Manual Chapter: Configuring General Purpose Access Policy Actions

In BIG-IP® Access Policy Manager, you configure access policies with general purpose actions in the visual policy editor. Use general purpose actions to add logon pages and to assign resources, variables, and route domains. General purpose actions also include structural actions that you can use to further refine the flow of access policies. The general purpose actions appear in the Add Item popup screen in the order that follows.
Logon page
Adds a logon page to the access policy. You can add a number of customized fields, including password fields or other flexible fields. You can also customize messages and links on the logon page, and create custom messages for different languages.
HTTP 401 Response
Allows you to specify HTTP authentication to log on to the system.
External logon page
Adds an external logon page to the access policy. This can be used with an external logon server to provide an external logon page for the access policy.
Full resource assign
Assigns resources to the access policy branch. With this action, you can add ACLs, set the network access resource, add or remove portal access, app tunnel, and remote desktop resources, set a webtop for the access policy branch, and assign webtop links.
You must assign a network access resource, portal access resources, or application access resources for these access types to function when the user reaches an allowed ending. You must also assign a webtop with a network access connection. LTM access (access to a local traffic virtual server) does not require a resource assign action. You can assign ACLs to any access type of connection with the full resource assign action.
Resource assign
Assigns connection resources only. Use this action to assign a network access tunnel, portal access resources, app tunnel resources, and remote desktop resources.
ACL assign
Assigns static ACLs. Use this action to assign ACLs you define on the system to the access policy branch.
Webtop and links assign
Assigns a webtop and webtop links to the access policy branch. Use this to provide a webtop for your connection, and to assign webtop links to the webtop.
Variable assign
Assigns one or more variables to the access policy. Use this to modify configuration variables or session variables assigned to a session.
Virtual Keyboard
Displays a popup window in the user's browser, which provides a virtual keyboard that allows the user to enter sensitive information such as passwords, while preventing snooping from keyboard loggers and other similar attacks.
SSO Credential Mapping
Assigns an agent that allows you to map single sign-on credentials, which can be used to automatically submit user credentials to different backend servers.
Citrix SmartAccess
Adds Citrix SmartAccess filters to the access policy branch, to filter access to published applications on Citrix XenApp desktops.
Route Domain selection
Selects a route domain object for policy-based routing. Route domains allow for highly configurable and complex VLAN routing. For more information on route domains, see the TMOS® Management Guide for BIG-IP® Systems.
Logging
Adds a logging agent that logs the specified session variables to the system logs.
Message box
Adds a message box that posts a message to the user. To continue, the user must click a link for which you provide the text. The user then proceeds on the same rule branch in the access policy.
Decision box
Adds a decision box that provides two options to the user for the access policy. You can then configure separate actions on the two branches, depending on user selections.
Dynamic ACL
Assigns a dynamic ACL to the access policy. Dynamic ACLs are derived from RADIUS attributes, and assigned with a dynamic ACL container. See Chapter 3, Configuring Resources, for more information.
iRule event
Adds an iRule event to the access policy.
Empty action
Adds a blank action from which you can create your own action.
In the visual policy editor, you can add and configure general purpose actions to customize your access policy. You can add a logon page, assign resources and variables, select a route domain for policy-based routing, add logging of specific session variables, or add messages and provide decisions in access policies or access policy macros. The general purpose action tasks you can do include:
You can customize the logon page with custom fields and text for different sections of the logon form. On the logon page you can also localize text messages for different languages. The logon page displays up to five logon page agents that can be fully customized. You can define a logon page agent with the following elements and options:
Split domain from full username - Select Yes to specify that when a username and domain combination is submitted (for example marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, "jsmith") is stored in the session variable session.logon.last.username. If you select No, the entire username string is stored in the session variable.
Type - Specifies the type of logon page agent. You can specify any agent to be text, password, or none.
A text agent type displays a text field, and shows the text that is typed in that field.
A password agent type displays an input field, but displays the typed text input as asterisks.
A none agent type specifies that the field is not displayed on the logon page.
Post Variable Name - Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.
Session Variable Name - Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas.
Read Only - Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use this to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy. You can use a read only logon page field to populate a field with a value from a session variable.
For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).
Figure 6.1 shows some items that can be customized with the logon page action.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select Logon Page and click Add Item.
The Logon page action popup screen opens.
6.
In the Logon Page Agent section, enable the fields you want to display on the logon page.
By default, a text field for the user name and a password field for the password are enabled and displayed. You can specify up to three more fields to display, or customize the ones enabled.
7.
From the Language list, select the language for which you want to customize messages.
The four default languages include English (en), Japanese (ja), simplified Chinese (zh-tw), and traditional Chinese (zh-cn). You can specify more languages in the Access Profile properties Language Settings section.
Form Header Text
Specifies the text that appears at the top of the logon box.
Logon Page Input Field # (1-5) - These fields specify the text that is displayed on the logon page for each of the logon page agents, defined in the Logon Page Agent screen area.
Save Password Checkbox
Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
Logon Button
Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
Front Image
Specifies an image file to display on the logon page.
Click Browse to select a file from the file system. Click Show image or Hide Image to show or hide the currently selected image file. Click Revert to Default Image to discard any customization and use the default logon page image.
New Password Prompt
Specifies the prompt displayed when a new Active Directory password is requested.
Verify Password Prompt
Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
Password and Password Verification do not Match
Specifies the prompt displayed when the new Active Directory password and verification password do not match.
9.
Click Save when the fields are customized.
The HTTP 401 response logon page allows you to send an HTTP 401 Authorization Required Response page to capture HTTP Basic or Negotiate authentication in your access policy, and provide branches for Basic and HTTP authentication. You can define the HTTP 401 response page with the following elements and options:
Split domain from full username - Select Yes to specify that when a username and domain combination is submitted (for example marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, "jsmith") is stored in the session variable session.logon.last.username. If you select No, the entire username string is stored in the session variable.
HTTP Auth Level - Specify the authentication required for the access policy. You can specify Basic, Negotiate, Basic + Negotiate, or None.
In the Customization section, you can customize the message that appears on the HTTP 401 response page. Note that you can customize messages only for languages that are accepted in the access profile.
You can add a link to an external logon page to use for logon credentials. This can be used with an external solution to provide robust logon credentials to the access policy.
Access Policy Manager sends an HTML page containing JavaScript code that redirects users to the external server.
The client submits a post_url variable. This post variable is used by the external application to return a value to the access policy. When the user completes authentication on the external server, the external server posts back to the URL specified in this variable, to continue the session.

The value of post_url is in the format:
http(or https)://<Access_Policy_Manager_URI>/my.policy. The <Access_Policy_Manager_URI> is the URI visible to the user, taken from the HTTP Host header value sent by the browser.
Figure 6.2 shows the content of a sample submission to an external logon server from the external logon page action.
<input type=hidden name=post_url value=https://IP_address_of_virtual/my.policy>
document.external_data_post_cls.action = unescape("https://external_server_IP_address/loginform2.1.php");
After the external logon server validates the user, the external server must return the user to the URL specified in post_url, and must post the username and password variables, which are then used by Access Policy Manager to validate the user, as shown in Figure 6.3.
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-silverlight, */*
Referer: https://external_server_IP_address/loginform2.1.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: virtual_server_IP_address
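A check the external logon server can apply before it returns credentials, shown as an added example (not F5 code): because post_url is submitted by the client and built from the browser's Host header, the server accepts it only when it names a known Access Policy Manager host, then builds the return form with escaped values. The host names, function names, and the https-only rule are assumptions of this example.

```python
from html import escape
from urllib.parse import urlsplit

# Assumption: public host names of the Access Policy Manager virtual servers
# that this external logon server is allowed to return credentials to.
ALLOWED_APM_HOSTS = frozenset({"vpn.example.com", "access.example.com"})
APM_POLICY_PATH = "/my.policy"  # path from the post_url format described above


def validate_post_url(post_url, allowed_hosts=ALLOWED_APM_HOSTS):
    """Return a canonical post_url if it targets a known APM host, else None."""
    if not isinstance(post_url, str) or not 0 < len(post_url) <= 2048:
        return None
    # Browsers and urlsplit disagree on backslashes, spaces and control
    # characters, so refuse them rather than guess how they will be parsed.
    if "\\" in post_url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in post_url):
        return None
    try:
        parts = urlsplit(post_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # This example requires https because the form carries a password.
    if parts.scheme != "https":
        return None
    # No userinfo ("user@host") and no non-default port.
    if "@" in parts.netloc or port not in (None, 443):
        return None
    host = parts.hostname  # already lowercased by urlsplit
    if host is None or host not in allowed_hosts:
        return None
    if parts.path != APM_POLICY_PATH or parts.query or parts.fragment:
        return None
    # Rebuild the URL from validated parts instead of echoing client input.
    return "https://" + host + APM_POLICY_PATH


def build_return_form(post_url, username, password):
    """Build the auto-submitting form that posts username and password
    back to Access Policy Manager after the external server has
    authenticated the user."""
    target = validate_post_url(post_url)
    if target is None:
        raise ValueError("post_url is not an allowed Access Policy Manager URL")
    return (
        '<form id="apm_return" method="post" action="%s">\n'
        '<input type="hidden" name="username" value="%s">\n'
        '<input type="hidden" name="password" value="%s">\n'
        '</form>\n'
        '<script>document.getElementById("apm_return").submit();</script>\n'
        % (escape(target, quote=True),
           escape(username, quote=True),
           escape(password, quote=True))
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in (
        "https://vpn.example.com/my.policy",
        "https://evil.example/my.policy",
        "https://vpn.example.com@evil.example/my.policy",
    ):
        print(candidate, "->", validate_post_url(candidate))
```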
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select External Logon Page and click Add Item.
The External Logon page action popup screen opens.
6.
In the External Logon Server URI box, type the external logon page URI.
7.
Click Save when you are finished.
You assign access control lists, a network access resource, portal access resources, a webtop, and webtop links to the access policy using one of the resource assign actions. Each resource assign action provides a similar function, with the following differences.
Full resource assign - allows you to assign all resources: network access, portal access, app tunnels, remote desktops, ACLs, webtops, and webtop links
Resource assign - assigns connection resources only: network access, portal access, app tunnels, and remote desktops
ACL assign - assigns static ACLs only
Webtop and links assign - assigns a webtop and webtop links only
Each of these resources contains configuration items. You must assign a network access resource for a network access connection. For portal access, app tunnels, or remote desktops, you must assign the appropriate resources. You can assign a network access resource for a single network access resource, a portal access resource for a portal access resource, or a full webtop to display multiple access types and webtop links. For an LTM access connection, you do not assign a connection resource or a webtop. You assign ACLs to all access types with the full resource assign action or with the ACL assign action.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select the resource assign action you want to use, and click Add Item.
The resource assign action popup screen for the action you chose opens.
6.
For the full resource assign action, click Add new entry, then click the Add/Delete link. For all other resource assign actions, click the Add/Delete link.
Resource assignment entries appear on the same screen or on a popup screen.
7.
To add resources, select the check boxes or click the radio buttons. To remove resources, clear the check boxes or radio buttons.
For webtops and network access resources, you can only add a single resource with a resource assignment action.
8.
Click Update if you are using the Full resource assign action.
9.
Click Save to save the action.
You use the variable assign action to assign a configuration variable, a predefined session variable, or a custom variable to a AAA server attribute or to a custom expression. This allows you, for example, to assign a custom lease pool for a network access resource, based on the path in an access policy.
After the procedure for how to use the variable assign action, this section includes two simple examples. For an example scenario that uses the variable assign action with a Tcl expression to provide more advanced functionality, see Using advanced access policy rules.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select Variable Assign and click Add Item.
The Variable Assign action popup screen opens.
6.
Click Add new entry.
7.
Under Assignment, click change.
The Variable Assignment popup screen opens.
8.
In the left pane of the Variable Assignment popup screen, select the variable to assign.
Select Configuration Variable to select a variable from a network access or app tunnel resource on the system. Select Custom Variable to define a custom variable, and type the custom variable name in the box. Select Predefined Session Variable and select the type, name, and property from the current configuration.
9.
Select Secure to define the session variable as secure.
A secure session variable is stored in encrypted form in the session database. The secure session variable value is not displayed in the session report, or logged by the logging agent.
10.
In the right pane of the Variable Assignment popup screen, select the value to assign to the variable.
You can select AAA Attribute and select the RADIUS, LDAP, or Active Directory agent type, attribute type, and attribute name, or you can select Custom Expression and type a custom expression in the box.
11.
Click Finished when you have assigned the variable.
12.
Click Save to save the action.
In this example, you assign a lease pool to the network access client by using the custom attribute myAttribute from the Microsoft® Active Directory® server. Access Policy Manager gets the value of myAttribute from the Active Directory server, and replaces the network access resource value for leasepool_name with the value of myAttribute. For example, if you assigned myAttribute a value of leasepool1 on the Active Directory server, the network access resource, after the variable assign action, would assign the lease pool leasepool1 to the user.
Note: To use this example, you must have a lease pool defined on the Access Policy Manager, and the name of that lease pool must be defined as the user attribute, myAttribute, on the Active Directory server.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select Variable Assign and click Add Item.
The Variable Assign action popup screen opens.
6.
Click Add new entry.
7.
Under Assignment, next to empty, click change.
The Variable Assignment popup screen opens.
8.
In the left pane, select Configuration Variable.
9.
From the Type list, select Network Access.
10.
From the Name list, select a network access resource.
11.
From the Property list, select leasepool_name.
12.
13.
From the Agent Type list, select AD.
14.
From the Attribute Type list, select Use users attribute.
15.
In the AD Attribute Name box, type myAttribute.
16.
Click Finished.
17.
Click Save to save the action.
When a user reaches this action in the access policy, Access Policy Manager gets the value for myAttribute from the user's AAA attributes, and replaces the lease pool defined in the network access resource with this value.
In this example, you assign a lease pool to the network access client by replacing the network access resource value for leasepool_name with the value of a custom expression. Access Policy Manager evaluates the custom expression, and replaces the network access resource value for leasepool_name with the value of the custom expression. In this example, the access policy replaces the lease pool with an existing lease pool, called leasepool1, on the Access Policy Manager. The value you use for the custom expression is a simple string.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select Variable Assign and click Add Item.
The Variable Assign action popup screen opens.
6.
Click Add new entry.
7.
Under Assignment, next to empty, click change.
The Variable Assignment popup screen opens.
8.
In the left pane, select Configuration Variable.
9.
From the Type list, select Network Access.
10.
From the Name list, select a network access resource.
11.
From the Property list, select leasepool_name.
12.
In the right pane, select Custom Expression.
13.
In the Custom Expression box, type "leasepool1" (including the quotes).
14.
Click Finished.
15.
Click Save to save the action.
When a user reaches this action in the access policy, Access Policy Manager evaluates the custom expression, in this case, a simple string with the lease pool name, and replaces the lease pool defined in the network access resource with this value.
You can add a virtual keyboard to the logon screen to prevent password characters from being typed on the physical keyboard. When you add the virtual keyboard action, the virtual keyboard appears on the logon screen when a user clicks in the password field, as shown in Figure 6.4. Users then type the password by clicking the characters on the virtual keyboard, instead of typing them on the physical keyboard.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
Note: Add the virtual keyboard in front of the logon page action with which you want the virtual keyboard to be used.
5.
Select Virtual keyboard and click Add Item.
The Virtual keyboard action popup screen opens.
6.
From the Virtual Keyboard list, select Enabled to enable the virtual keyboard, or Disabled to disable the virtual keyboard.
7.
From the Move Keyboard After Every Keystroke list, select Enabled to move the virtual keyboard after the user clicks each keystroke, or Disabled to not move the virtual keyboard after each keystroke.
This option can further obscure the password that you type with the virtual keyboard.
8.
From the Allow Manual Input list, select Enabled to allow the user to type the password with the physical keyboard or the virtual keyboard. Select Disabled to allow the user to type the password only with the virtual keyboard.
9.
Click Save when the fields are customized.
You add the SSO credential mapping action to enable users to forward stored user names and passwords to applications and servers automatically, without having to input credentials repeatedly. This allows single sign-on (SSO) functionality for secure access users.
As different applications and resources support different authentication mechanisms, the single sign-on system may be required to store and translate credentials that differ from the user name and password that a user inputs on the logon page. The SSO credential mapping action allows both the user name and the password to be retrieved from the logon page or in another way.
The secure access server can cache the user name for use with single sign-on (SSO) applications in the enterprise. When configuring credential caching and mapping, the administrator can define the cached credentials for the SSO Token Username by selecting one of the following:
Username from logon page - Retrieves and caches the user name that is entered on the secure access logon page.
sAMAccountName from Active Directory - Looks up the user's value for sAMAccountName in Active Directory, retrieves the value, and caches it for use as the user name.
sAMAccountName from LDAP Directory - Looks up the user's value for sAMAccountName in the LDAP Directory, retrieves the value, and caches it for use as the user name. This can only be used when the session is configured to access Active Directory over LDAP.
Custom - Allows you to retrieve a custom value from a session variable.
The secure access server can cache the password for use with single sign-on applications in the enterprise. When configuring credential caching and mapping, the administrator can define the cached credentials for the SSO Token Password by selecting one of the following:
Password from logon page - Retrieves and caches the password that is entered on the secure access logon page.
Custom - Allows you to retrieve a custom value from a session variable.
For information on how to configure SSO with credential caching and proxying, refer to the BIG-IP® Access Policy Manager® Single Sign-On Configuration Guide.
Use Citrix SmartAccess filters to enable the access policy to act as the Citrix Web Interface, and send SmartAccess filters to the XenApp server, which then displays applications and applies policies based on the filter content.
For SmartAccess to work with Access Policy Manager, the Farm Name for the filter on the Citrix server must be set to APM.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select Citrix SmartAccess and click Add Item.
The Citrix Smart Access action popup screen opens.
6.
In the Assignment field, type a Citrix SmartAccess filter name.
For example:
8.
When you have finished, click Save to save the action.
You select a route domain to use route domain-based policy routing. Add this action on a branch of the access policy when you want to send the user to a different route domain, based on the outcomes of previous branches in the access policy. You can select a SNAT to provide Secure NAT to the self IP address of the BIG-IP device, or to choose from a pool of configured internal addresses for SNAT.
If there is no SNAT defined in the Network Access resource, or the resource is another type, the SNAT is taken from this assignment in the access policy.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select Route Domain Selection and click Add Item.
The Route Domain Selection action popup screen opens.
6.
From the Route Domain ID list, select a route domain ID to use with this access policy.
7.
From the SNAT list, select a SNAT pool, automap, or none.
Route domains and SNAT pools must be already defined on the Access Policy Manager. For more information, see Configuring policy routing.
Use access policy logging to write the values of specific session variables or session variable categories to the system logs. You can use this action to trace the session variables that are created for a specific category, or in a specific branch.
One use for access policy logging is to trace the variables created from AAA server attributes. The Access Policy Manager creates session variables for all AAA server attributes, so the session variables that are created in a session are specific to the configuration of the AAA server. As an example, to determine the session variables created from RADIUS attributes, you can set the logging action to log all RADIUS variables, by selecting RADIUS from the Session Variables category list.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select Logging and click Add Item.
The logging action popup screen opens.
6.
Click Add new entry.
If you select a predefined category, all session variables for that session variable category are logged using wildcards. For example, for Active Directory, the session variables session.ad.last.* are logged.
If you select the Custom category, you can type a session variable or session variable category to log in the Session Variables box.
9.
When you have finished, click Save to save the action.
You can add a message box anywhere in an access policy. A message box has no effect on the user's access to the network or the access policy checks. It is used solely to present a message to the user, and to prompt the user to click a link to continue. You might use a message box to warn a user that he is going to a quarantine network, or that the client certificate failed to authenticate, or any other time you want to give the user a message about the results of a rule branch in the access policy.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select Message Box and click Add Item.
The Message Box action popup screen opens.
6.
From the Language list, select the language for the message.
7.
In the Message box, type the message to the user. You can use HTML tags for formatting, as in the example:
<font color=red> Please click the link below to continue. </font>
8.
In the Link box, type the text that the user must click to continue.
This text appears as a link the user can click to continue.
9.
Click Save.
You can add a decision box anywhere in an access policy. You use a decision box to present two options to the user. These options are presented as link text, preceded by images. You might use a decision box when a user fails an endpoint security check, or when a user fails to authenticate. In these cases, one branch can provide an option to allow the user to continue onto a quarantine network that provides only limited access to a segregated subnet. The other branch can provide an option to log out, and present the user with a logon denied ending. Another use of the second option branch is to allow the user to continue to a redirect ending that takes the user to a helpful URL, for example, to the web site of an antivirus vendor to download virus database updates.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
In the Message box, type a message to the user. You can use HTML tags for formatting, as in the example:
<font color=red> Please choose one of the following two options below. </font>
6.
From the Field 1 image list, select the image for field one.
This image precedes the text you type in the next step.
7.
In the Option 1 box, type the text for option 1.
This text appears to the user as the first clickable link.
8.
From the Field 2 image list, select the image to use for option 2. Note that option 2 is the fallback rule branch of the access policy action. This image precedes the text you type in the next step.
9.
In the Option 2 box, type the text for option 2.
Note that option 2 is the fallback rule branch of the access policy action. This text appears to the user as the second clickable link.
10.
Click Save.
You can add a dynamic ACL after an authentication that captures attributes from AD, LDAP, or RADIUS, and before the resources are assigned. To add a dynamic ACL, you must complete several steps first.
See Configuring dynamic ACLs for more information.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5.
Select Dynamic ACL, and click Add Item.
The Dynamic ACL action popup screen opens.
6.
7.
To use an F5 ACL from an AD, RADIUS, or LDAP directory, select Custom. To use a Cisco AV-Pair ACL from a RADIUS directory, select Cisco AV-Pair VSA.
8.
In the Source field, type the attribute from which the Dynamic ACL action extracts ACLs.
If you are using Cisco AV-Pair VSA from a RADIUS server, the field is prepopulated with session.radius.last.attr.vendor-specific.1.9.1.
9.
From the ACL list, select the dynamic ACL container.
10.
From the Format list, select the format in which the ACL is specified.
11.
To add another ACL entry, click the Add new entry button and repeat the procedure.
12.
Click Save to save the action.
You can add an iRule event anywhere in an access policy. You use an iRule event to add iRule processing to an access policy at a specific point.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
Select iRule event and click Add Item.
The Custom iRule Event Agent popup screen opens.
5.
In the ID box, type the iRule event you want to insert.
6.
Click Save.