Manual Chapter : Configuring Dynamic ACLs

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

Overview: Applying ACLs from external servers

You can apply ACLs from Active Directory, RADIUS, or LDAP servers using the Dynamic ACL action from an Access Policy Manager® access policy.

Task summary

After you configure ACLs in a supported format on an Active Directory, LDAP, or RADIUS server, you can configure a dynamic ACL action to extract and use the ACLs.

Task list

About Dynamic ACL

A dynamic ACL is an ACL that is created on and stored in an LDAP, RADIUS, or Active Directory server. A Dynamic ACL action dynamically creates ACLs based on attributes from the AAA server. Because a dynamic ACL is associated with a user directory, this action can assign ACLs specifically per the user session.

Note: Access Policy Manager® supports dynamic ACLs in an F5® ACL format, and in a subset of the Cisco ACL format.

A Dynamic ACL action provides these configuration elements and options:

Source
Specifies an option and the attribute from which the Dynamic ACL action extracts ACLs: Custom indicates an F5 ACL from an Active Directory, RADIUS, or LDAP directory; Cisco AV-Pair VSA indicates a Cisco AV-Pair ACL from a RADIUS directory; the field is prepopulated with:  session.radius.last.attr.vendor-specific.1.9.1.
ACL
Specifies the dynamic ACL container configured on the BIG-IP® system.
Format
Specifies the format (F5 or Cisco) in which the ACL is specified.
Note: To succeed, a Dynamic ACL action must follow an authentication or query action to capture the authentication variables that contain the dynamic ACL specification.

Configuring a dynamic ACL container

A dynamic ACL container provides an unconfigured ACL that you select when you configure a dynamic ACL action in an access policy.
  1. On the Main tab, click Access Policy > ACLs. The ACLs screen opens.
  2. Click Create. The New ACL screen opens.
  3. In the Name field, type a name for the access control list.
  4. From the Type list, select Dynamic.
  5. Optional: In the Description field, add a description of the access control list.
  6. Optional: From the ACL Order list, specify the order in which to add the new ACL relative to other ACLs:
    • Select After to add the ACL after a specific ACL and select the ACL from the list.
    • Select Specify to type the specific number of the ACL in the field.
    • Select Last to add the ACL at the last position in the list.
  7. From the Match Case for Paths list, select Yes to match case for paths, or No to ignore path case. This setting specifies whether alphabetic case is considered when matching paths in an access control entry.
  8. Click the Create button. The ACL Properties screen opens; it displays the newly configured dynamic ACL container.

Adding a dynamic ACL to an access policy

Before you start this task, configure an access profile and a dynamic ACL container. Add an authentication action to the access policy before the dynamic ACL action so that APM can first capture authentication variables that contain the dynamic ACL specification.
Configure a dynamic ACL action to extract and apply an ACL from an AAA server (Active Directory, LDAP, or RADIUS).
Note: Because a dynamic ACL is associated with a user directory, you can use one to assign ACLs specifically per the user session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. From the Assignment tab, select Dynamic ACL, and click Add Item. A properties screen opens.
  5. To add an ACL, click the Add new entry button. A new row opens in the table.
  6. Select one of these from the list:
    • Custom Select to use an F5 ACL from an AD, RADIUS, or LDAP directory.
    • Cisco AV-Pair VSA Select to use a Cisco AV-Pair ACL from a RADIUS directory.
  7. In the Source field, type the attribute from which the Dynamic ACL action extracts ACLs. If you are using Cisco AV-Pair VSA from a RADIUS server, the field is prepopulated with session.radius.last.attr.vendor-specific.1.9.1.
  8. From the ACL list, select the dynamic ACL container that you configured previously.
  9. From the Format list, select the format in which the ACL is specified.
  10. Optional: To configure another ACL, click the Add new entry button and repeat the configuration steps.
  11. Select Save to save any changes and return to the access policy.
The access policy is configured to extract an ACL from an AAA server and apply it when processing occurs on the access policy branch. You can now configure any additional actions you need in the access policy.
Click the Apply Access Policy link to apply and activate your changes to this access policy.

F5 ACL format

Specifies F5® ACL syntax and provides examples.

Specify an F5 ACL using this syntax.

{ action [logging_options] context }

action

This is an action that the ACL takes on traffic that matches the ACL context.

allow Allows the specified traffic.

reject Rejects the specified traffic and sends a TCP RST code to the initiator.

discard Silently drops the packets.

continue Skips checking against the remaining access control entries in this ACL, and continues evaluation at the next ACL.

logging_options

Specifying a logging option is optional.

log Enables default logging for the ACL

log-packet Writes packet-level logs to the packet filter log file

log-verbose Writes verbose logs

log-summary Writes summary logs

log-config Writes configuration logs to the configuration log file

context

Context specifies a protocol followed by addresses, networks, and ports for the ACL action.

ip IP protocol traffic

http HTTP protocol traffic. Requires that you specify an HTTP or HTTPS URL in the ACL definition

udp UDP traffic only

tcp TCP traffic only

Address, network, and port specification

Specify addresses in a pair separated by a space. The first address in the pair should match the host, and the second address in the pair should match the destination. This syntax:

any[/mask][:port]

matches any host or IP address with an optional subnet mask or a port. For example,

{ allow tcp any 1.2.3.4 }

allows TCP traffic between any host and the destination IP address 1.2.3.4.

{ allow tcp any/8 1.2.3.4 }

allows TCP traffic between any host within the subnet 255.0.0.0 and the destination IP address 1.2.3.4.

{ allow tcp any/8:8000 1.2.3.4 }

allows TCP traffic between any host within the subnet 255.0.0.0 on port 8000 and the destination IP address 1.2.3.4.

This syntax:

IP address[/mask][:port]

matches a specific IP address with an optional subnet mask or a port. For example,

{ allow 1.1.1.1 1.2.3.4 }

allows TCP traffic between the host IP address 1.1.1.1 and the destination IP address 1.2.3.4.

{ allow 1.1.1.0/16 1.2.3.4 }

allows TCP traffic between host IP addresses on the network 1.1.1.0 with the subnet mask 255.255.0.0 and the destination IP address 1.2.3.4.

{ allow 1.1.1.1:22 1.2.3.4 }

allows TCP traffic between the host IP address 1.1.1.1 on port 22 and the destination IP address 1.2.3.4.

F5 ACL with the IP protocol

This example shows how to specify an IP protocol address in F5 ACL format. An IP protocol number, 51, and an address pair specification follow the context word ip. { allow ip 51 any 1.2.3.4 }

F5 ACL with the TCP or UDP protocol

This example shows how to specify a TCP or UDP protocol address in F5 ACL format. An address pair specification follows the context word (tcp or udp). { allow tcp any 1.2.3.4 } { allow udp any 1.2.3.4 }

F5 ACL with the HTTP protocol

These examples show how to specify an HTTP protocol address in F5 ACL format. A host address, destination address, and URL follow the context word http. The URL specification supports wildcards with glob matching. { allow http any 1.2.3.4 https://www.siterequest.com/* } { allow http any 1.2.3.0/24 http://*.siterequest.com/* } { allow http any 1.2.3.0/24 http://*.siterequest.???/* }

Cisco ACL format

Specifies the subset of Cisco ACL syntax that Access Policy Manager® supports and provides examples.

Usage

On a RADIUS server, Access Policy Manager supports dynamic ACLs that use the subset of the Cisco ACL format described here.

Prefix

You can specify this prefix ip:inacl#X= where X is an integer used as a rule identifier.

Keywords

These keywords are mapped with the F5 log-packet format: log and log-input.

These keywords are not supported: tosestablishedtime-range, dynamic, and precedence.

Supported specification for Cisco ACL for IP protocol

{deny|permit} ip source source-wildcard destination destination-wildcard [log|log-input]

For example:

ip:inacl#10=permit ip any any log

Supported specification for Cisco ACL for TCP protocol

{deny|permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]

For example:

ip:inacl#10=permit tcp any host 10.168.12.100 log

Supported specification for Cisco ACL for UDP protocol

{deny|permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]

For example:

deny udp any any log