Applies To: BIG-IP APM 13.0.1, 13.0.0
Overview: Applying ACLs from external servers
You can apply ACLs from Active Directory, RADIUS, or LDAP servers using the Dynamic ACL action from an Access Policy Manager® access policy.
Task summary
After you configure ACLs in a supported format on an Active Directory, LDAP, or RADIUS server, you can configure a dynamic ACL action to extract and use the ACLs.
About Dynamic ACL
A dynamic ACL is an ACL that is created on and stored in an LDAP, RADIUS, or Active Directory server. A Dynamic ACL action dynamically creates ACLs based on attributes from the AAA server. Because a dynamic ACL is associated with a user directory, this action can assign ACLs specifically per the user session.
A Dynamic ACL action provides these configuration elements and options:
- Source
- Specifies the source option and the attribute from which the Dynamic ACL action extracts ACLs. Custom indicates an F5 ACL from an Active Directory, RADIUS, or LDAP directory. Cisco AV-Pair VSA indicates a Cisco AV-Pair ACL from a RADIUS directory; for this option the attribute field is prepopulated with session.radius.last.attr.vendor-specific.1.9.1.
- ACL
- Specifies the dynamic ACL container configured on the BIG-IP® system.
- Format
- Specifies the format (F5 or Cisco) in which the ACL is specified.
F5 ACL format
Specifies F5® ACL syntax and provides examples. This syntax applies to both static and dynamic ACLs.
Specify an F5 ACL using this syntax.
comment { action [logging_options] context } comment { action [logging_options] context }...
The syntax allows multiple ACLs in a single string along with comments.
comment
Any characters before an open curly brace ({) or after a closed curly brace (}) are treated as comments. Comments are optional. They have no effect on the ACLs. These examples show identical ACLs with different comments; APM® interprets them as being the same.
String comments
This is my HTTP server ACL { allow tcp any 1.2.3.4:80 } This is my default ACL { reject ip any any }
A space as a comment
{ allow tcp any 1.2.3.4:80 } { reject ip any any }
Newline comments
{ allow tcp any 1.2.3.4:80 }\n
{ reject ip any any }\n
Vertical bar comments
| { allow tcp any 1.2.3.4:80 } | { reject ip any any } |
action
This is an action that the ACL takes on traffic that matches the ACL context.
allow Allows the specified traffic.
reject Rejects the specified traffic and sends a TCP RST code to the initiator.
discard Silently drops the packets.
continue Skips checking against the remaining access control entries in this ACL, and continues evaluation at the next ACL.
logging_options
Specifying a logging option is optional.
log Enables default logging for the ACL.
log-packet Writes packet-level logs to the packet filter log file.
log-verbose Writes verbose logs.
log-summary Writes summary logs.
log-config Writes configuration logs to the configuration log file.
context
Context specifies a protocol followed by addresses, networks, and ports for the ACL action.
http HTTP protocol traffic. Requires that you specify an HTTP or HTTPS URL in the ACL definition.
udp UDP traffic only.
tcp TCP traffic only.
ip IP protocol traffic. An IP protocol number can optionally follow the context word ip.
For example, { reject ip 0 any any } (protocol number 0) is equivalent to { reject ip any any }.
Address, network, and port specification
Specify addresses in a pair separated by a space. The first address in the pair should match the host, and the second address in the pair should match the destination. This syntax:
any[/mask][:port]
matches any host or IP address with an optional subnet mask or a port. For example,
{ allow tcp any 1.2.3.4 }
allows TCP traffic between any host and the destination IP address 1.2.3.4.
{ allow tcp any/8 1.2.3.4 }
allows TCP traffic between any host within the subnet 255.0.0.0 and the destination IP address 1.2.3.4.
{ allow tcp any/8:8000 1.2.3.4 }
allows TCP traffic between any host within the subnet 255.0.0.0 on port 8000 and the destination IP address 1.2.3.4.
This syntax:
IP address[/mask][:port]
matches a specific IP address with an optional subnet mask or a port. For example,
{ allow tcp 1.1.1.1 1.2.3.4 }
allows TCP traffic between the host IP address 1.1.1.1 and the destination IP address 1.2.3.4.
{ allow tcp 1.1.1.1:22 1.2.3.4 }
allows TCP traffic between the host IP address 1.1.1.1 on port 22 and the destination IP address 1.2.3.4.
F5 ACL with the IP protocol
This example shows how to specify an IP protocol address in F5 ACL format. An IP protocol number, 51, and an address pair specification follow the context word ip.
{ allow ip 51 any 1.2.3.4 }
F5 ACL with the TCP or UDP protocol
This example shows how to specify a TCP or UDP protocol address in F5 ACL format. An address pair specification follows the context word (tcp or udp).
{ allow tcp any 1.2.3.4 } { allow udp any 1.2.3.4 }
F5 ACL with the HTTP protocol
These examples show how to specify an HTTP protocol address in F5 ACL format. A host address, destination address, and URL follow the context word http. The URL specification supports wildcards with glob matching.
{ allow http any 1.2.3.4 https://www.siterequest.com/* }
{ allow http any 1.2.3.0/24 http://*.siterequest.com/* }
{ allow http any 1.2.3.0/24 http://*.siterequest.???/* }
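The F5 ACL syntax described above (comments outside braces; action, optional logging options and context inside; any/address with optional /mask and :port; an optional IP protocol number after ip; a glob URL after http) is small enough to parse completely. The following is an added example written for this page, not F5 code and not an APM component: it parses an ACL string into entries, rejects malformed ones, and checks an http entry's URL glob against a request URL with shell-style matching. The sample string is constructed from the page's own examples; the validation rules beyond the page (a numeric port, a 0-32 mask length, dotted IPv4 only) are assumptions.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

# Vocabulary from the F5 ACL format description.
ACTIONS = {"allow", "reject", "discard", "continue"}
LOGGING = {"log", "log-packet", "log-verbose", "log-summary", "log-config"}
CONTEXTS = {"http", "udp", "tcp", "ip"}
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # assumption: IPv4 addresses only
# Text outside braces is a comment; the body between braces is one entry.
ENTRY_RE = re.compile(r"([^{}]*)\{([^{}]*)\}")


class AclSyntaxError(ValueError):
    """Raised when a string does not follow the F5 ACL syntax."""


@dataclass
class Endpoint:
    host: str                    # "any" or a dotted IPv4 address
    mask: Optional[int] = None   # prefix length, e.g. 8 for 255.0.0.0
    port: Optional[int] = None


@dataclass
class Entry:
    action: str
    logging: List[str]
    context: str
    src: Endpoint
    dst: Endpoint
    ip_protocol: Optional[int] = None   # only with the ip context; 0 acts like omitting it
    url: Optional[str] = None           # only with the http context
    comment: str = ""


def parse_endpoint(token: str) -> Endpoint:
    """Parse any[/mask][:port] or address[/mask][:port]."""
    port = mask = None
    if ":" in token:
        token, port_text = token.rsplit(":", 1)
        port = int(port_text)                      # non-numeric port raises ValueError
    if "/" in token:
        token, mask_text = token.split("/", 1)
        mask = int(mask_text)
        if not 0 <= mask <= 32:
            raise AclSyntaxError(f"bad mask length {mask}")
    if token != "any" and not IPV4_RE.fullmatch(token):
        raise AclSyntaxError(f"bad address {token!r}")
    return Endpoint(token, mask, port)


def parse_entry(body: str, comment: str = "") -> Entry:
    """Parse the text between one pair of braces: action [logging...] context."""
    toks = body.split()
    if not toks or toks[0] not in ACTIONS:
        raise AclSyntaxError(f"expected an action, got {toks[:1]}")
    action = toks.pop(0)
    logging = []
    while toks and toks[0] in LOGGING:
        logging.append(toks.pop(0))
    if not toks or toks[0] not in CONTEXTS:
        raise AclSyntaxError(f"expected a context (http/udp/tcp/ip), got {toks[:1]}")
    context = toks.pop(0)
    ip_protocol = None
    if context == "ip" and toks and toks[0].isdigit():
        ip_protocol = int(toks.pop(0))             # e.g. 51 in { allow ip 51 any 1.2.3.4 }
    if len(toks) < 2:
        raise AclSyntaxError("expected a source and a destination address")
    src, dst = parse_endpoint(toks.pop(0)), parse_endpoint(toks.pop(0))
    url = None
    if context == "http":
        if not toks or not toks[0].startswith(("http://", "https://")):
            raise AclSyntaxError("http context requires an HTTP or HTTPS URL")
        url = toks.pop(0)
    if toks:
        raise AclSyntaxError(f"unexpected trailing tokens {toks}")
    return Entry(action, logging, context, src, dst, ip_protocol, url, comment)


def parse_acl(text: str) -> List[Entry]:
    """Parse a whole ACL string; everything outside braces is a comment."""
    leftover = ENTRY_RE.sub("", text)
    if "{" in leftover or "}" in leftover:
        raise AclSyntaxError("unbalanced braces")
    return [parse_entry(m.group(2), m.group(1).strip()) for m in ENTRY_RE.finditer(text)]


def is_valid(text: str) -> bool:
    """True when the string parses; used to vet a directory attribute before applying it."""
    try:
        parse_acl(text)
        return True
    except ValueError:
        return False


def url_matches(entry: Entry, url: str) -> bool:
    """Glob match of an http entry's URL pattern (* and ? wildcards) against a request URL."""
    return entry.url is not None and fnmatchcase(url, entry.url)


# Constructed sample built from the page's examples: string comments, vertical-bar
# separators, a newline, a logging option, and the tcp, http and ip contexts.
SAMPLE = (
    "This is my HTTP server ACL { allow log tcp any 1.2.3.4:80 } "
    "| { allow http any 1.2.3.0/24 http://*.siterequest.com/* } | "
    "{ allow ip 51 any 1.2.3.4 }\n"
    "This is my default ACL { reject ip any any }"
)

if __name__ == "__main__":
    for e in parse_acl(SAMPLE):
        print(f"{e.comment!r:30} {e.action:7} {e.context:5} {e.src} -> {e.dst} {e.url or ''}")
```

Because `*` in fnmatch also matches `/`, the pattern `http://*.siterequest.com/*` matches any path on any host under siterequest.com, which is the behaviour the page's wildcard examples describe.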
Cisco ACL format
Specifies the subset of Cisco ACL syntax that Access Policy Manager® supports and provides examples.
Usage
On a RADIUS server, Access Policy Manager supports dynamic ACLs that use the subset of the Cisco ACL format described here.
Prefix
You must specify a prefix. For IPv4, use ip:inacl#X= where X is an integer used as a rule identifier. For IPv6, use ipv6:inacl#X=.
Keywords
The Cisco keywords log and log-input are both mapped to the F5 log-packet logging option.
These keywords are not supported: tos, established, time-range, dynamic, and precedence.
Supported specification for Cisco ACL for IP protocol
{ip|ipv6}:inacl#X={deny|permit} {ip|ipv6} source source-wildcard destination destination-wildcard [log|log-input]
For example:
ipv6:inacl#10=permit ipv6 any any log
Supported specification for Cisco ACL for TCP protocol
{ip|ipv6}:inacl#X={deny|permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]
For example:
ip:inacl#10=permit tcp any host 10.168.12.100 log
Supported specification for Cisco ACL for UDP protocol
{ip|ipv6}:inacl#X={deny|permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]
For example:
ip:inacl#2=deny udp any any log