Manual Chapter : Configuring Routing for Access Policies

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Manual Chapter

Configuring Routing for Access Policies

Overview: Selecting a route domain for a session (example)

A route domain is a BIG-IP® system object that represents a particular network configuration. Route domains provide the capability to segment network traffic, and define separate routing paths for different network objects and applications. You can create an access policy that assigns users to different route domains using the Route Domain and SNAT Selection action based on whatever criteria you determine appropriate.

You might use policy routing in a situation such as this: your company has switched from RADIUS authentication to Active Directory authentication, but has not yet completed the full transition. Because of the state of the authentication changeover, you would like your legacy RADIUS users to pass through to a portal access connection on a separate router, instead of allowing full access to your network.

This implementation provides configuration steps for this example.

Task summary

Creating a route domain on the BIG-IP system

Before you create a route domain:
  • Ensure that an external and an internal VLAN exist on the BIG-IP® system.
  • Verify that you have set the current partition on the system to the partition in which you want the route domain to reside.
You can create a route domain on BIG-IP system to segment (isolate) traffic on your network. Route domains are useful for multi-tenant configurations.
  1. On the Main tab, click Network > Route Domains .
    The Route Domain List screen opens.
  2. Click Create.
    The New Route Domain screen opens.
  3. In the Name field, type a name for the route domain.
    This name must be unique within the administrative partition in which the route domain resides.
  4. In the ID field, type an ID number for the route domain.
    This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID.
    An example of a route domain ID is 1.
  5. For the Parent Name setting, retain the default value.
  6. For the VLANs setting, from the Available list, select a VLAN name and move it to the Members list.
    Select the VLAN that processes the application traffic relevant to this route domain.
    Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.
  7. Click Finished.
    The system displays a list of route domains on the BIG-IP system.
You now have another route domain on the BIG-IP system.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and any per-request policy names.
  4. From the Profile Type list, select one these options:
    • LTM-APM: Select for a web access management configuration.
    • SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL: Select to support LTM-APM and SSL-VPN access types.
    • SSO: Select to configure matching virtual servers for Single Sign-On (SSO).
      Note: No access policy is associated with this type of access profile
    • RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication: Select to configure administrator access to the BIG-IP® system (when using APM as a pluggable authentication module).
    • Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      Note: You can edit Identity Service profile properties.
    Note: Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Configuring policy routing

To follow the steps in this example, you must have Access Policy Manager® AAA server objects created for Active Directory and RADIUS as well.
You configure an access policy similar to this one to route users depending on whether they pass Active Directory authentication or RADIUS authentication. This example illustrates one way to handle a company-wide transition between one type of authentication and another, and to ensure that users get access to the correct resources, however they authenticate.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy.
    The Access Policy screen opens.
  4. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  5. On an access policy branch, click the (+) icon to add an item to the access policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  6. On the Logon tab, select Logon Page and click the Add Item button.
    The Logon Page Agent properties screen opens.
  7. Make any changes that you require to the logon page properties and click Save.
    The properties screen closes and the visual policy editor displays.
  8. On the fallback branch after the previous action, click the (+) icon to add an item to the access policy.
    A popup screen opens.
  9. On the Authentication tab, select AD Auth.
    A properties screen displays.
  10. From the Server list, select a server.
  11. Click Save.
    The properties screen closes and the visual policy editor displays.
  12. On the Successful branch after the previous action, click the (+) icon.
    A popup screen opens.
  13. Assign resources to the users that successfully authenticated with Active Directory.
    1. On the Assignment tab, select the Advanced Resource Assign agent, and click Add Item.
      The Resource Assignment window opens.
    2. Click Add new entry.
      An Empty entry displays.
    3. Click the Add/Delete link below the entry.
      The screen changes to display resources on multiple tabs.
    4. On the Network Access tab, select a network access resource.
    5. Optional: Optionally, on the Webtop tab, select a network access webtop.
    6. Click Update.
      The popup screen closes.
    7. Click Save.
      The properties screen closes and the visual policy editor displays.
    8. Click the ending that follows the Advanced Resource Assign action and change it to an allow ending, by selecting Allow and clicking Save.
  14. On the fallback branch after the Active Directory action, click the (+) icon to add an item to the access policy.
    In this case, fallback indicates failure. For users that did not pass Active Directory authentication, you can configure RADIUS authentication and select a route domain for them so that they go to a different gateway.
    A popup screen opens.
  15. Type radi in the search field, select RADIUS Auth from the results, and click Add Item.
    A popup screen opens.
  16. From the AAA Server list, select a RADIUS server and click Save.
    The popup screen closes and the visual policy editor displays.
  17. On the Successful branch after the previous action, click the (+) icon.
    A popup screen opens.
  18. On the Assignment tab, select Route Domain and SNAT Selection and click the Add Item button.
    This opens the popup screen for the action.
  19. From the Route Domain list, select a route domain and click Save.
    The popup screen closes and the visual policy editor displays.
  20. On the successful branch after the route domain selection action, click the (+) icon.
    A popup screen opens.
  21. Assign resources to the users that successfully authenticated with RADIUS.
    1. On the Assignment tab, select the Advanced Resource Assign agent, and click Add Item.
      The Resource Assignment window opens.
    2. Click Add new entry.
      An Empty entry displays.
    3. Click the Add/Delete link below the entry.
      The screen changes to display resources on multiple tabs.
    4. On the Network Access tab, select a network access resource.
      Note that you can assign the same network access resource to clients whether they authenticate with Active Directory or RADIUS. You assigned a different route domain to the clients that successfully authenticated with RADIUS. As a result, both types of clients will reach separate routers.
    5. Optional: Optionally, on the Webtop tab, select a network access webtop.
    6. Click Update.
      The popup screen closes.
    7. Click Save.
      The properties screen closes and the visual policy editor displays.
    8. Click the ending that follows the Advanced Resource Assign action and change it to an allow ending, by selecting Allow and clicking Save.
  22. Click the Apply Access Policy link to apply and activate the changes to the access policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.