Manual Chapter : Editing the access policy for LDAP with ephemeral authentication

Applies To:


BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

This example shows a per-session policy that uses LDAP with ephemeral authentication. You can tailor the policy to include other elements as needed for your network configuration.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the General Purpose tab, select Message Box and click Add Item to create a message that warns users that they are entering a site with restricted access.
    1. In the Message Box properties, type a name for the message box.
    2. After Title, type the warning to display to users.
    3. Click Save.
  5. To the right of the message box, click + to add a logon page.
  6. On the Logon tab, select Logon Page, click Add Item, and then click Save.
    The logon page created uses default values that can be adjusted as needed for your environment.
  7. Right after the Logon Page, click + to add an LDAP query.
  8. On the Authentication tab, select LDAP Query and click Add Item.
    1. From the Server list, select the LDAP pool created for LDAP authentication.
    2. Add the SearchDN (for example, dc=example,dc=org) and the SearchFilter (for example, cn=%{session.logon.last.username}).
    3. Enable Show Extended Error.
    4. Set Fetch groups to which the user or group belong to Direct.
    5. Click the Branch Rules tab, click the x on the right to remove the default option, click Add Branch Rule, name the rule (for example, Passed), and select Change.
    6. Click Add Expression, change Context to LDAP Query, change Condition to LDAP Query Passed, set LDAP Query has to Passed, and then click Finished.
  9. At the end of the successful branch (marked Passed), click Deny and change it to Allow.
    If the LDAP Query is successful, the user is allowed into the restricted area.
  10. Right after the LDAP Query and before Allow, click +.
  11. From the Assignment tab, select Variable Assign and click Add Item.
    1. To add a variable, in the Variable Assign properties, click Add new entry.
    2. Click Change, then Add Item.
    3. On the left, add the Custom Variable session.custom.ephemeral.last.dn; this session variable is the same one used in User LDAP DN when configuring Access > Ephemeral Authentication > Access Configuration.
      On the right, change Custom Expression to AAA Attribute, select LDAP for Agent Type and Use LDAP attribute for Attribute Type, and type an LDAP attribute name.
    4. Click Finished.
    5. To add a second variable, click Add new entry.
    6. On the left, add the Custom Variable session.custom.ephemeral.last.username; on the right, change Custom Expression to Session Variable and specify the session variable that contains the username, such as session.logon.last.username.
    7. Click Finished, then Save to complete the Variable Assign.
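The LDAP Query item (step 8) and the two Variable Assign entries (step 11) are easier to reason about with a runnable model of what they do to the session. The following Python is an added example, not F5 code and not how the BIG-IP implements these items: a small constructed in-memory directory stands in for the LDAP pool, the search base and filter template are the ones from step 8, and the choices that the attribute typed in step 11 is dn, that the substituted username is escaped per RFC 4515, and that a query matching no entry (or more than one) takes the fallback branch are this example's own assumptions; how the BIG-IP expands the %{...} reference is not stated on this page.

```python
import re

# Constructed values mirroring the LDAP Query properties from step 8.
SEARCH_DN = "dc=example,dc=org"
SEARCH_FILTER = "cn=%{session.logon.last.username}"

# Constructed stand-in for the LDAP pool: entry DN -> attributes.
# The third entry is outside the search base and must never be returned.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=org": {"cn": "alice", "mail": "alice@example.org"},
    "cn=bob,ou=people,dc=example,dc=org": {"cn": "bob", "mail": "bob@example.org"},
    "cn=alice,ou=people,dc=other,dc=org": {"cn": "alice", "mail": "alice@other.org"},
}

# Bytes that RFC 4515 section 3 requires to be escaped inside an assertion value.
_SPECIAL = {0x5C, 0x2A, 0x28, 0x29, 0x00}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as \\XX hex pairs (RFC 4515); non-ASCII is escaped too."""
    out = []
    for b in value.encode("utf-8"):
        if b in _SPECIAL or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value; the toy server uses it to compare values."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            buf.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def expand_filter(template: str, session: dict) -> str:
    """Substitute every %{name} with the escaped session value and wrap in parentheses."""
    body = re.sub(r"%\{([^}]+)\}",
                  lambda m: escape_filter_value(session.get(m.group(1), "")), template)
    return body if body.startswith("(") else "(" + body + ")"


def ldap_query(base_dn: str, filter_str: str, directory: dict) -> list:
    """Toy subtree search that supports one equality filter such as (cn=alice).

    Returns [(dn, attrs)], where attrs also carries the entry DN under "dn".
    """
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2))
    base = base_dn.lower()
    hits = []
    for dn, attrs in directory.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        if in_scope and attrs.get(attr) == wanted:
            hits.append((dn, dict(attrs, dn=dn)))
    return hits


def run_policy(session: dict, directory: dict = DIRECTORY, attribute: str = "dn") -> dict:
    """Model the LDAP Query branch rule and the two Variable Assign entries.

    `attribute` is the "LDAP attribute name" typed in step 11 (assumed here: dn).
    """
    filter_str = expand_filter(SEARCH_FILTER, session)
    hits = ldap_query(SEARCH_DN, filter_str, directory)
    if len(hits) != 1:  # assumption: no match or an ambiguous match means "LDAP Query failed"
        return {"branch": "fallback", "filter": filter_str}
    dn, attrs = hits[0]
    # Step 11.3: AAA Attribute of agent type LDAP -> session.custom.ephemeral.last.dn
    session["session.custom.ephemeral.last.dn"] = attrs[attribute]
    # Step 11.6: copy of the logon username -> session.custom.ephemeral.last.username
    session["session.custom.ephemeral.last.username"] = session["session.logon.last.username"]
    return {"branch": "Passed", "filter": filter_str, "dn": dn}


if __name__ == "__main__":
    for user in ("alice", "carol", "alice)(cn=*"):
        s = {"session.logon.last.username": user}
        print(user, "->", run_policy(s))
```

The point to check against a real deployment is the value that ends up in session.custom.ephemeral.last.dn, because that is the User LDAP DN ephemeral authentication will act on: the search base scopes which entry can match (the alice entry under dc=other,dc=org is never returned here), and a logon name containing filter metacharacters is escaped so it simply fails to match rather than changing the shape of the filter.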
  12. Right after LDAP Query on the Deny branch, click +.
  13. On the General Purpose tab, select Message Box to create a message that informs unauthenticated users that they have been denied access.
    Type a name for the box, such as No, and click Save.
  14. Click Add New Macro, name it Admin Access, and click Save.
  15. To the left of Macro: Admin Access, click + to expand the macro, then in the macro, click +.
  16. From the Assignment tab, select SSO Credential Mapping and click Save.
    This enables Single Sign-On (SSO) credential caching and assigns SSO variables.
  17. To the right of SSO Credential Mapping, click +.
  18. From the Assignment tab, select Advanced Resource Assign and click Add Item.
    1. To add a resource, click Add new entry, then click Add/Delete.
    2. Click Show more tabs, then on the Webtop tab, select the webtop you created previously, and click Update.
    3. To add another resource, click Add/Delete again, and on the WebSSH tab, select the WebSSH resource you created previously, and click Update.
    4. At this point, you can similarly add Portal Access and Webtop Links resources that were previously configured, if needed.
      If using Portal Access or Webtop Links as resources, enable Ephemeral Authentication Resource in the Portal Access configuration or the Webtop Link.
    5. Click Save.
  19. Back in the visual policy editor, to the right of Variable Assign, click +, and on the Macro tab, select the macro previously created (Admin Access), and click Add Item.
  20. At the top of the screen, above the policy, click Apply Access Policy.
The access policy now has the elements needed to perform ephemeral authentication using LDAP.