Manual Chapter : Editing the access policy for RADIUS with ephemeral authentication

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.0.0
Manual Chapter

Editing the access policy for RADIUS with ephemeral authentication

This example shows an example of a per-session policy that uses RADIUS and WebSSH with ephemeral authentication. You can tailor the policy to include other elements as needed for your network configuration.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the General Purpose tab, select
    Message Box
    and click
    Add Item
    to create a message to warn users that they are entering a site with restricted access.
    1. In the Message Box properties, type a name for the message box.
    2. After
      Title
      , type the warning to display to users.
    3. Click
      Save
      .
  5. To the right of the message box, click + to add a logon page.
  6. On the Logon tab, select
    Logon Page
    , click
    Add Item
    , and
    Save
    .
    The logon page created uses default values that can be adjusted as needed for your environment.
  7. Right after the Logon Page, click +.
  8. From the Assignment tab, select
    Variable Assign
    and click
    Add Item
    .
    1. To add a variable, in the Variable Assign properties,click
      Add new entry
      .
    2. Click
      Change
      .
    3. If you plan to use RADIUS attributes, on the left, add the Custom Variable:
      session.custom.ephemeral.groups
      ; on the right, for
      Custom Expression
      type (as an example):
      return {hostgroup_lowpriv; hostgroup_midpriv; hostgroup_equalpriv; hostgroup_highpriv}
    4. Click
      Finished
      .
    5. To add a second variable, click
      Add new entry
      .
    6. In the new variable, click
      Change
      .
    7. On the left, add the Custom Variable:
      session.custom.ephemeral.last.username
      ; on the right, change
      Custom Expression
      to
      Session Variable
      and specify the session variable that contains the username, such as
      session.logon.last.username
      .
    8. Click
      Finished
      , then
      Save
      to complete the Variable Assign.
  9. At the end of the branch, click
    Deny
    and change it to
    Allow
    and click
    Save
    .
  10. Click
    Add New Macro
    , name it
    Admin Access
    , and click
    Save
    .
  11. To the left of the
    Macro: Admin Access
    , click + to expand the macro, then in the macro, click +.
  12. From the Assignment tab, select
    SSO Credential Mapping
    , click
    Add Item
    , then
    Save
    .
    This enables Single Sign-On (SSO) credential caching and assigns SSO variables.
  13. To the right of SSO Credential Mapping, click +.
  14. From the Assignment tab, select
    Advanced Resource Assign
    and click
    Add Item
    .
    1. To add a resource, click
      Add new entry
      , then click
      Add/Delete
      .
    2. Click
      Show more tabs
      then, on the Webtop tab, select the webtop you created previously, and click
      Update
      .
    3. To add another resource, click
      Add/Delete
      again, and on the WebSSH tab, select the WebSSH resource you created previously, and click
      Update
      .
    4. At this point, you can similarly add Portal Access and Webtop Links resources that were previously configured, if needed.
      If using Portal Access or Webtop Links as resources, in the Portal Access config or Webtop Link, enable
      Ephemeral Authentication Resource
      .
    5. Click
      Save
      .
  15. Back in the visual policy editor, to the right of Variable Assign, click +, and on the Macro tab, select the macro previously created (Admin Access), and click
    Add Item
    .
  16. At the top of the screen, above the policy, click
    Apply Access Policy
    .
The access policy has the elements needed to perform ephemeral authentication using RADIUS.