F5 BIG-IP APM VPN configuration for the LastPass Universal Proxy RADIUS protocol

    This is a step-by-step description of how to configure F5 BIG-IP APM VPN for LastPass Universal Proxy using the RADIUS protocol, in order to set LastPass MFA as a secondary authentication method. The following steps contain the Universal Proxy related settings.

    About this task:

    The following main steps are necessary for the configuration:

    Note: Only Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) modes are supported by the service.

    Configure your RADIUS server properties

    1. Log in to the F5 BIG-IP APM management console in a browser.
    2. In the left navigation, go to Access > Authentication.
    3. Select Radius.
    4. Click Create.
    5. In the Name field, enter a name for your server.
    6. In the Mode field, select Authentication.
    7. In the Server Connection field, select Direct.
    8. In the Server Address field, enter the IP address of LastPass Universal Proxy.
    9. In the Authentication Service Port field, enter the port number (default is 1812). This is the port that is set in the Universal Proxy configuration.
    10. In the Secret and Confirm Secret fields, enter the RADIUS secret of your RADIUS server.
    11. In the Timeout field, enter 60.
    12. In the Retries field, enter 3.
    13. Click Finished.

    Configure your Access Policy

    1. In the Main tab, go to Access > Profile / Policies > Access Profiles.
    2. In the Access Profile List tab, find your policy and click Edit in the Access Policy column.

      The F5 BIG-IP APM visual policy editor opens the access policy.

    3. Click your policy.
    4. In the Properties tab, set the following fields:
      Server: Choose your server from the list.
      SearchDN: dc=domain,dc=country_code
      SearchFilter: (samAccountName=%{session.logon.last.username})
    5. Click Save.
    Results: You have now configured RADIUS authentication for your F5 BIG-IP APM VPN.

    What to do next: Check whether Password Authentication Protocol (PAP) is set on your server:

      show running-config auth radius-server
      auth radius-server up_radius {
          secret <secret>
          server <IP address>
      }