Manual Chapter : Configuring Routing for Access Policies

Applies To: BIG-IP APM 15.0.1, 15.0.0

Configuring Routing for Access Policies

Overview: Selecting a route domain for a session (example)

A route domain is a BIG-IP system object that represents a particular network configuration. Route domains provide the capability to segment network traffic, and define separate routing paths for different network objects and applications. You can create an access policy that assigns users to different route domains using the Route Domain and SNAT Selection action, based on whatever criteria you determine appropriate.
You might use policy routing in a situation such as this: your company has switched from RADIUS authentication to Active Directory authentication, but has not yet completed the full transition. Because of the state of the authentication changeover, you would like your legacy RADIUS users to pass through to a portal access connection on a separate router, instead of allowing full access to your network.
This implementation provides configuration steps for this example.

Task summary
  • Creating a route domain on the BIG-IP system
  • Creating an access profile
  • Verifying log settings for the access profile
  • Configuring policy routing

Creating a route domain on the BIG-IP system

Before you create a route domain:
  • Ensure that an external and an internal VLAN exist on the BIG-IP system.
  • Verify that you have set the current partition on the system to the partition in which you want the route domain to reside.
You can create a route domain on the BIG-IP system to segment (isolate) traffic on your network. Route domains are useful for multi-tenant configurations.
  1. On the Main tab, click Network > Route Domains.
    The Route Domain List screen opens.
  2. Click Create.
    The New Route Domain screen opens.
  3. In the Name field, type a name for the route domain.
    This name must be unique within the administrative partition in which the route domain resides.
  4. In the ID field, type an ID number for the route domain.
    This ID must be unique on the BIG-IP system; that is, no other route domain on the system, in any partition, can have this ID. An example of a route domain ID is 1.
  5. For the Parent Name setting, retain the default value.
  6. For the VLANs setting, from the Available list, select a VLAN name and move it to the Members list.
    Select the VLAN that processes the application traffic relevant to this route domain.
    Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.
  7. Click Finished.
    The system displays a list of route domains on the BIG-IP system.
You now have another route domain on the BIG-IP system.
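The same task, scripted, as an added example that is not part of the F5 manual: it runs the pre-checks the task states (ID unique system-wide, name unique only within its partition, member VLANs present and not already owned by another route domain) and then builds the iControl REST body for POST /mgmt/tm/net/route-domain. The route-domain and VLAN inventories are constructed inline so the checks run offline; the names rd_legacy_radius and /Common/vlan_legacy are hypothetical.

```python
"""Pre-checks and the REST body for the "Creating a route domain" task.

Added example, not code from the F5 manual. The BIG-IP inventory below is a
constructed stand-in for the `items` arrays returned by
GET /mgmt/tm/net/route-domain and GET /mgmt/tm/net/vlan.
"""
import base64
import json
import urllib.request

# Constructed stand-in for GET /mgmt/tm/net/route-domain (fields used here only).
# Route domain 0 always exists and owns the default VLANs.
EXISTING_ROUTE_DOMAINS = [
    {"name": "0", "partition": "Common", "id": 0,
     "vlans": ["/Common/external", "/Common/internal"]},
    {"name": "rd_tenant_a", "partition": "TenantA", "id": 10,
     "vlans": ["/TenantA/vlan_a"]},
]
# Constructed stand-in for GET /mgmt/tm/net/vlan (fullPath values).
# /Common/vlan_legacy is a hypothetical VLAN facing the legacy users' router.
EXISTING_VLANS = ["/Common/external", "/Common/internal",
                  "/TenantA/vlan_a", "/Common/vlan_legacy"]

ROUTE_DOMAIN_ID_MAX = 65534  # route domain IDs are 0..65534


def validate_route_domain(name, rd_id, partition, vlans,
                          existing=EXISTING_ROUTE_DOMAINS,
                          known_vlans=EXISTING_VLANS):
    """Return the list of problems; an empty list means the object can be created."""
    problems = []
    if not isinstance(rd_id, int) or not 0 <= rd_id <= ROUTE_DOMAIN_ID_MAX:
        problems.append(f"id {rd_id!r} is not an integer in 0..{ROUTE_DOMAIN_ID_MAX}")
    if not vlans:
        problems.append("at least one member VLAN is required")
    for rd in existing:
        if rd["id"] == rd_id:  # IDs are unique system-wide, across partitions
            problems.append(f"id {rd_id} is already used by /{rd['partition']}/{rd['name']}")
        if rd["partition"] == partition and rd["name"] == name:
            problems.append(f"name {name!r} already exists in partition {partition}")
        for v in vlans:
            if v in rd["vlans"]:  # a VLAN is a member of exactly one route domain
                problems.append(f"VLAN {v} is already a member of route domain {rd['id']}; "
                                "remove it there first")
    for v in vlans:
        if v not in known_vlans:
            problems.append(f"VLAN {v} does not exist")
    return problems


def route_domain_payload(name, rd_id, partition, vlans):
    """JSON body for POST /mgmt/tm/net/route-domain; Parent Name is left at its default."""
    return {"name": name, "partition": partition, "id": rd_id, "vlans": list(vlans)}


def create_route_domain(host, user, password, payload):
    """POST the body to a BIG-IP over iControl REST (network call, not run offline)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/mgmt/tm/net/route-domain",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST",
    )
    # urllib verifies the device TLS certificate by default; keep it that way.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    spec = dict(name="rd_legacy_radius", rd_id=1, partition="Common",
                vlans=["/Common/vlan_legacy"])
    issues = validate_route_domain(**spec)
    if issues:
        raise SystemExit("refusing to create route domain:\n  " + "\n  ".join(issues))
    print(json.dumps(route_domain_payload(**spec), indent=2))
```

The script refuses to build the body if any check fails, so a duplicate ID or a VLAN still attached to route domain 0 is caught before the change reaches the device rather than as a tmsh error afterwards.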

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    An access profile name must be unique among all access profile names and per-request policy names.
  4. From the Profile Type list, select one of these options:
    • LTM-APM: Select for a web access management configuration.
    • SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL: Select to support LTM-APM and SSL-VPN access types.
    • SSO: Select to configure matching virtual servers for Single Sign-On (SSO). No access policy is associated with this type of access profile.
    • RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile. You can edit Identity Service profile properties.
    Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. From the Profile Scope list, select one of these options to define user scope:
    • Profile: Access to resources behind the profile.
    • Virtual Server: Access to resources behind the virtual server.
    • Global: Access to resources behind any access profile with global scope.
    • Named: Access for SSL Orchestrator users to resources behind any access profile with global scope.
    • Public: Access to resources behind the same access profile for a session that a Named-scope profile established; the session is checked against the value and string configured in the Named scope field.
  6. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  7. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the Access > Overview > Event Log > Settings area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable URL request logging only.
    Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.
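The two preceding tasks, creating the access profile and checking its log settings, scripted as one added example that is not part of the F5 manual. It applies the rules stated above (a name unique among access profiles and per-request policies, at most three selected log settings that enable access system logging, an empty Selected list meaning logging is off) and then builds the iControl REST body for POST /mgmt/tm/apm/profile/access. The log-setting catalog and all object names are constructed; the body's attribute names are the iControl REST forms of the tmsh properties type, scope, accept-languages, default-language and log-settings and should be checked against your BIG-IP version.

```python
"""REST body for the "Creating an access profile" task, with the log-setting
rule from "Verifying log settings for the access profile" applied first.

Added example, not code from the F5 manual. The catalog records, for each
constructed log setting, whether it enables access system logging and/or
URL request logging; only the former counts toward the limit of three.
"""
import json

# Profile Type and Profile Scope values as tmsh spells them.
PROFILE_TYPES = {"ltm-apm", "ssl-vpn", "all", "sso", "rdg-rap", "swg-explicit",
                 "swg-transparent", "system-authentication", "identity-service"}
PROFILE_SCOPES = {"profile", "virtual", "global", "named", "public"}
MAX_ACCESS_LOG_SETTINGS = 3

# Constructed catalog standing in for GET /mgmt/tm/apm/log-setting.
LOG_SETTING_CATALOG = {
    "/Common/default-log-setting": {"access": True, "url_request": False},
    "/Common/ls-siem": {"access": True, "url_request": False},
    "/Common/ls-debug": {"access": True, "url_request": True},
    "/Common/ls-verbose": {"access": True, "url_request": False},
    "/Common/ls-url-only": {"access": False, "url_request": True},
}


def check_log_settings(selected, catalog=LOG_SETTING_CATALOG):
    """Problems with the Selected list; an empty result means it is acceptable.

    An empty Selected list is legal in the GUI but silently disables access
    logging, so it is reported as a problem here (fail closed)."""
    if not selected:
        return ["no log setting selected: access logging would be disabled"]
    problems, access_enabled = [], []
    for ls in selected:
        entry = catalog.get(ls)
        if entry is None:
            problems.append(f"log setting {ls} does not exist")
        elif entry["access"]:
            access_enabled.append(ls)
        # settings that enable URL request logging only are not limited
    if len(access_enabled) > MAX_ACCESS_LOG_SETTINGS:
        problems.append(
            f"{len(access_enabled)} selected settings enable access system logging; "
            f"the limit is {MAX_ACCESS_LOG_SETTINGS}: {', '.join(access_enabled)}")
    return problems


def access_profile_payload(name, profile_type, scope, existing_names,
                           accept_languages=("en",), default_language="en",
                           log_settings=("/Common/default-log-setting",),
                           partition="Common"):
    """Body for POST /mgmt/tm/apm/profile/access, or ValueError listing every problem.

    existing_names holds the names of all access profiles and per-request
    policies already present, since the new name must be unique among both."""
    problems = []
    if name in existing_names:
        problems.append(f"name {name!r} collides with an access profile or per-request policy")
    if profile_type not in PROFILE_TYPES:
        problems.append(f"unknown profile type {profile_type!r}")
    if scope not in PROFILE_SCOPES:
        problems.append(f"unknown profile scope {scope!r}")
    if default_language not in accept_languages:
        problems.append(f"default language {default_language!r} is not an accepted language")
    problems += check_log_settings(log_settings)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": name,
        "partition": partition,
        "type": profile_type,
        "scope": scope,
        "acceptLanguages": list(accept_languages),
        "defaultLanguage": default_language,
        "logSettings": list(log_settings),
    }


if __name__ == "__main__":
    # ssl-vpn: the routing example assigns network access resources, which
    # the LTM-APM type is not meant for. All names are hypothetical.
    body = access_profile_payload(
        "ap_auth_transition", "ssl-vpn", "profile",
        existing_names={"ap_portal", "prp_url_filter"},
        log_settings=["/Common/default-log-setting", "/Common/ls-siem"])
    print(json.dumps(body, indent=2))
```

Treating an empty log-setting list as an error is a deliberate departure from the GUI, which accepts it: a profile that gates routing decisions on authentication outcome is exactly the one whose sessions you will want in the logs when an unexpected user lands in the legacy route domain.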

Configuring policy routing

To follow the steps in this example, you must have Access Policy Manager AAA server objects created for Active Directory and RADIUS as well.
You configure an access policy similar to this one to route users depending on whether they pass Active Directory authentication or RADIUS authentication. This example illustrates one way to handle a company-wide transition between one type of authentication and another, and to ensure that users get access to the correct resources, however they authenticate.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy.
  4. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  5. On a policy branch, click the (+) icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  6. On the Logon tab, select Logon Page and click the Add Item button.
    The Logon Page Agent properties screen opens.
  7. Make any changes that you require to the logon page properties and click Save.
    The properties screen closes and the policy displays.
  8. On the fallback branch after the previous action, click the (+) icon to add an item to the policy.
    A popup screen opens.
  9. On the Authentication tab, select AD Auth and click Add Item.
    A properties screen displays.
  10. From the Server list, select a server.
  11. Click Save.
    The properties screen closes and the policy displays.
  12. On the Successful branch after the previous action, click the (+) icon.
    A popup screen opens.
  13. Assign resources to the users that successfully authenticated with Active Directory.
    1. On the Assignment tab, select the Advanced Resource Assign agent, and then click Add Item.
      The Resource Assignment window opens.
    2. Click Add new entry.
      An Empty entry displays.
    3. Click the Add/Delete link below the entry.
      The screen changes to display resources on multiple tabs.
    4. On the Network Access tab, select a network access resource.
    5. Optionally, on the Webtop tab, select a network access webtop.
    6. Click Update.
      The popup screen closes.
    7. Click Save.
      The properties screen closes and the policy displays.
    8. Click the ending that follows the Advanced Resource Assign action and change it to an allow ending, by selecting Allow and clicking Save.
  14. On the fallback branch after the Active Directory action, click the (+) icon to add an item to the access policy.
    In this case, fallback indicates failure. For users that did not pass Active Directory authentication, you can configure RADIUS authentication and select a route domain for them so that they go to a different gateway. Note that every logon that fails Active Directory authentication, including a mistyped password from a user who does exist in Active Directory, is then submitted to the RADIUS server with the same credentials.
    A popup screen opens.
  15. Type radi in the search field, select RADIUS Auth from the results, and click Add Item.
    A popup screen opens.
  16. From the AAA Server list, select a RADIUS server and click Save.
    The popup screen closes and the visual policy editor displays. Leave the ending on the fallback branch after RADIUS Auth at its default, Deny, so that users who fail both authentication types are denied.
  17. On the Successful branch after the previous action, click the (+) icon.
    A popup screen opens.
  18. On the Assignment tab, select Route Domain and SNAT Selection and click the Add Item button.
    This opens the popup screen for the action.
  19. From the Route Domain list, select a route domain and click Save.
    The popup screen closes and the visual policy editor displays.
  20. On the successful branch after the route domain selection action, click the (+) icon.
    A popup screen opens.
  21. Assign resources to the users that successfully authenticated with RADIUS.
    1. On the Assignment tab, select the Advanced Resource Assign agent, and then click Add Item.
      The Resource Assignment window opens.
    2. Click Add new entry.
      An Empty entry displays.
    3. Click the Add/Delete link below the entry.
      The screen changes to display resources on multiple tabs.
    4. On the Network Access tab, select a network access resource.
      Note that you can assign the same network access resource to clients whether they authenticate with Active Directory or RADIUS. You assigned a different route domain to the clients that successfully authenticated with RADIUS. As a result, the two types of clients are routed through separate routers.
    5. Optionally, on the Webtop tab, select a network access webtop.
    6. Click Update.
      The popup screen closes.
    7. Click Save.
      The properties screen closes and the policy displays.
    8. Click the ending that follows the Advanced Resource Assign action and change it to an allow ending, by selecting Allow and clicking Save.
  22. Click the Apply Access Policy link to apply and activate the changes to the policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.