Manual Chapter : Common Elements for the Visual Policy Editor in Access Policy Manager

Applies To:

BIG-IP APM

  • 15.0.0

When configured in a per-request policy subroutine, some screen elements and options described here might not be available.
Max Logon Attempts Allowed
Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt.
For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.
Show Extended Error
When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in testing, in a production or debugging environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)
Basic Auth Realm
Specifies the authentication realm for use with Basic authentication.
HTTP Auth Level
Specifies the authentication required for the access policy.
  • none - specifies no authentication.
  • basic - specifies Basic authentication only.
  • negotiate - specifies Kerberos authentication only.
  • basic+negotiate - specifies either Basic or Kerberos authentication.
Split domain from full username
Specifies Yes or No.
  • Yes - specifies that when a username and domain combination is submitted (for example, marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, jsmith) is stored in the session variable session.logon.last.username.
  • No - specifies that the entire username string is stored in the session variable.
Logon Page Input Field #1
Specifies the text to display on the logon page to prompt for input for the first field. When Language is set to en, this defaults to Username.
Logon Page Input Field #2
Specifies the text to display on the logon page to prompt for input for the second field. When Language is set to en, this defaults to Password.
Complexity check for Password Reset
Specifies whether Access Policy Manager (APM) performs a password policy check. APM supports these Active Directory password policies:
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
APM must retrieve all related password policies from the domain to make the appropriate checks on the new password.
Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page.
Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using the LDAP protocol and must retrieve user information during the authentication process to properly check the new password.
Resources
Specifies static ACLs, Network Access resources, App Tunnels, and so on to assign to the selected groups. Any resource on the system can be assigned to a group. The system limits apply; for example, only one webtop should be assigned to a group.
Store information about client software in session variables
Specifies Enabled or Disabled.
Continuously check the result and end the session if it changes
Specifies Enabled or Disabled.
When Enabled, if the client does not respond for five minutes, the server ends the session.
Vendor ID
Specifies a vendor ID (from the list of supported vendors) or Any.
Product ID
Specifies a product ID (from the list of supported products) or Any.
MD5
Specifies the MD5 checksum. An MD5 checksum provides easily computable verification of the identity of a file using a cryptographic hash algorithm. The MD5 checksum is a 32-digit hexadecimal value. For example, the checksum for a zero-byte file is always d41d8cd98f00b204e9800998ecf8427e.
Size
Specifies the size of the file in bytes. The default value is 0, which is the same as not specifying a size; a size of zero (0) is not verified.
A zero-byte file is specified with the MD5 checksum for a zero-byte file in the MD5 field.
Date
Specifies the file last modified date.
The date must be translated first to GMT, and then to a 24-hour clock.
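The following Python example is added here and is not F5 code or part of the original manual. It computes the MD5, Size and Date values for a file and models the matching rules described above, including that a size of 0 is not verified and that a zero-byte file is identified by its MD5 checksum. The function names, the sample files and the date output format are assumptions; the manual only requires GMT on a 24-hour clock.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # zero-byte checksum quoted in the MD5 field text


def file_check_values(path):
    """Return the MD5, size in bytes and last-modified time (GMT, 24-hour) of a file."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    # st_mtime is seconds since the epoch; render it in GMT rather than local time.
    modified = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
    # Assumed output format; %H is the 24-hour clock.
    return {"md5": digest.hexdigest(), "size": st.st_size,
            "date_gmt": modified.strftime("%Y-%m-%d %H:%M:%S")}


def file_matches(path, md5=None, size=0, date_gmt=None):
    """Model of the described check: unset fields are skipped and size 0 is not verified."""
    actual = file_check_values(path)
    return ((md5 is None or actual["md5"] == md5.lower())
            and (size == 0 or actual["size"] == size)
            and (date_gmt is None or actual["date_gmt"] == date_gmt))


def demo():
    """Run the checks against constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = Path(tmp, "empty.bin")
        full = Path(tmp, "agent.cfg")
        empty.touch()
        full.write_bytes(b"constructed sample content\n")
        os.utime(full, (1700000000, 1700000000))  # constructed mtime
        return {
            "full": file_check_values(full),
            "size0_accepts_nonempty": file_matches(full, size=0),
            "empty_md5_rejects_nonempty": file_matches(full, md5=EMPTY_MD5),
            "empty_md5_accepts_empty": file_matches(empty, md5=EMPTY_MD5),
        }


if __name__ == "__main__":
    print(demo())
```

A size of 0 accepts the non-empty sample file, so only the zero-byte MD5 checksum distinguishes an empty file from a populated one.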
You must have already configured the access profile to which you want to add OCSP authentication.