Archived Manual Chapter: Configuring General Purpose Access Policy

This article has been archived, and is no longer maintained.

In BIG-IP® Secure Access Manager, you use general purpose actions to configure general access policy functions, such as adding logon pages, and assigning resources, variables, and VLANs. General purpose actions also include structural actions that you can use to further refine the flow of access policies. The descriptions of these general purpose actions follow.
Logon page
Adds a logon page to the access policy. You can customize the messages and link text on the logon page, and create custom messages for different languages.
Resource assign
Assigns an access control list (ACL), a resource group, or both to the access policy. A resource group includes a network access resource, which can include traffic settings, a lease pool, and ACL, DNS and host settings, drive mappings, and applications to start.
Important: You must assign a resource group that includes a network access resource, using the resource assign action, in the access policy, to provide the user with a working network access connection when the user reaches a webtop ending.
Variable assign
Assigns one or more variables to the access policy. Use this to replace existing network access variables or custom variables with existing AAA attributes or results generated by custom expressions.
VLAN selection
Selects a VLAN gateway for policy-based routing.
Logging
Adds a logging agent that logs the specified session variables to the system logs.
Message box
Adds a message box that posts a message to the user. To continue, the user must click a link for which you provide the text. The user then proceeds on the same rule branch in the access policy.
Decision box
Adds a decision box that provides two options to the user for the access policy. You can then configure separate actions on the two branches, depending on user selections.
Empty action
A blank action from which you can create your own action.
In the visual policy editor, you can add and configure general purpose actions to customize your access policy. You can add a logon page, assign resources and variables, select a VLAN for policy-based routing, log specific session variables, or add messages and decisions in access policies or access policy macros. The tasks that follow describe how to add each of these actions.
You can customize the logon page with your own text for each section of the logon form, and you can localize those messages for different languages.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4. Select Logon Page and click Add Item.
The Logon page action popup screen opens.
5. From the Language list, select the language for which you want to customize messages.
Four default languages, English, Japanese, Chinese (Cantonese) and Chinese (Taiwanese), are included. You can specify more languages in the Language Settings section of the Access Profile properties.
6. Type the text for the logon form in the following fields.
Form Header Text
Specifies the text that appears at the top of the logon box.
Retry Message
Specifies the text that appears when the user enters incorrect credentials in the user name field, the password field, or both. One message covers both cases, so the retry text does not tell the user which of the two was wrong.
User Prompt
Specifies the text that appears in the prompt above the user name entry field.
Password Prompt
Specifies the text that appears in the prompt above the password entry field.
Save Password Checkbox
Specifies the text that appears next to the check box that allows users to save their passwords in the logon form. This field is used only in the standalone client, not in the web client.
Logon Button
Specifies the text that appears on the logon button, which submits the user credentials to the access policy.
7. Click Save when the fields are customized.
You assign a resource group, an ACL, or both to the access policy. A resource group includes a network access resource, which can include traffic settings, a lease pool, and ACL, DNS and host settings, drive mappings, and applications to launch. You must assign a resource group that includes a network access resource to provide the user with a working network access connection when the user reaches a webtop ending.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4. Select Resource Assign, and click Add Item.
The Resource Assign action popup screen opens.
5. Click Add new entry.
A new resource assign entry appears in the popup screen.
6. From the ACL list, select an ACL to assign.
ACL assignment is optional.
7. From the Resource Group list, select a resource group to assign.
A working network access connection must include a resource group that contains a network access resource.
8. To add an expression to the resource assign action, in the Expression column click change, and configure the expression.
Adding an expression is optional. If the expression evaluates to a non-zero value, the selected ACL and resource group are assigned. If the expression evaluates to zero, the selected resources are not assigned.
9. Click Save to save the action.
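An added example of the optional expression in the resource assign step above, not taken from this chapter or from F5's own documentation: it assigns the selected ACL and resource group only when the user's Active Directory group list, as recorded by an AD query earlier on the same branch, contains a VPN group. The expression is written in the Tcl syntax that the variable assign section refers to; the session variable name session.ad.last.attr.memberOf follows the session.ad.last.* convention this chapter mentions for AD attributes, and the group distinguished name is a placeholder to replace with your own.

```tcl
# Added example for the Resource Assign "Expression" field; not from the
# original chapter. Evaluates to 1 (assign the selected ACL and resource
# group) only when the user's AD group list contains the VPN group.
# Assumptions: an AD query action earlier on this branch populated
# session.ad.last.attr.memberOf (session.ad.last.* naming), and the group
# DN below is a placeholder for your own.
expr {
    [mcget {session.ad.last.attr.memberOf}] contains "CN=VPN-Users,OU=Groups,DC=example,DC=com"
}
```

The expression yields a non-zero value, and the resources are assigned, only when the group string matches. If the AD query did not run on this branch, or failed, the test does not match, the expression yields zero, and the user reaches the ending with no network access resource assigned; put a deny or redirect ending on that path rather than a webtop ending, so the failure is visible to the user instead of silent.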
You use the variable assign action to set a custom variable, or an existing network access resource variable, to the value of a AAA server attribute or of a custom expression. This allows you, for example, to assign a custom lease pool for a network access resource, based on the path taken through the access policy.
After the procedure for how to use the variable assign action, this section includes two simple examples. For an example scenario that uses the variable assign action with a Tcl expression to provide more advanced functionality, see Using advanced access policy rules.
For a list of the network access resource configuration variables you can assign with the variable assign action, and the accepted formats for replacement values, see Network access resource variable attributes.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4. Select Variable Assign and click Add Item.
The Variable Assign action popup screen opens.
5. Click Add new entry.
6. Under Assignment, click change.
The Variable Assignment popup screen opens.
7. In the left pane of the Variable Assignment popup screen, select the variable to assign.
You can select Custom Variable and type the custom variable name in the box, or you can select Configuration Variable and select the type, name, and property from the current configuration.
8. In the right pane of the Variable Assignment popup screen, select the value to assign to the variable.
You can select AAA Attribute and select the agent type, attribute type, and attribute name, or you can select Custom Expression and type a custom expression in the box.
9. Click Finished when you have assigned the variable.
10. Click Save to save the action.
In this example, you assign a lease pool to the network access client by using the custom attribute myAttribute from the Microsoft® Active Directory® server. Secure Access Manager gets the value of myAttribute from the Active Directory server, and replaces the network access resource value for leasepool_name with the value of myAttribute. For example, if you assigned myAttribute a value of leasepool1 on the Active Directory server, the network access resource, after the variable assign action, would assign the lease pool leasepool1 to the user.
Note: To use this example, you must have a lease pool defined on the Secure Access Manager, and the name of that lease pool must be defined as the user attribute, myAttribute, on the Active Directory server.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4. Select Variable Assign and click Add Item.
The Variable Assign action popup screen opens.
5. Click Add new entry.
6. Under Assignment, next to empty, click change.
The Variable Assignment popup screen opens.
7. In the left pane, select Configuration Variable.
8. From the Name list, select a network access resource.
9. From the Property list, select leasepool_name.
10. In the right pane, select AAA Attribute.
11. From the Agent Type list, select AD.
12. From the Attribute Type list, select Use user's attribute.
13. In the AD Attribute Name box, type myAttribute.
14. Click Finished.
15. Click Save to save the action.
When a user reaches this action in the access policy, Secure Access Manager gets the value of myAttribute from the user's AAA attributes, and replaces the lease pool defined in the network access resource with this value. Because the pool name is taken directly from the directory, anyone who can write myAttribute for a user decides which lease pool that user receives; restrict write access to that attribute accordingly.
In this example, you assign a lease pool to the network access client by replacing the network access resource value for leasepool_name with the value of a custom expression. Secure Access Manager evaluates the custom expression, and replaces the network access resource value for leasepool_name with the result. In this example, the access policy replaces the lease pool with an existing lease pool, called leasepool1, on the Secure Access Manager. The value you use for the custom expression is a simple string.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4. Select Variable Assign and click Add Item.
The Variable Assign action popup screen opens.
5. Click Add new entry.
6. Under Assignment, next to empty, click change.
The Variable Assignment popup screen opens.
7. In the left pane, select Configuration Variable.
8. From the Name list, select a network access resource.
9. From the Property list, select leasepool_name.
10. In the right pane, select Custom Expression.
11. In the Custom Expression box, type "leasepool1" (including the quotes).
12. Click Finished.
13. Click Save to save the action.
When a user reaches this action in the access policy, Secure Access Manager evaluates the custom expression, in this case a simple string with the lease pool name, and replaces the lease pool defined in the network access resource with this value.
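The two examples above either assign a fixed pool name or pass through whatever the directory attribute contains. The following added example, which is not from this chapter, shows the Custom Expression form selecting among pool names written into the policy itself, based on AD group membership, so the pool a user receives never depends on the literal contents of a directory attribute. It assumes an AD query earlier on the branch populated session.ad.last.attr.memberOf, and that lease pools named leasepool_admins, leasepool_staff and leasepool_quarantine exist on the Secure Access Manager; the pool and group names are placeholders.

```tcl
# Added example for the Variable Assign "Custom Expression" box on the
# leasepool_name property; not from the original chapter.
# Returns a pool name chosen in the policy, never one read from a
# directory attribute. Assumptions: an AD query earlier on the branch set
# session.ad.last.attr.memberOf; lease pools leasepool_admins,
# leasepool_staff and leasepool_quarantine exist on the Secure Access
# Manager; the group DNs are placeholders.
expr {
    [mcget {session.ad.last.attr.memberOf}] contains "CN=VPN-Admins,OU=Groups,DC=example,DC=com"
        ? "leasepool_admins"
    : [mcget {session.ad.last.attr.memberOf}] contains "CN=VPN-Staff,OU=Groups,DC=example,DC=com"
        ? "leasepool_staff"
        : "leasepool_quarantine"
}
```

The result is a string, exactly like the quoted "leasepool1" typed in the procedure above, so the action replaces leasepool_name with whichever branch of the expression matched. The final fallback places a user who matches neither group in the restricted pool rather than leaving the choice to data outside the policy.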
You select a VLAN gateway to use VLAN-based policy routing. Add this action on a branch of the access policy when you want to send the user to a different VLAN or gateway, based on the outcomes of previous branches in the access policy.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4. Select VLAN Selection and click Add Item.
The VLAN Selection action popup screen opens.
5. From the VLAN Gateway list, select a VLAN gateway to use with this access policy.
6. Click Save to save the action.
Use access policy logging to write the values of specific session variables or session variable categories to the system logs. You can use this action to trace the session variables that are created for a specific category, or in a specific branch.
One use for access policy logging is to trace the variables created from AAA server attributes. The Secure Access Manager creates session variables for all AAA server attributes, so the session variables that are created in a session are specific to the configuration of the AAA server. As an example, to determine the session variables created from RADIUS attributes, you can set the logging action to log all RADIUS variables, by selecting RADIUS from the Session Variables category list. Logged values are written to the system logs as-is, and AAA attribute categories can carry personal data, so log only the categories you need while troubleshooting and remove the action afterward.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4. Select Logging and click Add Item.
The Logging action popup screen opens.
5. Click Add new entry.
6. From the Session Variables category list, select the category of session variables to log.
If you select a predefined category, all session variables for that category are logged using wildcards. For example, for Active Directory, the session variables session.ad.last.* are logged.
If you select the Custom category, type a session variable or session variable category to log in the Session Variables box.
7. When you have finished, click Save to save the action.
You can add a message box anywhere in an access policy. A message box has no effect on the user's access to the network or on the access policy checks. It is used solely to present a message to the user, and to prompt the user to click a link to continue. You might use a message box to warn a user that they are going to a quarantine network, or that the client certificate failed to authenticate, or any other time you want to tell the user about the results of a rule branch in the access policy.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4. Select Message Box and click Add Item.
The Message Box action popup screen opens.
5. From the Language list, select the language for the message.
6. In the Message box, type the message to the user. You can use HTML tags for formatting, as in the example:
<font color=red> Please click the link below to continue. </font>
7. In the Link box, type the text that the user must click to continue.
This text appears as a link the user can click to continue.
8. Click Save.
You can add a decision box anywhere in an access policy. You use a decision box to present two options to the user. These options are presented as link text, preceded by images. You might use a decision box when a user fails an endpoint security check, or when a user fails to authenticate. In these cases, one branch can provide an option to allow the user to continue onto a quarantine network that provides only limited access to a segregated subnet. The other branch can provide an option to log out, and present the user with a logon denied ending. Another use of the second option branch is to allow the user to continue to a redirect ending that takes the user to a helpful URL, for example, to the web site of an antivirus vendor to download virus database updates.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4. Select Decision Box and click Add Item.
The Decision Box action popup screen opens.
5. In the Message box, type a message to the user. You can use HTML tags for formatting, as in the example:
<font color=red> Please choose one of the following two options below. </font>
6. From the Field 1 image list, select the image for option 1.
This image precedes the text you type in the next step.
7. In the Option 1 box, type the text for option 1.
This text appears to the user as the first clickable link.
8. From the Field 2 image list, select the image for option 2.
This image precedes the text you type in the next step.
9. In the Option 2 box, type the text for option 2.
This text appears to the user as the second clickable link. Note that option 2 is the fallback rule branch of the access policy action.
10. Click Save.