Manual Chapter : Configuring Logon Assignment and General Purpose Actions

Applies To:


BIG-IP APM

  • 11.4.1, 11.4.0
In the visual policy editor, you can add and configure general purpose actions to customize your access policy. You can add logon pages, assign resources and variables, select a route domain for policy-based routing, add logging of specific session variables, or add messages and provide decisions in access policies or access policy macros. The action tasks you can do include:
You can customize the logon page with custom fields and text for different sections of the logon form. On the logon page you can also localize text messages for different languages. The logon page displays up to five logon page agents that can be fully customized. You can define a logon page agent with the following elements and options:
CAPTCHA configuration - Select a configuration from the list to display a CAPTCHA challenge on the logon page. The challenge is displayed after the number of logon failures exceeds a configured limit. A CAPTCHA challenge generates and grades tests, such as the ability to decipher distorted text.
Split domain from full username - Select Yes to specify that when a username and domain combination is submitted (for example marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, "jsmith") is stored in the session variable session.logon.last.username. If you select No, the entire username string is stored in the session variable.
Type - Specifies the type of logon page agent. You can specify any agent to be text, password, or none.
A text agent type displays a text field, and shows the text that is typed in that field.
A password agent type displays an input field, but displays the typed text input as asterisks.
A none agent type specifies that the field is not displayed on the logon page.
Post Variable Name - Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.
Session Variable Name - Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas.
Read Only - Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use this to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy. You can use a read only logon page field to populate a field with a value from a session variable.
For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).
Figure 6.1 shows some items that can be customized with the logon page action.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Logon tab, select Logon Page and click Add Item.
The Logon page action popup screen opens.
5.
To present a CAPTCHA challenge on the logon page, select a configuration from the CAPTCHA configuration list.
6.
In the Logon Page Agent section, enable the fields you want to display on the logon page.
By default, a text field for user name, and a password field for the password are enabled and displayed. You can specify up to three more fields to display, or customize the ones enabled.
7.
From the Language list, select the language for which you want to customize messages.
The four default languages are English (en), Japanese (ja), simplified Chinese (zh-cn), and traditional Chinese (zh-tw). You can specify more languages in the Access Profile properties Language Settings section.
Form Header Text
Specifies the text that appears at the top of the logon box.
Logon Page Input Field # (1-5) - These fields specify the text that is displayed on the logon page for each of the logon page agents, defined in the Logon Page Agent screen area.
Save Password Checkbox
Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
Logon Button
Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
Front Image
Specifies an image file to display on the logon page.
Click Browse to select a file from the file system. Click Show image or Hide Image to show or hide the currently selected image file. Click Revert to Default Image to discard any customization and use the default logon page image.
New Password Prompt
Specifies the prompt displayed when a new Active Directory password is requested.
Verify Password Prompt
Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
Password and Password Verification do not Match
Specifies the prompt displayed when the new Active Directory password and verification password do not match.
1.
On the Main tab of the navigation pane, expand Access Policy, click Access Profiles and click CAPTCHA Configurations.
The CAPTCHA Configurations List screen displays.
2.
Click Create.
The New CAPTCHA Configuration screen displays.
3.
In the General Properties area:
a)
In the Name field, type a name for the configuration.
b)
In the Description field, type a description.
4.
In the Configuration area, configure these settings:
Private Key - Type the string that was provided as the private key when you signed up for CAPTCHA service.
Public Key - Type the string that was provided as the public key when you signed up for CAPTCHA service.
Verification URL - Type the URL of the service that verifies the response to the CAPTCHA challenge. Defaults to www.google.com/recaptcha/api/verify.
Do not start this URL with https.
Challenge URL - Type the URL of the service that provides the CAPTCHA challenge. Defaults to www.google.com/recaptcha/api/challenge.
Do not start this URL with https.
Noscript URL - Type the URL to use for obtaining the challenge picture if  JavaScript  is disabled. Defaults to www.google.com/recaptcha/api/noscript.
Do not start this URL with https.
Display CAPTCHA after - Type the number of unsuccessful logon attempts to allow before issuing a CAPTCHA challenge. Defaults to 0 (zero), in which case APM always issues a challenge on logon failure.
Track Failures - Choose one or more options to specify how to track logon failure attempts:
IP address - Checks whether the configured number of unsuccessful logon attempts has been exceeded for this IP address.
Username - Checks whether the configured number of unsuccessful logon attempts has been exceeded for the provided username.
Theme - To control the appearance of the CAPTCHA widget, select a standard theme or select Custom. Defaults to Red. When you select Custom, you must do some coding to implement the look and feel that you want for the CAPTCHA challenge; for information, refer to the site you use for CAPTCHA service.
If you select the Custom theme, but do not add code to the logon page, the CAPTCHA challenge is not displayed. However, the CAPTCHA challenge requires a response. In this case, users cannot respond and cannot log in.
5.
Click Finished.
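The "Display CAPTCHA after" and "Track Failures" settings above describe a threshold decision that is easy to get wrong. The following is an added example (not F5 code) that models those semantics in Python: failures are counted under each enabled tracking key (IP address, username, or both), a challenge is required once a counter exceeds the configured limit, and the default of 0 means a challenge on the first failure. The class and method names are assumptions made for the example.

```python
"""Model of APM's 'Display CAPTCHA after' / 'Track Failures' decision.

Added example, not F5 code. Counts logon failures under the enabled tracking
keys and reports when a CAPTCHA challenge must be shown.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CaptchaPolicy:
    display_after: int = 0          # 'Display CAPTCHA after' (0 = challenge on any failure)
    track_ip: bool = True           # 'Track Failures: IP address'
    track_username: bool = False    # 'Track Failures: Username'
    _failures: dict = field(default_factory=lambda: defaultdict(int))

    def _keys(self, ip: str, username: str) -> list:
        """Tracking keys for one logon attempt; usernames compared case-insensitively."""
        keys = []
        if self.track_ip:
            keys.append(("ip", ip))
        if self.track_username:
            keys.append(("user", username.lower()))
        return keys

    def record_failure(self, ip: str, username: str) -> None:
        """Count one unsuccessful logon under every enabled key."""
        for key in self._keys(ip, username):
            self._failures[key] += 1

    def record_success(self, ip: str, username: str) -> None:
        """A successful logon clears the counters for that attempt's keys."""
        for key in self._keys(ip, username):
            self._failures.pop(key, None)

    def failures(self, ip: str, username: str) -> int:
        """Highest failure count across the enabled keys for this attempt."""
        return max((self._failures.get(k, 0) for k in self._keys(ip, username)), default=0)

    def challenge_required(self, ip: str, username: str) -> bool:
        """True once any enabled counter exceeds display_after.

        Assumption for the example: with no tracking option enabled there is
        nothing to count, so no challenge is ever required.
        """
        return self.failures(ip, username) > self.display_after


if __name__ == "__main__":
    # Constructed sample: an attacker rotating source addresses against one account.
    policy = CaptchaPolicy(display_after=1, track_ip=True, track_username=True)
    for src in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        policy.record_failure(src, "admin")
        print(src, "challenge:", policy.challenge_required(src, "admin"))
```

Tracking by IP address alone is defeated by an attacker who changes source addresses, and tracking by username alone lets a third party force CAPTCHA challenges onto a victim account; enabling both keys covers each case, which is why the example counts under every enabled key rather than the first one.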
The HTTP 401 response logon page allows you to send an HTTP 401 Authorization Required Response page to capture HTTP Basic or Negotiate authentication in your access policy, and provide branches for Basic and HTTP authentication. You can define the HTTP 401 response page with the following elements and options:
Split domain from full username - Select Yes to specify that when a username and domain combination is submitted (for example marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, "jsmith") is stored in the session variable session.logon.last.username. If you select No, the entire username string is stored in the session variable.
HTTP Auth Level - Specify the authentication required for the access policy. You can specify Basic, Negotiate, Basic + Negotiate, or None.
In the Customization section, you can customize the message that appears on the HTTP 401 response page. Note that you can only select languages that are accepted in the access profile, for which you want to customize messages.
You can add a link to an external logon page to use for logon credentials. This can be used with an external solution to provide robust logon credentials to the access policy.
The Access Policy Manager sends an HTML page containing JavaScript code that redirects users to the external server.
The client submits a post_url variable. This post variable is used by the external application to return a value to the access policy. When the user completes authentication on the external server, the external server posts back to the URL specified in this variable, to continue the session.

The value of post_url has the format https://<Access_Policy_Manager_URI>/my.policy (or http:// for a virtual server without SSL). The <Access_Policy_Manager_URI> is the URI visible to the user, taken from the HTTP Host header value sent by the browser. Because the Host header is supplied by the client, an external logon server should post credentials back only to post_url values whose host matches the Access Policy Manager virtual servers it expects.
Figure 6.2 shows the content of a sample submission to an external logon server from the external logon page action.
<input type="hidden" name="post_url" value="https://IP_address_of_virtual/my.policy">
document.external_data_post_cls.action = unescape("https://external_server_IP_address/loginform2.1.php");
After the external logon server validates the user, the external server must return the user to the URL specified in post_url, and must post the username and password variables, which are then used by Access Policy Manager to validate the user, as shown in Figure 6.3.
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-silverlight, */*
Referer: https://external_server_IP_address/loginform2.1.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: virtual_server_IP_address
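The exchange described above, as an added example that is not part of the manual and is not the loginform2.1.php referenced in the figures: the external logon server's side in Python. It reads post_url from the form that Access Policy Manager's JavaScript submits, checks it against an allowlist of expected Access Policy Manager hosts before trusting it (since post_url is derived from the browser's Host header), and then builds the page that posts username and password back to my.policy. The allowlist, function names and exception type are assumptions made for the example.

```python
"""External logon server side of the APM External Logon Page flow.

Added example, not F5 code. APM sends the browser to us with a hidden
post_url field; after authentication we must POST username and password
back to that URL so the access policy can continue.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Assumption for the example: the APM virtual servers this external logon
# server is permitted to return credentials to.
ALLOWED_APM_HOSTS = {"apm.example.com"}


class BadPostUrl(ValueError):
    """Raised when post_url is not an expected APM my.policy URL."""


def validate_post_url(post_url: str) -> str:
    """Accept only https://<allowlisted host>[:443]/my.policy with no userinfo or query."""
    parts = urlsplit(post_url)
    if parts.scheme != "https":
        raise BadPostUrl("post_url must use https")
    if parts.username or parts.password:
        raise BadPostUrl("userinfo not allowed in post_url")
    try:
        port = parts.port
    except ValueError as exc:
        raise BadPostUrl("invalid port in post_url") from exc
    if port not in (None, 443):
        raise BadPostUrl(f"unexpected port {port}")
    if parts.hostname not in ALLOWED_APM_HOSTS:
        raise BadPostUrl(f"unexpected APM host {parts.hostname!r}")
    if parts.path != "/my.policy" or parts.query or parts.fragment:
        raise BadPostUrl("post_url must be exactly /my.policy")
    return post_url


def is_acceptable_post_url(post_url: str) -> bool:
    """Boolean form of validate_post_url for callers that do not want exceptions."""
    try:
        validate_post_url(post_url)
        return True
    except BadPostUrl:
        return False


def extract_post_url(form_body: str) -> str:
    """Pull the single post_url value out of the form body APM submits to us (Figure 6.2)."""
    values = parse_qs(form_body, keep_blank_values=True).get("post_url", [])
    if len(values) != 1:
        raise BadPostUrl("exactly one post_url field expected")
    return validate_post_url(values[0])


def postback_form(post_url: str, username: str, password: str) -> str:
    """HTML that auto-submits username and password to APM (the POST in Figure 6.3).

    Values are HTML-escaped so a username containing quotes cannot break out of
    the attribute and inject markup into our own page.
    """
    action = validate_post_url(post_url)
    esc = html.escape
    return (
        '<!doctype html><html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{esc(action)}">'
        f'<input type="hidden" name="username" value="{esc(username)}">'
        f'<input type="hidden" name="password" value="{esc(password)}">'
        '<noscript><input type="submit" value="Continue"></noscript>'
        "</form></body></html>"
    )


if __name__ == "__main__":
    # Constructed sample of the body APM's form posts to the external server.
    body = "post_url=https%3A%2F%2Fapm.example.com%2Fmy.policy"
    print(postback_form(extract_post_url(body), "jsmith", "correct horse"))
```

The authentication step itself (checking the user's credentials against whatever backend the external solution uses) sits between extract_post_url and postback_form and is deliberately not shown. The page the external server returns carries the password through the browser to APM, so it must be served over HTTPS and not cached.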
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Logon tab, select External Logon Page and click Add Item.
The External Logon page action popup screen opens.
5.
In the External Logon Server URI box, type the external logon page URI.
6.
Click Save when you are finished.
You assign access control lists, a network access resource, portal access resources, a webtop, and webtop links to the access policy using one of the resource assign actions. Each resource assign action provides a similar function, with the following differences.
Advanced resource assign - allows you to assign all resources: network access, portal access, app tunnels, remote desktops, ACLs, webtops, and webtop links
Resource assign - assigns connection resources only: network access, portal access, app tunnels, and remote desktops
ACL assign - assigns static ACLs only
Webtop and links assign - assigns a webtop and webtop links only
Each of these resources contains configuration items. You must assign a network access resource for a network access connection. For portal access, app tunnels, or remote desktops, you must assign the appropriate resources. You can assign a network access resource for a single network access resource, a portal access resource for a portal access resource, or a full webtop to display multiple access types and webtop links. For a web access management connection, you do not assign a connection resource or a webtop. You assign ACLs to all access types with the full resource assign action or with the ACL assign action.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select the resource assign action you want to use, and click Add Item.
The resource assign action popup screen for the action you chose opens.
5.
For the full resource assign action, click Add new entry, then click the Add/Delete link. For all other resource assign actions, click the Add/Delete link.
Resource assignment entries appear on the same screen or on a popup screen.
6.
To add resources, select the check boxes or click the radio buttons. To remove resources, clear the check boxes or radio buttons.
For webtops and network access resources, you can only add a single resource with a resource assignment action.
7.
Click Update if you are using the Advanced resource assign action.
8.
Click Save to save the action.
You use the variable assign action to assign a configuration variable, a predefined session variable, or a custom variable to an AAA server attribute or to a custom expression. This allows you, for example, to assign a custom lease pool for a network access resource, based on the path taken through an access policy.
After the procedure for how to use the variable assign action, this section includes two simple examples. For an example scenario that uses the variable assign action with a Tcl expression to provide more advanced functionality, see Using advanced access policy rules.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select Variable Assign and click Add Item.
The Variable Assign action popup screen opens.
5.
Click Add new entry.
6.
Under Assignment, click change.
The Variable Assignment popup screen opens.
7.
In the left pane of the Variable Assignment popup screen, select the variable to assign.
Select Configuration Variable to select a variable from a network access or app tunnel resource on the system. Select Custom Variable to define a custom variable, and type the custom variable name in the box. Select Predefined Session Variable and select the type, name, and property from the current configuration.
8.
Select Secure to define the session variable as secure.
A secure session variable is stored in encrypted form in the session database. The secure session variable value is not displayed in the session report, or logged by the logging agent.
9.
In the right pane of the Variable Assignment popup screen, select the value to assign the variable.
You can select AAA Attribute and select the RADIUS, LDAP, or Active Directory agent type, attribute type, and attribute name, or you can select Custom Expression and type a custom expression in the box.
10.
Click Finished when you have assigned the variable.
11.
Click Save to save the action.
In this example, you assign a lease pool to the network access client by using the custom attribute myAttribute from the Microsoft Active Directory server. Access Policy Manager gets the value of myAttribute from the Active Directory server, and replaces the network access resource value for leasepool_name with the value of myAttribute. For example, if you assigned myAttribute a value of leasepool1 on the Active Directory server, the network access resource, after the variable assign action, would assign the lease pool leasepool1 to the user.
Note: To use this example, you must have a lease pool defined on the Access Policy Manager, and the name of that lease pool must be defined as the user attribute, myAttribute, on the Active Directory server.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select Variable Assign and click Add Item.
The Variable Assign action popup screen opens.
5.
Click Add new entry.
6.
Under Assignment, next to empty, click change.
The Variable Assignment popup screen opens.
7.
In the left pane, select Configuration Variable.
8.
From the Type list, select Network Access.
9.
From the Name list, select a network access resource.
10.
From the Property list, select leasepool_name.
11.
In the right pane, select AAA Attribute.
12.
From the Agent Type list, select AD.
13.
From the Attribute Type list, select Use users attribute.
14.
In the AD Attribute Name box, type myAttribute.
15.
Click Finished.
16.
Click Save to save the action.
When a user reaches this action in the access policy, Access Policy Manager gets the value for myAttribute from the user's AAA attributes, and replaces the lease pool defined in the network access resource with this value.
In this example, you assign a lease pool to the network access client by replacing the network access resource value for leasepool_name with the value of a custom expression. Access Policy Manager evaluates the custom expression, and replaces the network access resource value for leasepool_name with the value of the custom expression. In this example, the access policy replaces the lease pool with an existing lease pool, called leasepool1, on the Access Policy Manager. The value you use for the custom expression is a simple string.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select Variable Assign and click Add Item.
The Variable Assign action popup screen opens.
5.
Click Add new entry.
6.
Under Assignment, next to empty, click change.
The Variable Assignment popup screen opens.
7.
In the left pane, select Configuration Variable.
8.
From the Type list, select Network Access.
9.
From the Name list, select a network access resource.
10.
From the Property list, select leasepool_name.
11.
In the right pane, select Custom Expression.
12.
In the Custom Expression box, type "leasepool1" (including the quotes).
13.
Click Finished.
14.
Click Save to save the action.
When a user reaches this action in the access policy, Access Policy Manager evaluates the custom expression, in this case, a simple string with the lease pool name, and replaces the lease pool defined in the network access resource with this value.
You can add a virtual keyboard to the logon screen to prevent password characters from being typed on the physical keyboard. When you add the virtual keyboard action, the virtual keyboard appears on the logon screen when a user clicks in the password field, as shown in Figure 6.4. Users then type the password by clicking the characters on the virtual keyboard, instead of typing them on the physical keyboard.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
Note: Add the virtual keyboard action before the logon page action with which you want the virtual keyboard to be used.
4.
On the General Purpose tab, select Virtual keyboard and click Add Item.
The Virtual keyboard action popup screen opens.
5.
From the Virtual Keyboard list, select Enabled to enable the virtual keyboard, or Disabled to disable the virtual keyboard.
6.
From the Move Keyboard After Every Keystroke list, select Enabled to move the virtual keyboard after the user clicks each keystroke, or Disabled to not move the virtual keyboard after each keystroke.
This option can further obscure the password that the user types with the virtual keyboard, because each click lands at a different screen position.
7.
From the Allow Manual Input list, select Enabled to allow the user to type the password with the physical keyboard or the virtual keyboard. Select Disabled to allow the user to type the password only with the virtual keyboard.
8.
Click Save when the fields are customized.
You add the SSO credential mapping action to enable users to forward stored user names and passwords to applications and servers automatically, without having to input credentials repeatedly. This allows single sign-on (SSO) functionality for secure access users.
As different applications and resources support different authentication mechanisms, the single sign-on system may be required to store and translate credentials that differ from the user name and password that a user inputs on the logon page. The SSO credential mapping action allows for credentials to be retrieved from the logon page, or in another way for both the user name and the password.
The secure access server can cache the user name for use with single sign-on (SSO) applications in the enterprise. When configuring credential caching and mapping, the administrator can define the cached credentials for the SSO Token Username by selecting one of the following:
Username from logon page - Retrieves and caches the user name that is entered on the secure access logon page.
sAMAccountName from Active Directory - Looks up the user's value for sAMAccountName in Active Directory, retrieves the value, and caches it for use as the user name.
sAMAccountName from LDAP Directory - Looks up the user's value for sAMAccountName in the LDAP directory, retrieves the value, and caches it for use as the user name. This can only be used when the session is configured to access Active Directory over LDAP.
Custom - Allows you to retrieve a custom value from a session variable.
The secure access server can cache the password for use with single sign-on applications in the enterprise. When configuring credential caching and mapping, the administrator can define the cached credentials for the SSO Token Password by selecting one of the following:
Password from logon page - Retrieves and caches the password that is entered on the secure access logon page.
Custom - Allows you to retrieve a custom value from a session variable.
For information on how to configure SSO with credential caching and proxying, refer to the BIG-IP® Access Policy Manager® Single Sign-On Configuration Guide.
Use Citrix SmartAccess filters to enable the access policy to act as the Citrix Web Interface, and send SmartAccess filters to the XenApp server, which then displays applications and applies policies based on the filter content.
For SmartAccess to work with Access Policy Manager, the Farm Name for the filter on the Citrix server must be set to APM.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select Citrix SmartAccess and click Add Item.
The Citrix Smart Access action popup screen opens.
5.
In the Assignment field, type a Citrix SmartAccess filter name.
For example:
7.
When you have finished, click Save to save the action.
You select a route domain to use route domain-based policy routing. Add this action on a branch of the access policy when you want to send the user to a different route domain, based on the outcomes of previous branches in the access policy. You can select a SNAT to provide Secure NAT to the self IP address of the BIG-IP device, or to choose from a pool of configured internal addresses for SNAT.
If there is no SNAT defined in the Network Access resource, or the resource is another type, the SNAT is taken from this assignment in the access policy.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select Route Domain and SNAT Selection and click Add Item.
The Route Domain Selection action popup screen opens.
5.
From the Route Domain ID list, select a route domain ID to use with this access policy.
6.
From the SNAT list, select a SNAT pool, automap, or none.
Route domains and SNAT pools must be already defined on the Access Policy Manager. For more information, see Configuring policy routing.
Use access policy logging to write the values of specific session variables or session variable categories to the system logs. You can use this action to trace the session variables that are created for a specific category, or in a specific branch.
One use for access policy logging is to trace the variables created from AAA server attributes. The Access Policy Manager creates session variables for all AAA server attributes, so the session variables that are created in a session are specific to the configuration of the AAA server. As an example, to determine the session variables created from RADIUS attributes, you can set the logging action to log all RADIUS variables, by selecting RADIUS from the Session Variables category list.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the General Purpose tab, select Logging and click Add Item.
The logging action popup screen opens.
5.
Click Add new entry.
If you select a predefined category, all session variables for that session variable category are logged using wildcards. For example, for Active Directory, the session variables session.ad.last.* are logged.
If you select the Custom category, you can type a session variable or a session variable category to log in the Session Variables box.
8.
When you have finished, click Save to save the action.
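The logging action above selects variables by a wildcard per category (session.ad.last.* for Active Directory), and the variable assign section earlier notes that a variable marked Secure is never written by the logging agent. The following is an added example (not F5 code) that models both rules in Python over a constructed session: it selects the variables a category or custom pattern covers and suppresses any that are marked secure. The session contents, the set of secure variables, the log line format and the non-AD category patterns are assumptions made for the example.

```python
"""Model of what the APM Logging action writes for a session.

Added example, not F5 code. A category expands to a wildcard over session
variable names; variables marked Secure are never logged.
"""
import fnmatch

# Wildcards per predefined category. Only the Active Directory pattern is
# quoted on the page; the others are assumptions following the same
# session.<agent>.last.* convention.
CATEGORY_PATTERNS = {
    "Active Directory": "session.ad.last.*",
    "RADIUS": "session.radius.last.*",
    "LDAP": "session.ldap.last.*",
}

# Constructed sample session after a logon page and an AD query.
SAMPLE_SESSION = {
    "session.logon.last.username": "jsmith",
    "session.logon.last.password": "S3cret!",
    "session.ad.last.attr.memberOf": "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "session.ad.last.attr.sAMAccountName": "jsmith",
    "session.ad.last.authresult": "1",
    "session.radius.last.attr.class": "OU=eng",
    "session.custom.leasepool": "leasepool1",
}

# Assumption for the example: the password was assigned with Secure selected.
SECURE_VARIABLES = {"session.logon.last.password"}


def select_variables(session: dict, pattern: str) -> dict:
    """Session variables whose full name matches the wildcard (dots are ordinary characters)."""
    return {name: value for name, value in session.items() if fnmatch.fnmatchcase(name, pattern)}


def render_log_lines(session: dict, secure_names: set, pattern: str, session_id: str = "sid0") -> list:
    """Log lines the action would emit for one pattern, in sorted variable order.

    Secure variables are skipped entirely rather than redacted, matching the
    page's statement that the logging agent does not log them.
    """
    lines = []
    for name, value in sorted(select_variables(session, pattern).items()):
        if name in secure_names:
            continue
        lines.append(f"{session_id}: {name} = {value}")
    return lines


def render_category(session: dict, secure_names: set, category: str, session_id: str = "sid0") -> list:
    """Convenience wrapper for a predefined category selection."""
    return render_log_lines(session, secure_names, CATEGORY_PATTERNS[category], session_id)


if __name__ == "__main__":
    for line in render_category(SAMPLE_SESSION, SECURE_VARIABLES, "Active Directory"):
        print(line)
    for line in render_log_lines(SAMPLE_SESSION, SECURE_VARIABLES, "session.logon.last.*"):
        print(line)
```

The second call is the case to check when troubleshooting a logon branch: a Custom pattern of session.logon.last.* is convenient for tracing what the logon page stored, and it is the Secure flag, not the pattern, that keeps the password out of the system logs.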
You can add a message box anywhere in an access policy. A message box has no effect on the user's access to the network or on the access policy checks. It is used solely to present a message to the user, and to prompt the user to click a link to continue. You might use a message box to warn a user that they are going to a quarantine network, or that the client certificate failed to authenticate, or any other time you want to tell the user about the results of a rule branch in the access policy.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the General Purpose tab, select Message Box and click Add Item.
The Message Box action popup screen opens.
5.
From the Language list, select the language for the message.
6.
In the Message box, type the message to the user. You can use HTML tags for formatting, as in the example:
<font color=red> Please click the link below to continue. </font>
7.
In the Link box, type the text that the user must click to continue.
This text appears as a link the user can click to continue.
8.
Click Save.
You can add a decision box anywhere in an access policy. You use a decision box to present two options to the user. These options are presented as link text, preceded by images. You might use a decision box when a user fails an endpoint security check, or when a user fails to authenticate. In these cases, one branch can provide an option to allow the user to continue onto a quarantine network that provides only limited access to a segregated subnet. The other branch can provide an option to log out, and present the user with a logon denied ending. Another use of the second option branch is to allow the user to continue to a redirect ending that takes the user to a helpful URL, for example, to the web site of an antivirus vendor to download virus database updates.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the General Purpose tab, select Decision Box and click Add Item.
The Decision Box action popup screen opens.
5.
In the Message box, type a message to the user. You can use HTML tags for formatting, as in the example:
<font color=red> Please choose one of the following two options below. </font>
6.
From the Field 1 image list, select the image for field one.
This image precedes the text you type in the next step.
7.
In the Option 1 box, type the text for option 1.
This text appears to the user as the first clickable link.
8.
From the Field 2 image list, select the image to use for option 2. Note that option 2 is the fallback rule branch of the access policy action. This image precedes the text you type in the next step.
9.
In the Option 2 box, type the text for option 2.
Note that option 2 is the fallback rule branch of the access policy action. This text appears to the user as the second clickable link.
10.
Click Save.
You can add a dynamic ACL action after an authentication action that retrieves attributes from an AD, LDAP, or RADIUS server, and before the resources are assigned. To add a dynamic ACL, you must complete several steps first.
See Configuring dynamic ACLs for more information.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select Dynamic ACL, and click Add Item.
The Dynamic ACL action popup screen opens.
5.
6.
To use an F5 ACL from an AD, RADIUS, or LDAP directory, select Custom. To use a Cisco AV-Pair ACL from a RADIUS directory, select Cisco AV-Pair VSA.
7.
In the Source field, type the attribute from which the Dynamic ACL action extracts ACLs.
If you are using Cisco AV-Pair VSA from a RADIUS server, the field is prepopulated with session.radius.last.attr.vendor-specific.1.9.1.
8.
From the ACL list, select the dynamic ACL container.
9.
From the Format list, select the format in which the ACL is specified.
10.
To add another ACL entry, click the Add new entry button and repeat the procedure.
11.
Click Save to save the action.
You can add an iRule event anywhere in an access policy. You use an iRule event to add iRule processing to an access policy at a specific point.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
Select iRule event and click Add Item.
The Custom iRule Event Agent popup screen opens.
5.
In the ID box, type the iRule event you want to insert.
6.
Click Save.