Manual Chapter : Configuring Routing for Access Policies

Applies To:


BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Selecting a route domain for a session (example)

A route domain is a BIG-IP system object that represents a particular network configuration. Route domains provide the capability to segment network traffic, and define separate routing paths for different network objects and applications. You can create an access policy that assigns users to different route domains using the Route Domain and SNAT Selection action based on whatever criteria you determine appropriate.

You might use policy routing in a situation such as this: your company has switched from RADIUS authentication to Active Directory authentication, but has not yet completed the full transition. Because of the state of the authentication changeover, you would like your legacy RADIUS users to pass through to a portal access connection on a separate router, instead of allowing full access to your network.

This implementation provides configuration steps for this example.

Task summary

Creating a route domain on the BIG-IP system

Before you create a route domain:
  • Ensure that an external and an internal VLAN exist on the BIG-IP system.
  • Verify that you have set the current partition on the system to the partition in which you want the route domain to reside.
You can create a route domain on the BIG-IP system to segment (isolate) traffic on your network. Route domains are useful for multi-tenant configurations.
  1. On the Main tab, click Network > Route Domains. The Route Domain List screen opens.
  2. Click Create. The New Route Domain screen opens.
  3. In the Name field, type a name for the route domain. This name must be unique within the administrative partition in which the route domain resides.
  4. In the ID field, type an ID number for the route domain. This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID.
  5. For the Parent Name setting, retain the default value.
  6. For the VLANs setting, from the Available list, select a VLAN name and move it to the Members list. Select the VLAN that processes the application traffic relevant to this route domain. Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.
  7. Click Finished. The system displays a list of route domains on the BIG-IP system.
You now have another route domain on the BIG-IP system.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. Type a name for the access profile.
  4. From the Profile Type list, select one:
    • APM-LTM - Select for a web access management configuration.
    • SSO - Select only when you do not need to configure an access policy.
    • SWG - Explicit - Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent - Select to configure access using Secure Web Gateway transparent forward proxy.
    • SSL-VPN - Select for other types of access, such as network access, portal access, application access. (Most access policy items are available for this type.)
    • ALL - Select for any type of access.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
This creates an access profile with a default access policy.

Configuring policy routing

To follow the steps in this example, you must have Access Policy Manager AAA server objects created for Active Directory and RADIUS as well.
You configure an access policy similar to this one to route users depending on whether they pass Active Directory authentication or RADIUS authentication. This example illustrates one way to handle a company-wide transition between one type of authentication and another, and to ensure that users get access to the correct resources, however they authenticate.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click the name of the access profile for which you want to edit the access policy. The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy. The Access Policy screen opens.
  4. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate screen.
  5. On an access policy branch, click the (+) icon to add an item to the access policy. A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  6. On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
  7. Make any changes that you require to the logon page properties and click Save. The properties screen closes and the visual policy editor displays.
  8. On the fallback branch after the previous action, click the (+) icon to add an item to the access policy. A popup screen opens.
  9. On the Authentication tab, select AD Auth. A properties screen displays.
  10. From the Server list, select a server.
  11. Click Save. The properties screen closes and the visual policy editor displays.
  12. On the Successful branch after the previous action, click the (+) icon. A popup screen opens.
  13. Assign resources to the users that successfully authenticated with Active Directory.
    1. On the Assignment tab, select the Advanced Resource Assign agent, and click Add Item. The Resource Assignment window opens.
    2. Click Add new entry. An Empty entry displays.
    3. Click the Add/Delete link below the entry. The screen changes to display resources on multiple tabs.
    4. On the Network Access tab, select a network access resource.
    5. Optional: On the Webtop tab, select a network access webtop.
    6. Click Update. The popup screen closes.
    7. Click Save. The properties screen closes and the visual policy editor is displayed.
    8. Click the ending that follows the Advanced Resource Assign action and change it to an allow ending, by selecting Allow and clicking Save.
  14. On the fallback branch after the Active Directory action, click the (+) icon to add an item to the access policy. In this case, fallback indicates failure. For users that did not pass Active Directory authentication, you can configure RADIUS authentication and select a route domain for them so that they go to a different gateway. A popup screen opens.
  15. Type radi in the search box, select RADIUS Auth from the results, and click Add Item. A popup screen opens.
  16. From the AAA Server list, select a RADIUS server and click Save. The popup screen closes and the visual policy editor displays.
  17. On the Successful branch after the previous action, click the (+) icon. A popup screen opens.
  18. On the Assignment tab, select Route Domain and SNAT Selection and click the Add Item button. This opens the popup screen for the action.
  19. From the Route Domain list, select a route domain and click Save. The popup screen closes and the visual policy editor displays.
  20. On the successful branch after the route domain selection action, click the (+) icon. A popup screen opens.
  21. Assign resources to the users that successfully authenticated with RADIUS.
    1. On the Assignment tab, select the Advanced Resource Assign agent, and click Add Item. The Resource Assignment window opens.
    2. Click Add new entry. An Empty entry displays.
    3. Click the Add/Delete link below the entry. The screen changes to display resources on multiple tabs.
    4. On the Network Access tab, select a network access resource. Note that you can assign the same network access resource to clients whether they authenticate with Active Directory or RADIUS. You assigned a different route domain to the clients that successfully authenticated with RADIUS. As a result, both types of clients will reach separate routers.
    5. Optional: On the Webtop tab, select a network access webtop.
    6. Click Update. The popup screen closes.
    7. Click Save. The properties screen closes and the visual policy editor is displayed.
    8. Click the ending that follows the Advanced Resource Assign action and change it to an allow ending, by selecting Allow and clicking Save.
  22. Click the Apply Access Policy link to apply and activate the changes to the access policy.
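The branch logic that steps 6 through 22 build in the visual policy editor, written out as an added Python model. This is example code, not F5 code and not the product's policy engine: the access policy is represented as a small graph of agents, each returning the name of the branch the session follows (Successful or fallback), and the AD and RADIUS AAA servers are stood in for by constructed user tables. The route domain ID (1), the resource name, and the Deny ending on the RADIUS fallback branch are assumptions; the page does not give those values.

```python
"""Toy evaluator for the policy-routing access policy described above.

Added example, not F5 code. Each node wraps one visual policy editor agent;
agents mutate the session and return the branch name the policy follows next.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed directories standing in for the Active Directory and RADIUS
# AAA servers (assumption: alice is an AD user, bob is a legacy RADIUS user).
AD_USERS = {"alice": "ad-pass"}
RADIUS_USERS = {"bob": "radius-pass"}


@dataclass
class Session:
    username: str
    password: str
    route_domain: int = 0           # default route domain until an agent changes it
    resources: list = field(default_factory=list)
    ending: Optional[str] = None    # "allow" or "deny" once the policy finishes
    trail: list = field(default_factory=list)  # "node:branch" steps, for inspection


# Agents. Each returns the outgoing branch name, mirroring the editor's branches.
def logon_page(s: Session) -> str:
    return "fallback"               # Logon Page has a single outgoing branch


def ad_auth(s: Session) -> str:
    return "successful" if AD_USERS.get(s.username) == s.password else "fallback"


def radius_auth(s: Session) -> str:
    return "successful" if RADIUS_USERS.get(s.username) == s.password else "fallback"


def route_domain_select(rd_id: int) -> Callable[[Session], str]:
    # Route Domain and SNAT Selection: tags the session with a route domain.
    def agent(s: Session) -> str:
        s.route_domain = rd_id
        return "successful"
    return agent


def resource_assign(resource: str) -> Callable[[Session], str]:
    # Advanced Resource Assign: attaches a resource, single outgoing branch.
    def agent(s: Session) -> str:
        s.resources.append(resource)
        return "fallback"
    return agent


@dataclass
class Node:
    agent: Callable[[Session], str]
    branches: Dict[str, str]        # branch name -> next node, or an ending


# The policy graph from the procedure. "allow"/"deny" are endings, not nodes.
# Assumptions: route domain ID 1 for RADIUS users, resource "network_access_1",
# and the default Deny ending on the RADIUS fallback branch.
POLICY: Dict[str, Node] = {
    "logon": Node(logon_page, {"fallback": "ad"}),
    "ad": Node(ad_auth, {"successful": "ad_resources", "fallback": "radius"}),
    "ad_resources": Node(resource_assign("network_access_1"), {"fallback": "allow"}),
    "radius": Node(radius_auth, {"successful": "rd_select", "fallback": "deny"}),
    "rd_select": Node(route_domain_select(1), {"successful": "radius_resources"}),
    "radius_resources": Node(resource_assign("network_access_1"), {"fallback": "allow"}),
}


def evaluate(session: Session, start: str = "logon") -> Session:
    """Walk the graph from `start` until an ending is reached."""
    current = start
    while current not in ("allow", "deny"):
        node = POLICY[current]
        branch = node.agent(session)
        session.trail.append(f"{current}:{branch}")
        current = node.branches[branch]
    session.ending = current
    return session


def run_policy(username: str, password: str) -> Session:
    return evaluate(Session(username=username, password=password))


if __name__ == "__main__":
    for user, pw in (("alice", "ad-pass"), ("bob", "radius-pass"), ("bob", "wrong")):
        s = run_policy(user, pw)
        print(user, s.ending, "rd=%d" % s.route_domain, s.resources, s.trail)
```

Running it shows the property the procedure relies on: the AD user and the RADIUS user receive the same network access resource, but only the RADIUS user's session carries route domain 1, so the two sessions egress through different routers. A user who fails both authentications reaches the Deny ending with no route domain change and no resources.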