Manual Chapter:
Per-Request Policy Item Reference
Applies To: BIG-IP APM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
About per-request policy items
When configuring a per-request policy, a few access policy items are available for inclusion in
the policy. Most per-request policy items are unique to a per-request policy.
About Protocol Lookup
A Protocol Lookup item determines whether the protocol of the request is HTTP or HTTPS. It
provides two default branches: HTTPS and fallback. Use the Protocol Lookup item early in a
per-request policy to process HTTPS traffic before processing HTTP traffic.
About SSL Bypass Set
The SSL Bypass Set item provides a read-only element, Action, that specifies the Bypass option. For an SSL Bypass Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Bypass Set item must occur in the policy before any items that process HTTP traffic.
About AD Group Lookup
An AD Group Lookup item can branch based on Active Directory group. The item provides one default advanced branch rule expression as an example:
expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 }
A branch rule expression can include any populated session variable, such as session.ad.last.attr.primaryGroupID, session.ad.last.attr.memberOf, session.ad.last.attr.lastLogon, session.ad.last.attr.groupType, session.ad.last.attr.member, and so on. For example, this is a valid expression:
expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators" }
Note that contains is a substring match: the expression above is also true for any group whose distinguished name merely includes the text CN=Administrators. Where group membership gates access, compare against the full distinguished name of the group rather than a fragment of it.
An AD Query action in the access policy can populate the session variables.
About LDAP Group Lookup
An LDAP Group Lookup item compares a specified string against the session.ldap.last.attr.memberOf session variable. The specified string is configurable in a branch rule. The default simple branch rule expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN; the values MY_GROUP, USERS, and MY_DOMAIN must be replaced with the values used in the LDAP group configuration at the user site. An LDAP Query action is required in the access policy to populate the session variable.
About LocalDB Group Lookup
A per-request policy LocalDB Group Lookup item compares a specified string against a specified session variable. The string is specified in a branch rule of the LocalDB Group Lookup item. The default simple branch rule expression is User is a member of MY_GROUP. The default advanced rule expression is:
expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }
In either the simple or the advanced rule, the variable MY_GROUP must be replaced with a valid group name. The session variable must initially be specified and populated by a Local Database action in the access policy. A Local Database action reads groups from a local database instance into a user-specified session variable. It can be session.localdb.groups (used by default in the LocalDB Group Lookup advanced rule expression) or any other name. The same session variable name must be used in the Local Database action and in the LocalDB Group Lookup advanced rule expression.
About RADIUS Class Lookup
The RADIUS Class Lookup access policy item compares a user-specified class name against the session.radius.last.attr.class session variable. The specified class name is configurable in a branch rule. The default simple branch rule expression is RADIUS Class attribute contains MY_CLASS. The variable MY_CLASS must be replaced with the name of an actual class. A RADIUS Acct or RADIUS Auth action is required in the access policy to populate the session variable.
About Dynamic Date Time
The Dynamic Date Time action enables branching based on the day, date, or time on the server. It provides two default branch rules:
- Weekend
- Defined as Saturday and Sunday.
- Business Hours
- Defined as 8:00am to 5:00pm.
The Dynamic Date Time action provides these conditions for defining branch
rules.
- Time From
- Specifies a time of day. The condition is true at or after the specified time.
- Time To
- Specifies a time of day. This condition is true before or at the specified time.
- Date From
- Specifies a date. This condition is true at or after the specified date.
- Date To
- Specifies a date. This condition is true before or at the specified date.
- Day of Week
- Specifies a day. The condition is true for the entire day (local time zone).
- Day of Month
- Specifies the numeric day of month. This condition is true for this day every month (local time zone).
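The conditions above, as an added worked example in Python (not code from this page or from the product), showing the boundary behaviour that follows from "at or after" and "before or at": both ends of a window are inclusive, so 17:00:00 is still inside the default Business Hours rule while 17:00:01 is not. The example assumes a naive datetime in the server's local time zone and assumes that branch rules are evaluated in the order listed (Weekend, then Business Hours) with the first match winning; both are assumptions of the example, not statements from the page.

```python
from datetime import date, datetime, time

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

# Condition semantics as described on the page: "from" is true at or after the
# value, "to" is true before or at it, so both boundaries are inclusive.
def time_from(now: datetime, t: time) -> bool:
    return now.time() >= t

def time_to(now: datetime, t: time) -> bool:
    return now.time() <= t

def date_from(now: datetime, d: date) -> bool:
    return now.date() >= d

def date_to(now: datetime, d: date) -> bool:
    return now.date() <= d

def day_of_week(now: datetime, days) -> bool:
    # True for the entire day; `now` is assumed to already be server-local time.
    return DAYS[now.weekday()] in days

def day_of_month(now: datetime, dom: int) -> bool:
    return now.day == dom

# The two default branch rules from the page.
def is_weekend(now: datetime) -> bool:
    return day_of_week(now, {"Saturday", "Sunday"})

def is_business_hours(now: datetime) -> bool:
    # 8:00am to 5:00pm with inclusive bounds: 17:00:00 matches, 17:00:01 does not.
    return time_from(now, time(8, 0)) and time_to(now, time(17, 0))

def select_branch(now: datetime) -> str:
    """Return the branch the item would take.

    Assumption of this example: rules are checked in the listed order and the
    first true rule wins; anything else leaves on the fallback branch.
    """
    if is_weekend(now):
        return "Weekend"
    if is_business_hours(now):
        return "Business Hours"
    return "fallback"

def select_branch_iso(ts: str) -> str:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return select_branch(datetime.fromisoformat(ts))

def in_date_window(ts: str, start: str, end: str) -> bool:
    """Date From / Date To combined, both inclusive."""
    now = datetime.fromisoformat(ts)
    return date_from(now, date.fromisoformat(start)) and date_to(now, date.fromisoformat(end))

if __name__ == "__main__":
    # Constructed sample timestamps (server-local, naive).
    for ts in ("2024-03-13T17:00:00",   # Wednesday, last second inside the window
               "2024-03-13T17:00:01",   # Wednesday, one second past it
               "2024-03-16T10:00:00"):  # Saturday, inside business hours but a weekend
        print(ts, "->", select_branch_iso(ts))
```

Because the boundaries are inclusive, a policy that wants "after hours" to start at exactly 17:00 needs a Time From of 17:00:01 on that rule, or it will overlap the Business Hours rule for one second.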
About SSL Intercept Set
The SSL Intercept Set item provides a read-only element, Action, that specifies the Intercept option. For an SSL Intercept Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Intercept Set item must occur in the policy before any items that process HTTP traffic.
About the Logging action
The Logging action can be used in an access policy or in a per-request policy. In an access
policy, the Logging action adds logging for session variables to the access policy. In a
per-request policy, the Logging action can add logging for both session variables and per flow
variables to the per-request policy.
This action is useful for tracing the variables that are created for a specific category, or in
a specific branch.
A session variable might or might not exist at the time of logging, depending on which access policy branch was taken and on the results of processing the access policy.
The Logging action provides these configuration elements and options:
- Log Message
- For an access policy, specifies text to add to the log file. For a per-request policy, specifies the message text and the session and per-flow variables to add to the message. Complete variable names must be typed; wildcards are not supported for per-request policies. Example log messages for a per-request policy follow.
The system found this URL %{perflow.category_lookup.result.url} in these categories %{perflow.category_lookup.result.categories} and placed it into this category %{perflow.category_lookup.result.primarycategory}.
An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}.
Requests from this platform %{session.client.platform} were made during this session %{perflow.session.id}.
- Session Variables
- Specifies a session variable from a list of predefined session variables or a custom session variable. This option is available only when adding the Logging action to an access policy.
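As an added example that is not part of the original page, the following Python reproduces the per-request Log Message expansion described above: each %{name} is replaced by the named session or per-flow variable, a name must be typed completely (a wildcard such as %{session.*} is left literal), and a variable that does not exist at logging time, for example because the branch that would have set it never ran, is reported rather than silently invented. The variable table, the choice to expand an unset variable to an empty string, and the helper names are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed table of session and per-flow variables for the example (values
# are made up; perflow.ssl_bypass_set is deliberately absent, as it would be
# on a flow where the SSL Bypass Set item did not run).
VARIABLES: Dict[str, str] = {
    "perflow.category_lookup.result.url": "https://example.test/login",
    "perflow.category_lookup.result.categories": "Business, Financial Data and Services",
    "perflow.category_lookup.result.primarycategory": "Business",
    "perflow.category_lookup.result.hostname": "example.test",
    "perflow.session.id": "6b3d2a9f",
    "session.client.platform": "Win10",
}

# A complete variable name is a dotted identifier. "*" is not accepted, so a
# wildcard reference stays literal instead of expanding to several variables.
_VAR_RE = re.compile(r"%\{([A-Za-z0-9_.]+)\}")

def expand_message(template: str, variables: Dict[str, str]) -> Tuple[str, List[str]]:
    """Expand %{name} references in a Log Message template.

    Returns the expanded text and the list of names that were not found.
    An unset variable expands to the empty string (assumption of this example).
    """
    unresolved: List[str] = []

    def replace(match):
        name = match.group(1)
        if name in variables:
            return variables[name]
        unresolved.append(name)
        return ""

    return _VAR_RE.sub(replace, template), unresolved

# The three example messages from the Log Message description above.
MESSAGES = [
    "The system found this URL %{perflow.category_lookup.result.url} in these categories "
    "%{perflow.category_lookup.result.categories} and placed it into this category "
    "%{perflow.category_lookup.result.primarycategory}.",
    "An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; "
    "the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}.",
    "Requests from this platform %{session.client.platform} were made during this session "
    "%{perflow.session.id}.",
]

def render_all(variables: Dict[str, str] = VARIABLES) -> List[Tuple[str, List[str]]]:
    """Expand every example message against the variable table."""
    return [expand_message(m, variables) for m in MESSAGES]

if __name__ == "__main__":
    for text, missing in render_all():
        print(text)
        if missing:
            print("  unresolved:", ", ".join(missing))
```

Checking the unresolved list when reading such log lines is the practical point: an empty value after "set SSL bypass to" means the variable was never set on that flow, not that bypass was set to an empty string.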
About Category Lookup
A Category Lookup item looks up URL categories for a request and obtains a web response page.
The Category Lookup item provides these elements and options.
- Categorization Input
- The list specifies these options:
- Use HTTP URI (cannot be used for SSL Bypass decisions): For HTTP traffic, this option specifies performing a URL-based lookup. When selected, on a BIG-IP system with an SWG subscription the SafeSearch Mode setting displays.
- Use SNI in Client Hello (if SNI is not available, use Subject.CN): For HTTPS traffic, this option specifies performing a host-based lookup.
- Use Subject.CN in Server Cert: For HTTPS traffic, this option specifies performing a host-based lookup. (This option is not for use in a reverse proxy configuration.)
- SafeSearch Mode
- The options are Enabled (default) and Disabled. When enabled, SWG enables Safe Search for supported search engines. SafeSearch is available only with an SWG subscription.
- Category Lookup Type
- Select the category types in which to search for the requested URL. On a BIG-IP system with an SWG subscription, options are:
- Select one from Custom categories first, then standard categories if not found
- Always process full list of both custom and standard categories
- Process standard categories only
- Process custom categories only
Depending on the selection, the Category Lookup item looks through custom categories or standard categories or both, and compiles a list of one or more categories from them. The list is available for subsequent processing by the URL Filter Assign item.
- Reset on Failure
- When enabled, specifies that SWG send a TCP reset to the client in the event of a server failure.
About Response Analytics
A Response Analytics item inspects a web response page for malicious embedded contents.
Response Analytics must be preceded by a Category Lookup item because it obtains a web response
page.
Response Analytics works only on a BIG-IP® system with an
SWG subscription.
Response Analytics provides these elements and options.
- Max Buffer Size
- Specifies the maximum amount of response data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the response content. Otherwise, the system retains the response data in the buffer.
- Max Buffer Time
- Specifies the maximum amount of time (in seconds) for buffering and analyzing response data. If the time elapses at any point in this process, the agent sets the perflow.response_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the response data.
- Reset on Failure
- When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.
- Exclude Types
- Specifies one entry for each type of content to be excluded from content analysis. Images, the All-Images type, do not get analyzed.
About Request Analytics
A Request Analytics item inspects an outgoing web request for malicious embedded contents. In a
per-request policy, a Request Analytics item must be preceded by a Category Lookup item and
followed by a URL Filter Assign item. To block outgoing traffic from chat applications, a Request
Analytics item is required.
Request Analytics works only on a BIG-IP® system with an
SWG subscription.
Request Analytics provides these elements and options.
- Max Buffer Size
- Specifies the maximum amount of request data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the request content. Otherwise, the system retains the request data in the buffer.
- Max Buffer Time
- Specifies the maximum amount of time (in seconds) for buffering and analyzing request data. If the time elapses at any point in this process, the agent sets the perflow.request_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the request data.
- Reset on Failure
- When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.
About URL Filter Assign
A URL Filter Assign item looks up the URL filter action for each category that the Category
Lookup item found for a request. If any filter action is set to Block, the request is blocked.
In a configuration with an SWG subscription, the URL Filter Assign item also uses the analysis
from the Response Analytics item, if used, to determine whether to block the request.
By default, the URL Filter Assign item has three branches: Allow, Confirm, and fallback. If the
request is not blocked and any filter action is set to Confirm, the per-request policy takes the
Confirm branch.
A URL Filter Assign item provides the URL Filter element, with a list of filters from which to select. A Category Lookup item must precede the URL Filter Assign item.
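An added worked example in Python (not from this page or from the product) that ties the Category Lookup Type choices to the URL Filter Assign decision described above: the lookup compiles a category list from custom and/or standard categories according to the selected type, and the filter assign item leaves on the fallback branch if any category's action is Block, otherwise on Confirm if any action is Confirm, otherwise on Allow. The category databases and the URL filter are constructed for the example, and the treatment of an empty category list or of a category with no filter action as Block is an assumption of the example, not something the page states.

```python
from typing import Dict, List

# Constructed category data for the example: host -> categories.
CUSTOM_CATEGORIES: Dict[str, List[str]] = {
    "intranet.example.test": ["Corporate Intranet"],
    "portal.example.test": ["Corporate Intranet", "Finance Tools"],
}
STANDARD_CATEGORIES: Dict[str, List[str]] = {
    "portal.example.test": ["Business"],
    "games.example.test": ["Games", "Streaming Media"],
}

# Constructed URL filter: category -> filter action.
URL_FILTER: Dict[str, str] = {
    "Corporate Intranet": "allow",
    "Finance Tools": "confirm",
    "Business": "allow",
    "Games": "block",
    "Streaming Media": "confirm",
}

# The four Category Lookup Type options listed on the page.
CUSTOM_FIRST = "custom categories first, then standard categories if not found"
FULL_LIST = "full list of both custom and standard categories"
STANDARD_ONLY = "standard categories only"
CUSTOM_ONLY = "custom categories only"

def category_lookup(host: str, lookup_type: str) -> List[str]:
    """Compile the category list that the Category Lookup item passes on."""
    custom = CUSTOM_CATEGORIES.get(host, [])
    standard = STANDARD_CATEGORIES.get(host, [])
    if lookup_type == CUSTOM_FIRST:
        return list(custom) if custom else list(standard)
    if lookup_type == FULL_LIST:
        return list(custom) + list(standard)
    if lookup_type == STANDARD_ONLY:
        return list(standard)
    if lookup_type == CUSTOM_ONLY:
        return list(custom)
    raise ValueError(f"unknown Category Lookup Type: {lookup_type}")

def url_filter_assign(categories: List[str], url_filter: Dict[str, str],
                      unmatched: str = "block") -> str:
    """Return the URL Filter Assign branch: 'Allow', 'Confirm' or 'fallback'.

    Any Block wins and the request leaves on fallback; otherwise any Confirm
    takes the Confirm branch; otherwise Allow. An empty list, or a category
    with no filter action, is treated as `unmatched` (assumed here: block).
    """
    actions = [url_filter.get(c, unmatched) for c in categories] or [unmatched]
    if "block" in actions:
        return "fallback"
    if "confirm" in actions:
        return "Confirm"
    return "Allow"

def decide(host: str, lookup_type: str) -> str:
    """Category Lookup followed by URL Filter Assign for one request."""
    return url_filter_assign(category_lookup(host, lookup_type), URL_FILTER)

if __name__ == "__main__":
    for host in ("portal.example.test", "games.example.test", "unknown.example.test"):
        for lt in (CUSTOM_FIRST, FULL_LIST, STANDARD_ONLY, CUSTOM_ONLY):
            print(f"{host:22} {lt:60} -> {decide(host, lt)}")
```

The portal host is the instructive case: with custom categories first it is Confirm (the custom Finance Tools category is consulted and the standard Business category never is), while with standard categories only it is Allow. The lookup type therefore changes the access decision, not just the log line.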
About Application Lookup
An Application Lookup item obtains the name of the application that is being
requested and looks up the application family that matches it. By default, this item has a
fallback branch only.
Application Lookup can be used to branch by application family or by
application name; branch rules are required to do this. If an Application Filter Assign item is
included in the per-request policy, an Application Lookup must complete before it.
About Application Filter Assign
An Application Filter Assign item matches an application or application
family against an application filter. Application Filter Assign provides one configuration
element. The
Application Filter
element
specifies the application filter to use in determining whether to block access to an application
or allow it. The Application Filter Assign item exits on the Allow branch if the filter action
specifies allow. Otherwise, Application Filter Assign exits on the fallback branch. To
supply input for the Application Filter Assign agent, an Application Lookup item must run in the
per-request policy sometime prior to it.
About HTTP Headers
An HTTP Headers action supports modifying an outgoing HTTP request to a
back-end server. The action supports manipulation of HTTP and cookie headers being sent to
back-end servers.
The HTTP Headers item cannot manipulate HTTP cookies in outgoing HTTP requests to any portal access application.
The HTTP Headers item provides these configuration options and elements.
An entry in the HTTP Header Modify table includes these elements.
- Header Operation
- Specifies insert, append, replace, or remove.
- Header Name
- Specifies the header name on which to operate.
- Header Value
- Specifies the value on which to operate. Any per-flow or session variable can be used as a header value, for example, %{session.user.clientip} or %{perflow.session.id}.
- Header Delimiter
- Specifies the separator to use when appending a header.
An entry in the HTTP Cookie Modify table includes these elements.
- Cookie Operation
- Specifies update or delete. When update is selected and a cookie that matches the name and value does not exist, HTTP Headers adds the specified cookie.
- Cookie Name
- Specifies the name to match.
- Cookie Value
- Specifies the value to match when deleting a cookie or the new value to set when updating a cookie. Any per-flow or session variable can be used as a cookie value.
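An added Python example, not code from this page or from the product, that applies the HTTP Header Modify and HTTP Cookie Modify operations described above to a constructed request. It shows why a trust header such as X-Client-IP is removed before it is inserted: with insert alone, a copy the client sent would travel to the back end next to the one the policy added, and a back end that reads the first value would trust the client's. The request, the variable values, the expansion of an unset variable to an empty string, and the behaviour of insert when a header of that name already exists (a second header line is added) are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

_VAR_RE = re.compile(r"%\{([A-Za-z0-9_.]+)\}")

def expand(value: str, variables: Dict[str, str]) -> str:
    # %{name} -> variable value; unset names become "" (assumption of the example).
    return _VAR_RE.sub(lambda m: variables.get(m.group(1), ""), value)

def modify_headers(headers: List[Header], ops: List[Tuple[str, str, str, str]],
                   variables: Dict[str, str]) -> List[Header]:
    """Apply (operation, name, value, delimiter) entries in order.

    Header names match case-insensitively. insert adds a header line (even if
    one exists); append joins the value onto an existing header with the
    delimiter, or inserts if there is none; replace overwrites every existing
    line of that name, or inserts; remove drops every line of that name.
    """
    out = list(headers)
    for op, name, value, delim in ops:
        value = expand(value, variables)
        present = [i for i, (n, _) in enumerate(out) if n.lower() == name.lower()]
        if op == "insert":
            out.append((name, value))
        elif op == "append":
            if present:
                i = present[0]
                out[i] = (out[i][0], out[i][1] + delim + value)
            else:
                out.append((name, value))
        elif op == "replace":
            if present:
                out = [(n, value if n.lower() == name.lower() else v) for n, v in out]
            else:
                out.append((name, value))
        elif op == "remove":
            out = [(n, v) for n, v in out if n.lower() != name.lower()]
        else:
            raise ValueError(f"unknown header operation: {op}")
    return out

def modify_cookies(cookie_header: str, ops: List[Tuple[str, str, str]],
                   variables: Dict[str, str]) -> str:
    """Apply (operation, name, value) entries to a Cookie header value.

    update sets the value of an existing cookie of that name, or adds the cookie
    if none exists; delete removes a cookie only when both name and value match.
    """
    cookies: List[Header] = []
    for part in cookie_header.split(";"):
        if part.strip():
            n, _, v = part.strip().partition("=")
            cookies.append((n.strip(), v.strip()))
    for op, name, value in ops:
        value = expand(value, variables)
        if op == "update":
            if any(n == name for n, _ in cookies):
                cookies = [(n, value if n == name else v) for n, v in cookies]
            else:
                cookies.append((name, value))
        elif op == "delete":
            cookies = [(n, v) for n, v in cookies if not (n == name and v == value)]
        else:
            raise ValueError(f"unknown cookie operation: {op}")
    return "; ".join(f"{n}={v}" for n, v in cookies)

# Constructed request; the client-supplied X-Client-IP is the header a back end
# must not trust unless the policy has replaced it.
REQUEST: List[Header] = [
    ("Host", "app.example.test"),
    ("X-Client-IP", "10.0.0.1"),
    ("Cookie", "lang=en; theme=dark"),
]
VARIABLES = {"session.user.clientip": "203.0.113.7", "perflow.session.id": "6b3d2a9f"}

HEADER_OPS = [
    ("remove", "X-Client-IP", "", ""),                        # drop the client's copy first
    ("insert", "X-Client-IP", "%{session.user.clientip}", ""),
    ("append", "Via", "apm-%{perflow.session.id}", ", "),     # no Via present: behaves as insert
]
COOKIE_OPS = [("update", "theme", "light"), ("delete", "lang", "en")]

def rewrite_request() -> List[Header]:
    """Run the header table, then the cookie table on the Cookie header."""
    headers = modify_headers(REQUEST, HEADER_OPS, VARIABLES)
    return [(n, modify_cookies(v, COOKIE_OPS, VARIABLES)) if n.lower() == "cookie" else (n, v)
            for n, v in headers]

if __name__ == "__main__":
    for name, value in rewrite_request():
        print(f"{name}: {value}")
```

Table entries are applied in order, so the remove entry must come before the insert entry; reversing them would remove the header the policy just added.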
About Select SSO Configuration
The Select SSO Configuration agent enables per-request selection of an SSO configuration from
these SSO configuration types:
- HTTP Basic
- NTLMv1
- NTLMv2
- Kerberos
The Select SSO Configuration agent provides these configuration elements and options:
- SSO Configuration Name
- Select an SSO configuration name from the list.
About OAuth Client
An OAuth Client agent is a policy item that requests authorization and tokens from an OAuth
server. An OAuth Client can also get scope data on a per-request basis. The OAuth Client agent
provides these configuration elements and options:
- Server
- Specifies the OAuth server to which this OAuth client directs requests.
- Grant Type
- Specifies the type of grant that the OAuth client uses.
- Authorization code - The client redirects the resource owner to the OAuth server to request an authorization code.
- Password - The client uses resource owner password credentials to request an access token from the OAuth server.
- OpenID Connect
- Specifies whether the agent uses OpenID Connect for authorization. Displays when Grant Type is set to Authorization code. To function correctly when enabled, the OAuth provider (associated with the selected Server) must be configured to support JSON web tokens.
- OpenID Connect Flow Type
- Specifies the OpenID Connect flow type to use: Authorization code or Hybrid.
- OpenID Connect Hybrid Response Type
- Specifies the response type to use for an OpenID Connect hybrid flow: code-idtoken, code-token, or code-idtoken-token.
- Authentication Redirect Request
- Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.
- Token Request
- Specifies a token-request type of request.
- Refresh Token Request
- Specifies a token-refresh-request type of request. APM uses this request on a per-request basis.
- OpenID Connect UserInfo Request
- Specifies an openid-userinfo-request type of request. Displays when OpenID Connect is set to Enabled.
- Redirection URI
- Specifies the URI for the OAuth server to redirect a user back to the OAuth client. Displays when Grant Type is set to Authorization code.
- Scope
- Specifies one or more strings separated by spaces; for example contacts photo email. The strings are defined by the OAuth authorization server; the best source for the strings that a particular server defines is that provider's developer documentation for OAuth 2.0 scopes. For the Authorization code grant type, an OAuth authorization server prompts the user to grant or deny access to the scopes. For the Password grant type, an OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.
Requests are configured in the area of the product.
About OAuth Scope
The OAuth Scope agent validates JSON web tokens (JWT) or validates scopes for opaque tokens.
The OAuth Scope item provides these elements and options:
- Token Validation Mode
- Internal - In this mode, the agent validates JSON web tokens (JWT).
- External - In this mode, the agent makes requests to an OAuth authorization server to get scopes associated with a token and to get scope data, such as a user's email address or contact list.
- JWT Provider List
- Specifies a list of OAuth providers that support JWT. The agent validates JWT from any of these providers when configured. For Internal mode.
- Server
- Specifies an OAuth server. OAuth servers in resource server, or client and resource server, modes are available for selection. For External mode.
- Scopes Request
- Specifies a validation-scopes-request type request. This request type retrieves a list of scopes associated with the token. For External mode.
In External mode, there can be multiple scope data requests in this agent with these elements:
- Scope Name
- Specifies the name of a scope for which you are requesting data. (The external OAuth provider specifies the names of the scopes that it supports.)
- Request
- Specifies a scope-data-request type request. This is optional. If the provider does not require this type of request to obtain additional information from an authorization server, you do not need to fill in this field.
Requests are configured in the area of the product.
About per-request policy subroutine items
When configuring a per-request policy subroutine, a few access policy items are available for
inclusion in the subroutine. A Confirm Box action (for use with Secure Web Gateway forward proxy
configurations) is unique to a per-request policy subroutine.
Per-session policy and subroutine agent differences
The agents in this table are available to per-session policies and to per-request policy subroutines. In a per-request policy subroutine, not all options for an agent are supported, and support for some options is implemented differently.
Agent | Description
--- | ---
HTTP 401 Response | Supports no authentication or HTTP Basic authentication only.
Logon Page | A Subsession Variable field replaces the Session Variable field. The Split domain from full Username and CAPTCHA Configuration fields do not display because the functionalities are not supported.
AD Auth | Support for multiple logon attempts can be implemented using a macro loop. The Max Logon Attempts Allowed property does not display. The Show Extended Error property is not supported.
LDAP Auth | Support for multiple logon attempts can be implemented using a macro loop. The Max Logon Attempts Allowed property does not display. The Show Extended Error property is not supported.
RADIUS Auth | Support for multiple logon attempts can be implemented using a macro loop. The Max Logon Attempts Allowed property does not display. The Show Extended Error property is not supported.
About AD Auth
An AD Auth action authenticates a user against an AAA Active Directory
server. An authentication action typically follows a logon action that collects credentials.
When configured in a
per-request policy subroutine, some screen elements and options described here might not be
available.
- Type
- Specifies Authentication, the type of this Active Directory action.
- Server
- Specifies an Active Directory server; servers are defined in the area of the Configuration utility.
- Cross Domain Support
- Specifies whether AD cross domain authentication support is enabled for this action.
- Complexity check for Password Reset
- Specifies whether Access Policy Manager (APM) performs a password policy check. APM supports these Active Directory password policies:
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page. Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using the LDAP protocol and must retrieve user information during the authentication process to properly check the new password.
- Show Extended Error
- When enabled, causes the comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended for use only in a test or debugging environment, not in production: the detailed messages disclose information about the directory, such as whether an account exists or which check failed, that an attacker can use. When disabled, only non-specific error messages from the authentication server display on the user's logon page.
- Max Logon Attempts Allowed
- Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt. For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
- Max Password Reset Attempts Allowed
- Specifies the number of times that APM allows the user to try to reset password.
About Confirm Box
A Confirm Box action presents links for these options: Continue and Cancel. The action is available for a per-request policy subroutine only and is for use in a Secure Web Gateway (SWG) configuration. Confirm Box offers these elements and options for customization.
- Language
- Specifies the language to use to customize the Confirm Box page. Selecting a language causes the content in the remaining fields to display in the selected language. Languages on the list reflect those that are configured in the access profile.
- Message
- Specifies the message to display.
- Field 1 image
- Specifies the icon (red, green, or none) to display with the Continue option.
- Continue
- Specifies the text to display for this option.
- Field 2 image
- Specifies the icon (red, green, or none) to display with the Cancel option.
- Cancel
- Specifies the text to display for this option.
About CRLDP Auth
A CRLDP Auth action retrieves a Certificate Revocation List (CRL) from a network location (distribution point). A distribution point is either an LDAP Uniform Resource Identifier (URI), a directory path that identifies the location where the CRLs are published, or a fully qualified HTTP URL. A CRLDP Auth action provides these configuration elements and options:
- CRLDP Server
- Specifies a CRLDP server; servers are defined in the area of the Configuration utility.
A CRLDP Auth action is valid for use in a per-request policy subroutine when placed after an On-Demand Cert Auth action.
About HTTP Auth
An HTTP Auth action authenticates a user against an HTTP AAA server. An HTTP Auth action provides these configuration elements and options:
- AAA Server
- Specifies an HTTP AAA server; servers are defined in the area of the Configuration utility.
About HTTP 401 Response
The HTTP 401 Response action sends an HTTP 401 Authorization Required response page to capture HTTP Basic or Negotiate authentication.
For a
per-request policy subroutine, HTTP 401 Response supports HTTP Basic authentication only.
The HTTP 401 Response action provides up to three branches: Basic,
Negotiate, and fallback. Typically, a basic type of authentication follows on the Basic branch
and a Kerberos Auth action follows on the Negotiate branch.
An HTTP 401 Response action provides these configuration elements and
options.
- Basic Auth Realm
- Specifies the authentication realm for use with Basic authentication.
- HTTP Auth Level
- Specifies the authentication required for the policy.
- none - specifies no authentication.
- basic - specifies Basic authentication only.
- negotiate - specifies Kerberos authentication only. This option is not available for a per-request policy subroutine.
- basic+negotiate - specifies either Basic or Kerberos authentication. This option is not available for a per-request policy subroutine.
The action provides customization options that specify the text to display
on the screen.
- Language
- Specifies the language to use to customize this HTTP 401 response page. Selecting a language causes the content in the remaining fields to display in the selected language. Languages on the list reflect those that are configured in the access profile.
- Logon Page Input Field #1
- Specifies the text to display on the logon page to prompt for input for the first field. When Language is set to en, this defaults to Username.
- Logon Page Input Field #2
- Specifies the text to display on the logon page to prompt for input for the second field. When Language is set to en, this defaults to Password.
- HTTP response message
- Specifies the text that appears when the user receives the 401 response, requesting authentication.
About iRule Event
An iRule Event action adds iRule processing to an access policy or to a
per-request policy subroutine at a specific point. An iRule Event provides one configuration
option: ID, which specifies an iRule event ID.
iRule event
access policy items must be processed and completed before the access policy can continue.
An iRule Event action can occur anywhere in an access policy or a
per-request policy subroutine.
About LDAP Auth
An LDAP Auth action authenticates a user against an AAA LDAP server. An LDAP
Auth action provides these configuration elements and options.
When configured in a
per-request policy subroutine, some screen elements and options described here might not be
available.
- Type
- Specifies Authentication, the type of this LDAP action.
- Server
- Specifies an LDAP server; servers are defined in the area of the Configuration utility.
- SearchDN
- Specifies the base node of the LDAP server search tree to start the search with.
- SearchFilter
- Specifies the search criteria to use when querying the LDAP server for the user's information. Session variables are supported as part of the search query string. Parentheses are required around search strings, for example (sAMAccountName=%{session.logon.last.username}). Because the variable's value is interpolated into the filter, a value that contains LDAP filter metacharacters such as *, (, ), or \ changes the meaning of the filter unless it is escaped or rejected before the query is sent; treat a filter built from a user-supplied value as untrusted input.
- UserDN
- Specifies the Distinguished Name (DN) of the user. The DN can be derived from session variables.
- Show Extended Error
- When enabled, causes the comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended for use only in a test or debugging environment, not in production: the detailed messages disclose information about the directory, such as whether an account exists or which check failed, that an attacker can use. When disabled, only non-specific error messages from the authentication server display on the user's logon page.
- Max Logon Attempts Allowed
- Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt. For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
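An added example in Python (not from this page or from the product) of what safe expansion of the SearchFilter shown above looks like. The filter text is built from a template with %{name} references, as on the page, and each substituted value is escaped per RFC 4515 so that a username containing filter metacharacters cannot alter the structure of the filter. The template handling, the variable table, the sample usernames and the decision to raise on an unset variable are constructed for the example; the page does not state how the product itself treats such values, and the example makes no claim about that.

```python
import re
from typing import Dict

# RFC 4515, section 3: these characters must be written as a backslash followed
# by two hex digits when they appear inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

_VAR_RE = re.compile(r"%\{([A-Za-z0-9_.]+)\}")

def build_search_filter(template: str, variables: Dict[str, str]) -> str:
    """Expand %{name} references in a SearchFilter template, escaping each value.

    An unset variable raises instead of silently querying for an empty value.
    """
    def replace(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"session variable not set: {name}")
        return escape_filter_value(variables[name])
    return _VAR_RE.sub(replace, template)

def build_unsafe_filter(template: str, variables: Dict[str, str]) -> str:
    """Naive expansion, shown only to contrast with the escaped version."""
    return _VAR_RE.sub(lambda m: variables[m.group(1)], template)

# The SearchFilter from the page, with the attribute name in its usual AD spelling.
TEMPLATE = "(sAMAccountName=%{session.logon.last.username})"

if __name__ == "__main__":
    # Constructed usernames: an ordinary one and one carrying filter metacharacters.
    for user in ("jsmith", "*)(objectClass=*"):
        vars_ = {"session.logon.last.username": user}
        print("unsafe :", build_unsafe_filter(TEMPLATE, vars_))
        print("escaped:", build_search_filter(TEMPLATE, vars_))
```

With the second username, naive expansion yields (sAMAccountName=*)(objectClass=*), which no longer asserts a single account name, while the escaped form asserts the literal string the user typed and therefore matches no account.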
About LocalDB Auth
The LocalDB Auth action can authenticate a user against a local user
database instance. The LocalDB Auth action can lock a user out of a local user database instance
if they fail to log on within a specified number of attempts.
For
enhanced security, typically, Local Database actions should be placed before and after a LocalDB
Auth action to read and write user information to track non-static users (those not created by an
administrator) that attempt repeatedly to logon and fail.
A LocalDB Auth action provides these configuration elements and options.
- LocalDB Instance
- Specifies a local user database instance.
- Max Logon Attempts Allowed
- A number from 1 to 5. For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
About Logon Page
A logon page action prompts for a user name and password, or other
identifying information. The logon page action typically precedes the authentication action
that checks the credentials provided on the logon page. The logon page action provides up to
five customizable fields and enables localization.
The logon page action provides these configuration options and
elements.
When
configured in a per-request subroutine, some screen elements and options described here might
not be available.
- Split domain from full username
- Specifies Yes or No.
- Yes - specifies that when a username and domain combination is submitted (for example, marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, jsmith) is stored in the session variable session.logon.last.username.
- No - specifies that the entire username string is stored in the session variable.
- CAPTCHA configuration
- Specifies a CAPTCHA configuration to present for added CAPTCHA security on the logon page.
- Type
- Specifies the type of logon page input field: text, password, select, checkbox, or none.
- text - Displays a text field, and shows the text that is typed in that field.
- password - Displays an input field, but displays the typed text input as asterisks.
- select - Displays a list. The list is populated with values that are configured for this field.
- checkbox - Displays a check box.
- none - Specifies that the field is not displayed on the logon page.
- Post Variable Name
- Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.
- Session Variable Name (or Subsession Variable Name)
- Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas. A per-request policy subroutine uses subsession variables in place of session variables.
- Clean Variable
- Specifies whether to clear any value from the variable before presenting the logon page to the user; to clean the variable, select Yes. Defaults to No.
- Values
- Specifies values for use on the list when the input field type is select.
- Read Only
- Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use Read Only to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy, or to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read-only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).
Additionally, customization options specify text and an image to display
on the screen.
- Language
- Specifies the language to use to customize this logon page. Selecting a language causes the content in the remaining fields to display in the selected language. Languages on the list reflect those that are configured in the access profile.
- Form Header Text
- Specifies the text that appears at the top of the logon box.
- Logon Page Input Field #number
- Specifies the text to display for each input field (number 1 through 5) that is defined in the Logon Page Agent area with Type set to a value other than none.
- Logon Button
- Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
- Front Image
- Specifies an image file to display on the logon page. The Replace Image link enables customization, and the Revert to Default Image link discards any customization and uses the default logon page image.
- Save Password Check Box
- Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
- New Password Prompt
- Specifies the prompt displayed when a new Active Directory password is requested.
- Verify Password Prompt
- Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
- Password and Password Verification do not Match
- Specifies the prompt displayed when a new Active Directory password and verification password do not match.
- Don't Change Password
- Specifies the prompt displayed when a user should not change the password.
About On-Demand Cert Auth
Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start
of an SSL session. If the client SSL profile skips the initial SSL handshake, an On-Demand
Cert Auth action can re-negotiate the SSL connection from an access policy by sending a
certificate request to the user. This prompts a certificate screen to open. After the user
provides a valid certificate, the On-Demand Cert Auth action checks the result of certificate
authentication. The agent verifies the value of the session variable
session.ssl.cert.valid to determine whether authentication was a
success. The On-Demand Cert Auth action provides one configuration option,
Auth Mode, with two supported modes:
- Request
- With this mode, the system requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, this action takes the fallback route in the access policy. This is the default option.
- Require
- With this mode, the system requires that a client provides a valid certificate. If the client does not provide a valid certificate, the connection terminates and the client browser stops responding. For an iPod or an iPhone, the Require setting must be used for On-Demand certificate authentication. To pass a certificate check using Safari, the user is asked to select the certificate multiple times. This is expected behavior.
On-demand certificate authentication does not work when added to a subroutine
for a per-request policy that is part of a forward proxy configuration.
About OAuth Client
An OAuth Client agent is a policy item that requests authorization and tokens from an OAuth
server. An OAuth Client can also get scope data on a per-request basis. The OAuth Client agent
provides these configuration elements and options:
- Server
- Specifies the OAuth server to which this OAuth client directs requests.
- Grant Type
- Specifies the type of grant that the OAuth client uses.
- Authorization code - The client redirects the resource owner to the OAuth server to request an authorization code.
- Password - The client uses resource owner password credentials to request an access token from the OAuth server.
- OpenID Connect
- Specifies whether the agent uses OpenID Connect for authorization. Displays when Grant Type is set to Authorization code. To function correctly when enabled, the OAuth provider (associated with the selected Server) must be configured to support JSON web tokens.
- OpenID Connect Flow Type
- Specifies the OpenID Connect flow type to use: Authorization code or Hybrid.
- OpenID Connect Hybrid Response Type
- Specifies the response type to use for an OpenID Connect hybrid flow: code-idtoken, code-token, or code-idtoken-token.
- Authentication Redirect Request
- Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.
- Token Request
- Specifies a token-request type of request.
- Refresh Token Request
- Specifies a token-refresh-request type of request. APM uses this request on a per-request basis.
- OpenID Connect UserInfo Request
- Specifies an openid-userinfo-request type of request. Displays when OpenID Connect is set to Enabled.
- Redirection URI
- Specifies the URI for the OAuth server to redirect a user back to the OAuth client. Displays when Grant Type is set to Authorization code.
- Scope
- Specifies one or more strings separated by spaces; for example contacts photo email. The strings are defined by the OAuth authorization server. Your best source of information for the strings that a particular OAuth authorization server defines could be APIs for OAuth 2.0 scopes on developer sites for OAuth providers. For the Authorization code grant type, an OAuth authorization server prompts the user to grant or deny access to the scopes. For the Password grant type, an OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.
Requests are configured in the area of the product.
About OAuth Scope
The OAuth Scope agent validates JSON web tokens (JWT) or validates scopes for opaque tokens.
The OAuth Scope item provides these elements and options:
- Token Validation Mode
- Internal - In this mode, the agent validates JSON web tokens (JWT).
- External - In this mode, the agent makes requests to an OAuth authorization server to get scopes associated with a token and to get scope data, such as a user's email address or contact list.
- JWT Provider List
- Specifies a list of OAuth providers that support JWT. The agent validates JWT from any of these providers when configured. For Internal mode.
- Server
- Specifies an OAuth server. OAuth servers in resource server, or client and resource server modes are available for selection. For External mode.
- Scopes Request
- Specifies a validation-scopes-request type request. This request type retrieves a list of scopes associated with the token. For External mode.
In External mode, there can be multiple scope data requests in this
agent with these elements:
- Scope Name
- Specifies the name of a scope for which you are requesting data. (The external OAuth provider specifies the names of the scopes that it supports.)
- Request
- Specifies a scope-data-request type request. This is optional. If the provider does not require this type of request to obtain additional information from an authorization server, you do not need to fill in this field.
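To show what Internal-mode validation of a JWT involves (issuer present in the configured JWT provider list, signature check, validity window, every required scope granted), here is an added Python example; it is not APM's implementation. It assumes one HS256 shared key per issuer so it can run offline (real providers typically publish RS256/ES256 public keys), and the issuer URL, key and token are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a signed HS256 token; used only to construct sample input here."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_jwt_scopes(token: str, providers: dict, required: set, now=None):
    """Internal-mode style check: the token must come from a configured
    provider (issuer -> key, an assumption of this example), verify, be inside
    its validity window and carry every required scope. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON and a wrong segment count
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' alone
        return False, "unsupported alg"
    key = providers.get(claims.get("iss"))
    if key is None:
        return False, "issuer not in JWT provider list"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return False, "token not yet valid or expired"
    granted = set(str(claims.get("scope", "")).split())  # space-separated, as in the Scope field
    missing = required - granted
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "ok"
```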
Requests are configured in the area of the product.
About OCSP Auth
An OCSP Auth action retrieves the revocation status of an X.509 certificate by sending the
certificate information to a remote Online Certificate Status Protocol (OCSP) responder.
Typically, an OCSP Auth action follows an action that receives an X.509 certificate. Either a
Client Cert Inspection or On-Demand Cert Auth action can receive the X.509 certificate from a
user. Either action populates session variables with data that OCSP Auth uses. Similarly, a
Machine Cert Auth action can receive an X.509 certificate from a machine and populate session
variables.
A CRLDP Auth action is valid for
use in a per-request policy subroutine when placed after an On-Demand Cert Auth action.
An OCSP Auth action provides these configuration elements and options:
- OCSP Responder
- Specifies the OCSP Responder AAA configuration object, defined in the Access Policy AAA servers area of the Configuration utility.
- Certificate Type
- Specifies the expected type of certificate: User or Machine.
About Proxy Select
The Proxy Select agent is for use in selecting the next hop in forward proxy chaining. The
Proxy Select agent provides these elements and options:
- Pool
- Specifies a pool of one or more proxy servers from which to select the next hop. All proxy servers in the pool that you select must support the forward proxy mode that you specify in the Upstream Proxy Mode setting.
- Upstream Proxy Mode
- Specifies whether the next hop is to a forward proxy server that supports Explicit forward proxy or Transparent forward proxy.
- Username
- Specifies the name of a user account on the proxy server. To use static credentials to authenticate the user at the next hop, provide the username and password.
- Password
- Specifies the password for the user account on the proxy server.
About RADIUS Auth
A RADIUS Auth action authenticates a client against an external RADIUS server. A RADIUS Auth
action provides these configuration elements and options.
When configured in a
per-request policy subroutine, some screen elements and options described here might not be
available.
- AAA Server
- Specifies the RADIUS accounting server; servers are defined in the area of the Configuration utility.
- Show Extended Error
- When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in testing or debugging, not in a production environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)
- Max Logon Attempts Allowed
- Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt. For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
About Select SSO Configuration
The Select SSO Configuration agent enables per-request selection of an SSO configuration from
these SSO configuration types:
- HTTP Basic
- NTLMv1
- NTLMv2
- Kerberos
The Select SSO Configuration agent provides these configuration elements and options:
- SSO Configuration Name
- Select an SSO configuration name from the list.
About URL Branching
The URL Branching action is useful for treating a few URLs differently from others. The action
provides an Allow branch and a fallback branch. The URL Branching action provides these
conditions for defining branch rules.
- Equals
- The URL must exactly match the specified URL.
- Substring
- The URL must contain the specified string.
- Prefix Match
- The URL must start with the specified string.
- Suffix Match
- The URL must end with the specified string.
- Glob match
- The URL must match the specified globbing pattern. These globbing patterns are supported:
- * - Matches any number of characters (zero or more).
- ? - Matches a single character in these sets: [a-z] or [0-9] or [A-Za-z].
- [characters] - Matches one of the specified characters.
- [^characters] - Matches any characters except for those specified.
- [!characters] - Matches any characters except for those specified.
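The five conditions above, implemented as an added Python example (not APM's own matching code) so the glob semantics can be exercised against sample URLs: the glob is translated into an anchored regular expression in which * is zero or more characters, ? is exactly one letter or digit as documented, bracket sets are literal character lists, and everything else (including ".") matches literally. The URLs and patterns are constructed for illustration.

```python
import re


def glob_to_regex(pattern: str) -> str:
    """Translate a URL Branching glob into a regular expression.

    *              any number of characters (zero or more)
    ?              exactly one character from [a-z], [0-9] or [A-Za-z]
    [characters]   one of the listed characters (no ranges)
    [^characters] or [!characters]: one character not in the list
    Everything else matches literally, so '.' is not a wildcard.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        j = pattern.find("]", i + 2) if c == "[" else -1  # a set needs >= 1 member
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append("[A-Za-z0-9]")
        elif c == "[" and j != -1:
            body = pattern[i + 1:j]
            negate = body[0] in "^!"
            body = body[1:] if negate else body
            if body:  # escape each member so '-', ']' and '^' stay literal
                out.append("[" + ("^" if negate else "") + "".join(map(re.escape, body)) + "]")
            else:     # '[^]' or '[!]' has no members: treat the text literally
                out.append(re.escape(pattern[i:j + 1]))
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


CONDITIONS = {
    "Equals": lambda url, v: url == v,
    "Substring": lambda url, v: v in url,
    "Prefix Match": lambda url, v: url.startswith(v),
    "Suffix Match": lambda url, v: url.endswith(v),
    "Glob match": lambda url, v: re.fullmatch(glob_to_regex(v), url) is not None,
}


def url_branch(url: str, condition: str, value: str) -> str:
    """Return the branch a URL Branching rule takes: 'Allow' when the
    condition holds, otherwise 'fallback' (unknown conditions never match)."""
    test = CONDITIONS.get(condition)
    return "Allow" if test and test(url, value) else "fallback"
```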
To match many URLs, you might consider configuring URL categories in the
area of the product and using Category Lookup in your per-request policy.
About per-request policy endings
An ending provides a result for a per-request policy branch. An ending for a per-request
policy branch is one of two types.
- Allow
- Allows the user to continue to the requested URL.
- Reject
- Blocks the user from continuing and triggers the access profile Logout screen.