Query.
3. In the Logon tab, choose Logon Page and then click Add Item.

4. Modify the values as follows (leave the others at their defaults) and then click Save.

Name: Get Ga Code

Post Variable: ga_code_attempt

Session Variable: ga_code_attempt

Form Header Text: leave empty

Logon Page Input Field: Google Authenticator Token

Logon Button: Submit

5. Click Add New Macro, name it Verify Google Token and click Save.

6. Click Edit Terminals in the Macro Settings.

7. Click Add Terminal, and name the terminal Failure.

8. Rename the terminal called Out to Successful.
9. Click the Set Default tab and set the default to Failure, then click Save.
10. Change the order of the terminals using the arrows; Successful should be number one.
11. Edit the new macro by clicking the + in the Macro Settings.
12. Go to the General Purpose tab, click iRule Event and then Add Item.
13. Name it Google Auth Verification and use the ID ga_code_verify.

14. Then click Branch Rules, then Add Branch Rule. Set the name and the expression (Advanced tab) of each rule as follows, then click Save.

Name: Successful

Expression: expr { [mcget {session.custom.ga_result}] == 0 }

Name: No Google Auth Key Found

Expression: expr { [mcget {session.custom.ga_result}] == 2 }

Name: Invalid Google Auth Key

Expression: expr { [mcget {session.custom.ga_result}] == 3 }

Name: User locked out

Expression: expr { [mcget {session.custom.ga_result}] == 4 }

Note: The order of the branch rules is important.

15. Click on the terminals and set Successful to Successful and all the others to Failure.
16. Now we are going to insert the macro into the main policy. Click the + between Get Ga Code and AD Query.
17. Click the Macros tab, select your Verify Google Token macro, then click Add Item. Click Apply Policy.
18. Go to https://webtop.vlab.f5demo.com from the jump host. You can log in as any of these users:
  • sales_user
  • sales_manager
  • partner_user

You should see the Google Authenticator page as the second authentication factor.
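The lab does not show the source of the ga_code_verify iRule, so the following is an added model (not the lab's or F5's code, and written in Python rather than iRule Tcl) of what that event is assumed to do: look the user up in the google_auth_keys data group, check the submitted ga_code_attempt against an RFC 6238 TOTP computed from the stored base32 secret, and return one of the session.custom.ga_result codes the branch rules above switch on. The lockout threshold, the +/- one step clock-skew window and the data group contents are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed stand-in for the google_auth_keys data group (user -> base32 secret).
# The secret below is the sample value quoted in the lab text.
GA_KEYS = {"sales_manager": "G4ZEIWDJLBJE4ZCM"}

# session.custom.ga_result values used by the lab's branch rules.
GA_OK, GA_NO_KEY, GA_INVALID, GA_LOCKED = 0, 2, 3, 4
MAX_FAILURES = 3   # assumed lockout threshold; the lab does not state one
STEP_SECONDS = 30  # Google Authenticator time step


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_ga_code(user, attempt, failures, keys=GA_KEYS, now=None, window=1):
    """Model of ga_code_verify: map a token attempt to a ga_result code.

    attempt  -> the value APM stores in the ga_code_attempt session variable
    failures -> per-user failed-attempt counter, kept across calls (assumed)
    Returns (ga_result, failures).
    """
    if failures.get(user, 0) >= MAX_FAILURES:
        return GA_LOCKED, failures            # branch "User locked out"
    secret = keys.get(user)
    if secret is None:
        return GA_NO_KEY, failures            # branch "No Google Auth Key Found"
    counter = int((time.time() if now is None else now) // STEP_SECONDS)
    # Accept +/- `window` steps to tolerate clock skew between phone and BIG-IP.
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(totp(secret, c), str(attempt).strip()):
            failures[user] = 0
            return GA_OK, failures            # branch "Successful"
    failures[user] = failures.get(user, 0) + 1
    return GA_INVALID, failures               # branch "Invalid Google Auth Key"
```

Because the branch rules are evaluated in order, a result of 0 must be tested first; the remaining codes fall through to the Failure terminal exactly as configured in step 15.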
