Manual Chapter :
Editing the access policy for RADIUS with ephemeral
authentication
Applies To:
Show Versions
BIG-IP APM
- 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Editing the access policy for RADIUS with ephemeral
authentication
This example shows an example of a
per-session policy that uses RADIUS and WebSSH with ephemeral authentication. You can
tailor the policy to include other elements as needed for your network configuration.
- On the Main tab, click .The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click theEditlink for the access profile you want to configure.The visual policy editor opens the access policy in a separate screen.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- On the General Purpose tab, selectMessage Boxand clickAdd Itemto create a message to warn users that they are entering a site with restricted access.
- In the Message Box properties, type a name for the message box.
- AfterTitle, type the warning to display to users.
- ClickSave.
- To the right of the message box, click + to add a logon page.
- On the Logon tab, selectLogon Page, clickAdd Item, andSave.The logon page created uses default values that can be adjusted as needed for your environment.
- Right after the Logon Page, click +.
- From the Assignment tab, selectVariable Assignand clickAdd Item.
- To add a variable, in the Variable Assign properties,clickAdd new entry.
- ClickChange.
- If you plan to use RADIUS attributes, on the left, add the Custom Variable:session.custom.ephemeral.groups; on the right, forCustom Expressiontype (as an example):return {hostgroup_lowpriv; hostgroup_midpriv; hostgroup_equalpriv; hostgroup_highpriv}
- ClickFinished.
- To add a second variable, clickAdd new entry.
- In the new variable, clickChange.
- On the left, add the Custom Variable:session.custom.ephemeral.last.username; on the right, changeCustom ExpressiontoSession Variableand specify the session variable that contains the username, such assession.logon.last.username.
- ClickFinished, thenSaveto complete the Variable Assign.
- At the end of the branch, clickDenyand change it toAllowand clickSave.
- ClickAdd New Macro, name itAdmin Access, and clickSave.
- To the left of theMacro: Admin Access, click + to expand the macro, then in the macro, click +.
- From the Assignment tab, selectSSO Credential Mapping, clickAdd Item, thenSave.This enables Single Sign-On (SSO) credential caching and assigns SSO variables.
- To the right of SSO Credential Mapping, click +.
- From the Assignment tab, selectAdvanced Resource Assignand clickAdd Item.
- To add a resource, clickAdd new entry, then clickAdd/Delete.
- ClickShow more tabsthen, on the Webtop tab, select the webtop you created previously, and clickUpdate.
- To add another resource, clickAdd/Deleteagain, and on the WebSSH tab, select the WebSSH resource you created previously, and clickUpdate.
- At this point, you can similarly add Portal Access and Webtop Links resources that were previously configured, if needed.If using Portal Access or Webtop Links as resources, in the Portal Access config or Webtop Link, enableEphemeral Authentication Resource.
- ClickSave.
- Back in the visual policy editor, to the right of Variable Assign, click +, and on the Macro tab, select the macro previously created (Admin Access), and clickAdd Item.
- At the top of the screen, above the policy, clickApply Access Policy.
The access policy has the elements needed to
perform ephemeral authentication using RADIUS.
