Manual Chapter : Per-Request Policy Reference

Applies To:

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Per-Request Policy Reference

About access and per-request policies

Access Policy Manager® (APM®) provides two types of policies.

Access policy
The access policy runs when a client initiates a session. Depending on the actions you include in the access policy, it can authenticate the user and perform group or class queries to populate session variables with data for use throughout the session.
Per-request policy
After a session starts, a per-request policy runs each time the client makes an HTTP or HTTPS request. A per-request policy can include a subroutine, which starts a subsession. Multiple subsessions can exist at one time.

One access policy and one per-request policy are specified in a virtual server.

About per-request policies and the Apply Access Policy link

The Apply Access Policy link has no effect on a per-request policy. Conversely, updates made to a per-request policy do not affect the state of the Apply Access Policy link.

About per-request policies and nested macros

Access Policy Manager® (APM®) supports calling a macro from a per-request policy and calling a subroutine macro from a per-request policy subroutine. However, APM does not support calling any type of macro from a per-request policy macro or from a per-request policy subroutine macro.

Access policy and subroutine agent differences

The agents in this table are available to access policies and to per-request policy subroutines. In a per-request policy subroutine, not all options for an agent are supported and support for some options is implemented differently.

Table 1. Per-Request Policy Subroutine Agents with Differences
Agent Description
HTTP 401 Response Supports no authentication or HTTP Basic authentication only.
Logon Page A Subsession Variable field replaces the Session Variable field. Split domain from full Username and CAPTCHA Configuration fields do not display because the functionalities are not supported.
AD Auth Support for multiple logon attempts can be implemented using a macro loop. The Max Logon Attempts Allowed property does not display. The Show Extended Error property is not supported.
LDAP Auth Support for multiple logon attempts can be implemented using a macro loop. The Max Logon Attempts Allowed property does not display. The Show Extended Error property is not supported.
RADIUS Auth Support for multiple logon attempts can be implemented using a macro loop. The Max Logon Attempts Allowed property does not display. The Show Extended Error property is not supported.

Per-request policy items that read session variables

This table lists per-request policy items that read session variables and lists the access policy items that populate the variables.

Per-request policy item Session variable Access policy item
AD Group Lookup session.ad.last.attr.primaryGroupID AD Query
LDAP Group Lookup session.ldap.last.attr.memberOf LDAP Query
LocalDB Group Lookup session.localdb.groups Local Database
Note: This session variable is the default in the expression for LocalDB Group Lookup; any session variable in the expression must match the session variable used in the Local Database action in the access policy.
RADIUS Class Lookup session.radius.last.attr.class RADIUS Auth

Per-request policy items for APM and LTM

This table specifies the per-request policy items that Access Policy Manager (APM®) supports in APM and APM+LTM reverse proxy configurations and, separately, in forward proxy configurations.

Per-request policy item Supported with APM and APM+LTM in reverse proxy Supported with APM and APM+LTM in forward proxy
Protocol Lookup Yes Yes
SSL Intercept Set No Yes
SSL Bypass Set No Yes
Response Analytics No No
Application Lookup Yes Yes
Application Filter Assign Yes Yes
Category Lookup Yes, provided that the lookup type is custom categories and the categorization input is not Subject.CN Yes
URL Filter Assign Yes Yes
HTTP Headers Yes Yes
Logging Yes Yes
Dynamic Date Time Yes Yes
AD Group Lookup Yes Yes
LDAP Group Lookup Yes Yes
LocalDB Group Lookup Yes Yes
RADIUS Class Lookup Yes Yes
HTTP 401 Response Yes (in per-request policy subroutine) Yes (in per-request policy subroutine)
Logon Page Yes (in per-request policy subroutine) Yes (in per-request policy subroutine)
AD Auth Yes (in per-request policy subroutine) Yes (in per-request policy subroutine)
LDAP Auth Yes (in per-request policy subroutine) Yes (in per-request policy subroutine)
On-Demand Cert Auth Yes (in per-request policy subroutine) Yes (in per-request policy subroutine)
Note: Using On-Demand Cert Auth in a subroutine does not work for a forward proxy configuration.
RADIUS Auth Yes (in per-request policy subroutine) Yes (in per-request policy subroutine)
Confirm Box No No
iRule Event Yes (in per-request policy subroutine) Yes (in per-request policy subroutine)

Per-flow and subsession variables

Per-flow variables exist only while a per-request policy runs. Per-flow variables for a per-request policy subroutine exist while the subsession exists. Multiple subsessions can run simultaneously. The table lists per-flow variables and their values.

Name Value
perflow.agent_ending.result 0 (success) or 1 (failure).
perflow.application_lookup.result.families Comma-separated list of application families.
perflow.application_filter_lookup.result.action 0 (reject) or 1 (allow).
perflow.application_lookup.result.effective_application Name of the application that is ultimately used.
perflow.application_lookup.result.effective_family Name of the application family that is ultimately used.
perflow.application_lookup.result.names Comma-separated list of application names.
perflow.application_lookup.result.primary_application Name of the application that APM® determines is the primary one.
perflow.application_lookup.result.primary_family Name of the application family that Access Policy Manager® (APM) determines is the primary one. (An application might fit into more than one application family.)
perflow.bypass_lookup.result.ssl 0 (http) or 1 (https).
perflow.category_lookup.failure 0 (success) or 1 (server failure).
perflow.category_lookup.result.categories Comma-separated list of categories.
perflow.category_lookup.result.customcategory Unique number that identifies a custom category; used internally.
perflow.category_lookup.result.effective_category Name of the category that is ultimately used.
perflow.category_lookup.result.filter_name Name of the URL filter.
perflow.category_lookup.result.hostname Host name retrieved from SSL input.
perflow.category_lookup.result.numcategories Integer. Total number of categories in the comma-separated list of categories.
perflow.category_lookup.result.primarycategory Name of the category that APM determines is the primary one. (A URL might fit into more than one category, such as news and sports.)
perflow.category_lookup.result.url Requested URL.
perflow.protocol_lookup.result http or https. Defaults to https.
perflow.response_analytics.failure 0 (success) or 1 (server failure).
perflow.session.id Session ID.
perflow.ssl_bypass_set 0 (bypass) or 1 (intercept). SSL Bypass Set and SSL Intercept Set items update this value.
perflow.ssl.bypass_default 0 (bypass) or 1 (intercept). Specified in the client SSL profile; used when SSL Bypass Set and SSL Intercept Set items are not included in the per-request policy.
perflow.urlfilter_lookup.result.action 0 (reject) or 1 (allow).
perflow.username User name.
perflow.on_demand_cert.result 0 (success) or 1 (failure) of On-Demand Certificate authentication in the subroutine.
perflow.decision_box.result 0 (continue) or 1 (cancel) selected for the Confirm Box action in the subroutine.
perflow.subroutine.out_terminal Name of the subroutine out terminal.
perflow.subroutine.invalidated 0 (validated) or 1 (invalidated) subroutine.
perflow.subroutine.loop_countdown Number of iterations remaining on a subroutine loop.
subsession.logon.last.username User name for the last login.
subsession.logon.last.authtype Last authentication type.
subsession.ad.last.actualdomain Domain name for the last login.
subsession.ad.last.authresult 0 (success) or 1 (failure) of Active Directory authentication in the subroutine.
subsession.ad.last.errmsg Displays the error message for the last login.
subsession.ldap.last.authresult 0 (success) or 1 (failure) of LDAP authentication in the subroutine.
subsession.ldap.last.errmsg Displays the error message for the last login.
subsession.radius.last.attr.filter-id RADIUS attribute filter ID.
subsession.radius.last.attr.framed-compression RADIUS attribute framed compression.
subsession.radius.last.attr.framed-mtu RADIUS attribute framed MTU.
subsession.radius.last.attr.framed-protocol RADIUS attribute framed protocol.
subsession.radius.last.attr.service-type RADIUS attribute service type.
subsession.radius.last.errmsg Displays the error message for the last login.
subsession.radius.last.result 0 (success) or 1 (failure) of RADIUS authentication in the subroutine.

About per-request policy items

When configuring a per-request policy, a few access policy items are available for inclusion in the policy. Most per-request policy items are unique to a per-request policy.

About Protocol Lookup

A Protocol Lookup item determines whether the protocol of the request is HTTP or HTTPS. It provides two default branches: HTTPS and fallback. Use the Protocol Lookup item early in a per-request policy to process HTTPS traffic before processing HTTP traffic.

About SSL Bypass Set

The SSL Bypass Set item provides a read-only element, Action, that specifies the Bypass option.

Note: For an SSL Bypass Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Bypass Set item must occur in the policy before any items that process HTTP traffic.

About AD Group Lookup

An AD Group Lookup item can branch based on Active Directory group. The item provides one default advanced branch rule expression, expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 }, as an example.

A branch rule expression can include any populated session variable, such as session.ad.last.attr.primaryGroupID, session.ad.last.attr.memberOf, session.ad.last.attr.lastLogon, session.ad.last.attr.groupType, session.ad.last.attr.member, and so on. As an example, expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators" } is a valid expression.

Note: An AD Query action in the access policy can populate the session variables.

About LDAP Group Lookup

An LDAP Group Lookup item compares a specified string against the session.ldap.last.attr.memberOf session variable. The specified string is configurable in a branch rule. The default simple branch rule expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN; the values MY_GROUP, USERS, and MY_DOMAIN must be replaced with the values used in the LDAP group configuration at the user site.

Note: An LDAP Query action is required in the access policy to populate the session variable.

About LocalDB Group Lookup

A per-request policy LocalDB Group Lookup item compares a specified string against a specified session variable.

The string is specified in a branch rule of the LocalDB Group Lookup item. The default simple branch rule expression is User is a member of MY_GROUP. The default advanced rule expression is expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }. In either the simple or the advanced rule, the placeholder MY_GROUP must be replaced with a valid group name.

The session variable must initially be specified and populated by a Local Database action in the access policy. A Local Database action reads groups from a local database instance into a user-specified session variable. It can be session.localdb.groups (used by default in the LocalDB Group Lookup advanced rule expression) or any other name. The same session variable name must be used in the Local Database action and the LocalDB Group Lookup advanced rule expression.

About RADIUS Class Lookup

The RADIUS Class Lookup access policy item compares a user-specified class name against the session.radius.last.attr.class session variable. The specified class name is configurable in a branch rule.

The default simple branch rule expression is RADIUS Class attribute contains MY_CLASS. The placeholder MY_CLASS must be replaced with the name of an actual class.

Note: A RADIUS Acct or RADIUS Auth action is required in the access policy to populate the session variable.
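The branch rules for AD Group Lookup, LDAP Group Lookup, LocalDB Group Lookup and RADIUS Class Lookup above all rely on the same `contains` test. The following Python model is an added example, not F5 code or APM's own evaluator: it assumes that a multi-valued attribute such as session.ad.last.attr.memberOf is held as one string with the values joined by " | ", that `contains` is a plain substring test, and that mcget returns an empty string for an unpopulated variable. It also shows why a substring match on a bare CN can over-match, and a stricter whole-DN comparison to compare against.

```python
"""Model of APM group/class lookup branch rules (added example, not F5 code)."""

# Constructed sample session variables, as AD Query, LDAP Query, Local Database
# and RADIUS Auth actions in the access policy might populate them.
SESSION = {
    "session.ad.last.attr.primaryGroupID": "513",
    # Assumption: multi-valued attributes are joined with " | ".
    "session.ad.last.attr.memberOf": (
        "CN=AdministratorsDelegates,OU=Groups,DC=example,DC=com | "
        "CN=Sales,OU=Groups,DC=example,DC=com"
    ),
    "session.ldap.last.attr.memberOf": "CN=MY_GROUP,CN=USERS,CN=MY_DOMAIN",
    "session.localdb.groups": "MY_GROUP",
    "session.radius.last.attr.class": "MY_CLASS",
}


def mcget(session, name):
    """Like [mcget {name}]: the variable's value, or "" when it is not populated (assumed)."""
    return session.get(name, "")


def tcl_contains(haystack, needle):
    """APM's `contains` operator modelled as a substring test (assumed semantics)."""
    return needle in haystack


def member_values(raw):
    """Split a multi-valued attribute into its individual values (assumed " | " separator)."""
    return [v.strip() for v in raw.split("|") if v.strip()]


def contains_rule(session, var, needle):
    """Evaluate expr { [mcget {var}] contains "needle" }."""
    return tcl_contains(mcget(session, var), needle)


def exact_member_rule(session, var, dn):
    """Stricter alternative: the full group DN must equal one whole value, not a substring."""
    values = (v.casefold() for v in member_values(mcget(session, var)))
    return dn.casefold() in values


def primary_group_rule(session, gid):
    """Evaluate expr { [mcget {session.ad.last.attr.primaryGroupID}] == gid }."""
    value = mcget(session, "session.ad.last.attr.primaryGroupID")
    return value.isdigit() and int(value) == gid


if __name__ == "__main__":
    # "CN=Administrators" is a substring of "CN=AdministratorsDelegates,...", so the
    # page's example expression is true for a user who is not in Administrators.
    print(contains_rule(SESSION, "session.ad.last.attr.memberOf", "CN=Administrators"))
    print(exact_member_rule(SESSION, "session.ad.last.attr.memberOf",
                            "CN=Administrators,OU=Groups,DC=example,DC=com"))
```

The over-match shows why a branch rule that gates access should match the complete group DN rather than a bare CN prefix.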

About Dynamic Date Time

The Dynamic Date Time action enables branching based on the day, date, or time on the server. It provides two default branch rules:

Weekend
Defined as Saturday and Sunday.
Business Hours
Defined as 8:00am to 5:00pm.

The Dynamic Date Time action provides these conditions for defining branch rules.

Time From
Specifies a time of day. The condition is true at or after the specified time.
Time To
Specifies a time of day. This condition is true before or at the specified time.
Date From
Specifies a date. This condition is true at or after the specified date.
Date To
Specifies a date. This condition is true before or at the specified date.
Day of Week
Specifies a day. The condition is true for the entire day (local time zone).
Day of Month
Specifies the numeric day of month. This condition is true for this day every month (local time zone).
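The six Dynamic Date Time conditions and the two default branch rules, modelled in Python as an added example (not F5 code). It assumes that branch rules are evaluated in order with the first true rule winning and the fallback branch taken otherwise, and that the boundaries are inclusive exactly as described above (Time From is true at the stated time, Time To is true at the stated time).

```python
"""Model of the Dynamic Date Time branch-rule conditions (added example, not F5 code)."""
from datetime import datetime, time


def time_from(now, t):
    """Time From: true at or after time of day t."""
    return now.time() >= t


def time_to(now, t):
    """Time To: true before or at time of day t."""
    return now.time() <= t


def date_from(now, d):
    """Date From: true at or after date d."""
    return now.date() >= d


def date_to(now, d):
    """Date To: true before or at date d."""
    return now.date() <= d


def day_of_week(now, days):
    """Day of Week: true for the entire day; `days` holds weekday names."""
    return now.strftime("%A") in days


def day_of_month(now, dom):
    """Day of Month: true for numeric day `dom` in every month."""
    return now.day == dom


def weekend(now):
    """Default Weekend rule: Saturday and Sunday."""
    return day_of_week(now, {"Saturday", "Sunday"})


def business_hours(now):
    """Default Business Hours rule: 8:00am to 5:00pm, both ends inclusive."""
    return time_from(now, time(8, 0)) and time_to(now, time(17, 0))


# Default rules in the order the item provides them (assumed first-match evaluation).
DEFAULT_RULES = [("Weekend", weekend), ("Business Hours", business_hours)]

# A constructed custom rule combining two conditions: the 1st of the month before 06:00.
CUSTOM_RULES = [("Patch Window", lambda now: day_of_month(now, 1) and time_to(now, time(6, 0)))]


def branch(now, rules):
    """Return the name of the first rule that is true for `now`, else 'fallback'."""
    for name, predicate in rules:
        if predicate(now):
            return name
    return "fallback"


def branch_at(year, month, day, hour, minute, second=0, rules=DEFAULT_RULES):
    """Evaluate the rules at a naive local timestamp (the item uses the server's local time zone)."""
    return branch(datetime(year, month, day, hour, minute, second), rules)


if __name__ == "__main__":
    # 2016-06-04 is a Saturday; 2016-06-06 is a Monday.
    print(branch_at(2016, 6, 4, 10, 0))        # Weekend
    print(branch_at(2016, 6, 6, 17, 0))        # Business Hours (17:00 is still inside)
    print(branch_at(2016, 6, 6, 17, 0, 1))     # fallback
```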

About SSL Intercept Set

The SSL Intercept Set item provides a read-only element, Action, that specifies the Intercept option.

Note: For an SSL Intercept Set item to be effective, the client and server SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept; and the SSL Intercept Set item must occur in the policy before any items that process HTTP traffic.

About the Logging action

The Logging action can be used in an access policy or in a per-request policy. In an access policy, the Logging action adds logging for session variables to the access policy. In a per-request policy, the Logging action can add logging for both session variables and per flow variables to the per-request policy.

This action is useful for tracing the variables that are created for a specific category, or in a specific branch.

Note: A session variable might or might not exist at the time of logging, depending on the access policy branch taken or on the results of processing the access policy.

The Logging action provides these configuration elements and options:

Log Message
For an access policy, specifies text to add to the log file. For a per-request policy, specifies the message text and the session and per-flow variables to add to the message. Complete variable names must be typed. Wildcards are not supported for per-request policies. An example log message for a per-request policy follows.
The system found this URL %{perflow.category_lookup.result.url} in these categories %{perflow.category_lookup.result.categories} and placed it into this category %{perflow.category_lookup.result.primarycategory}.
An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}.
Requests from this platform %{session.client.platform} were made during this session %{perflow.session.id}.
Session Variables
Specifies a session variable from a list of predefined session variables or a custom session variable.
Note: This option is available only when adding the Logging action to an access policy.

About Category Lookup

A Category Lookup item looks up URL categories for a request and obtains a web response page.

The Category Lookup item provides these elements and options.

Categorization Input
The list specifies these options:
  • Use HTTP URI (cannot be used for SSL Bypass decisions): For HTTP traffic, this option specifies performing a URL-based lookup. When selected, on a BIG-IP® system with an SWG subscription, the SafeSearch Mode setting displays.
  • Use SNI in Client Hello (if SNI is not available, use Subject.CN): For HTTPS traffic, this option specifies performing a host-based lookup.
  • Use Subject.CN in Server Cert: For HTTPS traffic, this option specifies performing a host-based lookup. (This option is not for use in a reverse proxy configuration.)
SafeSearch Mode
The options are Enabled (default) and Disabled. When enabled, SWG enables Safe Search for supported search engines.
Note: SafeSearch is available only with an SWG subscription.
Category Lookup Type
Select the category types in which to search for the requested URL. On a BIG-IP® system with an SWG subscription, options are:
  • Select one from Custom categories first, then standard categories if not found
  • Always process full list of both custom and standard categories
  • Process standard categories only
On a BIG-IP® system without an SWG subscription, the available option is Process custom categories only. Depending on the selection, the Category Lookup Type item looks through custom categories or standard categories or both, and compiles a list of one or more categories from them. The list is available for subsequent processing by the URL Filter Assign item.
Reset on Failure
When enabled, specifies that SWG send a TCP reset to the client in the event of a server failure.

About Response Analytics

A Response Analytics item inspects a web response page for malicious embedded contents. Response Analytics must be preceded by a Category Lookup item because it obtains a web response page.

Note: Response Analytics works only on a BIG-IP® system with an SWG subscription.

Response Analytics provides these elements and options.

Max Buffer Size
Specifies the maximum amount of response data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the response content. Otherwise, the system retains the response data in the buffer.
Max Buffer Time
Specifies the maximum amount of time (in seconds) for buffering and analyzing response data. If the time elapses at any point in this process, the agent sets the perflow.response_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the response data.
Reset on Failure
When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.
Exclude Types
Specifies one entry for each type of content to be excluded from content analysis. Images, the All-Images type, do not get analyzed.

About Request Analytics

A Request Analytics item inspects an outgoing web request for malicious embedded contents. In a per-request policy, a Request Analytics item must be preceded by a Category Lookup item and followed by a URL Filter Assign item. To block outgoing traffic from chat applications, a Request Analytics item is required.

Note: Request Analytics works only on a BIG-IP® system with an SWG subscription.

Request Analytics provides these elements and options.

Max Buffer Size
Specifies the maximum amount of request data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the request content. Otherwise, the system retains the request data in the buffer.
Max Buffer Time
Specifies the maximum amount of time (in seconds) for buffering and analyzing request data. If the time elapses at any point in this process, the agent sets the perflow.request_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the request data.
Reset on Failure
When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.

About URL Filter Assign

A URL Filter Assign item looks up the URL filter action for each category that the Category Lookup item found for a request. If any filter action is set to Block, the request is blocked. In a configuration with an SWG subscription, the URL Filter Assign item also uses the analysis from the Response Analytics item, if used, to determine whether to block the request.

By default, the URL Filter Assign item has three branches: Allow, Confirm, and fallback. If the request is not blocked and any filter action is set to Confirm, the per-request policy takes the Confirm branch.

A URL Filter Assign item provides the URL Filter element, with a list of filters from which to select.

Note: A Category Lookup item must precede the URL Filter Assign item.
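The Category Lookup to URL Filter Assign decision described above, modelled in Python as an added example (not F5 code). The categorizer and the URL filter are constructed sample data; the model assumes that a category absent from the filter is treated as Allow, that a blocked request exits on the fallback branch, and that perflow.urlfilter_lookup.result.action is 1 on the Confirm branch because the request is not blocked.

```python
"""Model of Category Lookup followed by URL Filter Assign (added example, not F5 code)."""
from urllib.parse import urlparse

# Constructed categorization data: host -> categories, first one is the primary category.
SAMPLE_CATEGORIES = {
    "news.example.test": ["News", "Sports"],
    "bets.example.test": ["Gambling", "Sports"],
    "intranet.example.test": ["Custom-Intranet"],
}

# Constructed URL filter: category -> filter action. "Custom-Intranet" is deliberately
# missing to exercise the assumed default of Allow.
SAMPLE_FILTER = {"News": "Allow", "Sports": "Confirm", "Gambling": "Block"}


def sample_categorizer(url):
    """Stand-in for the category database: map the URL's host to its categories."""
    return list(SAMPLE_CATEGORIES.get(urlparse(url).hostname or "", []))


def category_lookup(url, categorizer):
    """Return the per-flow variables that Category Lookup sets for a request."""
    categories = categorizer(url)
    return {
        "perflow.category_lookup.failure": 0,
        "perflow.category_lookup.result.url": url,
        "perflow.category_lookup.result.categories": ",".join(categories),
        "perflow.category_lookup.result.numcategories": len(categories),
        "perflow.category_lookup.result.primarycategory": categories[0] if categories else "",
    }


def url_filter_assign(perflow, url_filter):
    """Apply the filter to every category found; return (branch, updated per-flow variables)."""
    raw = perflow.get("perflow.category_lookup.result.categories", "")
    categories = [c for c in raw.split(",") if c]
    actions = {url_filter.get(c, "Allow") for c in categories}  # assumed default: Allow
    if "Block" in actions:
        branch, action = "fallback", 0      # any Block wins: request is blocked
    elif "Confirm" in actions:
        branch, action = "Confirm", 1       # not blocked, at least one Confirm
    else:
        branch, action = "Allow", 1
    updated = dict(perflow)
    updated["perflow.urlfilter_lookup.result.action"] = action
    return branch, updated


if __name__ == "__main__":
    for url in ("https://news.example.test/today", "https://bets.example.test/",
                "https://intranet.example.test/"):
        branch, pf = url_filter_assign(category_lookup(url, sample_categorizer), SAMPLE_FILTER)
        print(url, pf["perflow.category_lookup.result.categories"], branch)
```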

About Application Lookup

An Application Lookup item obtains the name of the application that is being requested and looks up the application family that matches it. By default, this item has a fallback branch only.

Application Lookup can be used to branch by application family or by application name; branch rules are required to do this. If an Application Filter Assign item is included in the per-request policy, an Application Lookup must complete before it.

About Application Filter Assign

An Application Filter Assign item matches an application or application family against an application filter. Application Filter Assign provides one configuration element. The Application Filter element specifies the application filter to use in determining whether to block access to an application or allow it. The Application Filter Assign item exits on the Allow branch if the filter action specifies allow. Otherwise, Application Filter Assign exits on the fallback branch.

Important: To supply input for the Application Filter Assign agent, an Application Lookup item must run in the per-request policy sometime prior to it.

About HTTP Headers

An HTTP Headers action supports modifying an outgoing HTTP request to a back-end server. The action supports manipulation of HTTP and cookie headers being sent to back-end servers.

Important: The HTTP Headers item cannot manipulate HTTP cookies in outgoing HTTP requests to any portal access application.

The HTTP Headers item provides these configuration options and elements.

An entry in the HTTP Header Modify table includes these elements.

Header Operation
Specifies insert, append, replace, or remove.
Header Name
Specifies the header name on which to operate.
Header Value
Specifies the value on which to operate.
Note: Any per-flow or session variable can be used as a header value, for example, %{session.user.clientip} or %{perflow.session.id}.
Header Delimiter
Specifies the separator to use when appending a header.

An entry in the HTTP Cookie Modify table includes these elements.

Cookie Operation
Specifies update or delete.
Note: When update is selected and a cookie that matches the name and value does not exist, the HTTP Headers item adds the specified cookie.
Cookie Name
Specifies the name to match.
Cookie Value
Specifies the value to match when deleting a cookie or the new value to set when updating a cookie.
Note: Any per-flow or session variable can be used as a cookie value.
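The HTTP Header Modify and HTTP Cookie Modify operations above, modelled in Python as an added example (not F5 code). The %{variable} expansion is the same syntax the Logging action's message uses. Assumptions: header names match case-insensitively, insert overwrites an existing header, append on an absent header behaves like insert, an unpopulated variable expands to an empty string, and delete with an empty Cookie Value matches any value.

```python
"""Model of the HTTP Headers action's header and cookie operations (added example, not F5 code)."""
import re

VAR = re.compile(r"%\{([^}]+)\}")


def expand(value, variables):
    """Replace %{name} tokens with session/per-flow values; unknown names become "" (assumed)."""
    return VAR.sub(lambda m: str(variables.get(m.group(1), "")), value)


def modify_header(headers, op, name, value="", delimiter=",", variables=None):
    """Apply one HTTP Header Modify entry to a {name: value} dict; returns a new dict."""
    out = dict(headers)
    key = next((k for k in out if k.lower() == name.lower()), name)
    value = expand(value, variables or {})
    if op == "insert":
        out[key] = value
    elif op == "append":
        out[key] = f"{out[key]}{delimiter}{value}" if key in out else value
    elif op == "replace":
        if key in out:
            out[key] = value
    elif op == "remove":
        out.pop(key, None)
    else:
        raise ValueError(f"unknown header operation {op!r}")
    return out


def parse_cookies(header):
    """Split a Cookie request header into an ordered {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            cookies[name.strip()] = val.strip()
    return cookies


def modify_cookie(headers, op, name, value="", variables=None):
    """Apply one HTTP Cookie Modify entry to the request's Cookie header; returns a new dict."""
    out = dict(headers)
    key = next((k for k in out if k.lower() == "cookie"), "Cookie")
    cookies = parse_cookies(out.get(key, ""))
    value = expand(value, variables or {})
    if op == "update":
        cookies[name] = value  # adds the cookie when no matching one exists
    elif op == "delete":
        if name in cookies and (value == "" or cookies[name] == value):
            del cookies[name]
    else:
        raise ValueError(f"unknown cookie operation {op!r}")
    if cookies:
        out[key] = "; ".join(f"{k}={v}" for k, v in cookies.items())
    else:
        out.pop(key, None)
    return out


if __name__ == "__main__":
    # Constructed request and variables.
    request = {"Host": "app.example.test", "Cookie": "lang=en; theme=dark"}
    variables = {"session.user.clientip": "203.0.113.7", "perflow.session.id": "abc123"}
    request = modify_header(request, "insert", "X-Client-IP", "%{session.user.clientip}",
                            variables=variables)
    request = modify_cookie(request, "update", "apm_sid", "%{perflow.session.id}",
                            variables=variables)
    print(request)
```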

About per-request policy subroutine items

When configuring a per-request policy subroutine, a few access policy items are available for inclusion in the subroutine. A Confirm Box action (for use with Secure Web Gateway forward proxy configurations) is unique to a per-request policy subroutine.

About Confirm Box

A Confirm Box action presents links for these options: Continue and Cancel. The action is available for a per-request policy subroutine only and is for use in a Secure Web Gateway (SWG) configuration. Confirm Box offers these elements and options for customization.

Language
Specifies the language to use to customize the Confirm Box page. Selecting a language causes the content in the remaining fields to display in the selected language.
Note: Languages on the list reflect those that are configured in the access profile.
Message
Specifies the message to display.
Field 1 image
Specifies the icon (red, green, or none) to display with the Continue option.
Continue
Specifies the text to display for this option.
Field 2 image
Specifies the icon (red, green, or none) to display with the Cancel option.
Cancel
Specifies the text to display for this option.

About AD Auth

An AD Auth action authenticates a user against an AAA Active Directory server. In an access policy, an authentication action typically follows a logon action that collects credentials.

Note: When configured in a per-request subroutine, some screen elements and options described here might not be available.
Type
Specifies Authentication, the type of this Active Directory action.
Server
Specifies an Active Directory server; servers are defined in the Access Policy AAA servers area of the Configuration utility.
Cross Domain Support
Specifies whether AD cross domain authentication support is enabled for this action.
Complexity check for Password Reset
Specifies whether Access Policy Manager® (APM®) performs a password policy check. APM supports these Active Directory password policies:
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
APM must retrieve all related password policies from the domain to make the appropriate checks on the new password.
Note: Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page.
Note: Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using LDAP protocol and must retrieve user information during the authentication process to properly check the new password.
Show Extended Error
When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in a testing or debugging environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)
Max Logon Attempts Allowed
Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt.
Max Password Reset Attempts Allowed
Specifies the number of times that APM allows the user to try to reset password.

About HTTP 401 Response

The HTTP 401 Response action sends an HTTP 401 Authorization Required Response page to capture HTTP Basic or Negotiate authentication.

Note: For a per-request policy subroutine, HTTP 401 Response supports HTTP Basic authentication only.

The HTTP 401 Response action provides up to three branches: Basic, Negotiate, and fallback. Typically, a basic type of authentication follows on the Basic branch and a Kerberos Auth action follows on the Negotiate branch.

An HTTP 401 Response action provides these configuration elements and options.

Basic Auth Realm
Specifies the authentication realm for use with Basic authentication.
HTTP Auth Level
Specifies the authentication required for the policy.
  • none - specifies no authentication.
  • basic - specifies Basic authentication only.
  • negotiate - specifies Kerberos authentication only.
    Note: This option is not available for a per-request policy subroutine.
  • basic+negotiate - specifies either Basic or Kerberos authentication.
    Note: This option is not available for a per-request policy subroutine.

The action provides customization options that specify the text to display on the screen.

Language
Specifies the language to use to customize this HTTP 401 response page. Selecting a language causes the content in the remaining fields to display in the selected language.
Note: Languages on the list reflect those that are configured in the access profile.
Logon Page Input Field #1
Specifies the text to display on the logon page to prompt for input for the first field. When Language is set to en, this defaults to Username.
Logon Page Input Field #2
Specifies the text to display on the logon page to prompt for input for the second field. When Language is set to en, this defaults to Password.
HTTP response message
Specifies the text that appears when the user receives the 401 response, requesting authentication.

About iRule Event

An iRule Event action adds iRule processing to an access policy or to a per-request policy subroutine at a specific point. An iRule Event provides one configuration option: ID, which specifies an iRule event ID.

Note: iRule event access policy items must be processed and completed before the access policy can continue.

An iRule Event action can occur anywhere in an access policy or a per-request policy subroutine.

About LDAP Auth

An LDAP Auth action authenticates a user against an AAA LDAP server. An LDAP Auth action provides these configuration elements and options.

Note: When configured in a per-request subroutine, some screen elements and options described here might not be available.
Type
Specifies Authentication, the type of this LDAP action.
Server
Specifies an LDAP server; servers are defined in the Access Policy AAA servers area of the Configuration utility.
SearchDN
Specifies the base node of the LDAP server search tree to start the search with.
SearchFilter
Specifies the search criteria to use when querying the LDAP server for the user's information. Session variables are supported as part of the search query string. Parentheses are required around search strings, for example, (sAmAccountName=%{session.logon.last.username}).
UserDN
Specifies the Distinguished Name (DN) of the user. The DN can be derived from session variables.
Show Extended Error
When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in a testing or debugging environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)
Max Logon Attempts Allowed
Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt.

About Logon Page

A logon page action prompts for a user name and password, or other identifying information. The logon page action typically precedes the authentication action that checks the credentials provided on the logon page. The logon page action provides up to five customizable fields and enables localization.

The logon page action provides these configuration options and elements.

Note: When configured in a per-request subroutine, some screen elements and options described here might not be available.
Split domain from full username
Specifies Yes or No.
  • Yes - specifies that when a username and domain combination is submitted (for example, marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, jsmith) is stored in the session variable session.logon.last.username.
  • No - specifies that the entire username string is stored in the session variable.
CAPTCHA configuration
Specifies a CAPTCHA configuration to present for added CAPTCHA security on the logon page.
Type
Specifies the type of logon page input field: text, password, select, checkbox, or none.
  • text Displays a text field, and shows the text that is typed in that field.
  • password Displays an input field, but displays the typed text input as asterisks.
  • select Displays a list. The list is populated with values that are configured for this field.
  • checkbox Displays a check box.
  • none Specifies that the field is not displayed on the logon page.
Post Variable Name
Specifies the name of the POST variable that carries the data typed in the field. For example, with the POST variable name username, the user name input omaas is sent as the POST string username=omaas.
Session Variable Name (or Subsession Variable Name)
Specifies the name of the session variable in which the server stores the data typed in the field. For example, the session variable name username stores the user name input omaas as session.logon.last.username=omaas.
Note: A per-request policy subroutine uses subsession variables in place of session variables.
Values
Specifies values for use on the list when the input field type is select.
Read Only
Specifies whether the logon page field is read-only, so that it is always submitted with the value you specify rather than a value typed by the user. Use Read Only to add POST variables or session variables that every session using this access policy submits from the logon page, or to populate a field with a value from a session variable. For example, you can use the On-Demand Cert Auth agent to extract the CN field (typically the user name) from a certificate and assign it to session.logon.last.username, then specify session.logon.last.username as the session variable of a read-only field in the logon page action. When Access Policy Manager® displays the logon page, that field is populated with the certificate's CN.

Additionally, customization options specify text and an image to display on the screen.

Language
Specifies the language to use to customize this logon page. Selecting a language causes the content in the remaining fields to display in the selected language.
Note: Languages on the list reflect those that are configured in the access profile.
Form Header Text
Specifies the text that appears at the top of the logon box.
Logon Page Input Field # number
Specifies the text to display for each input field (number 1 through 5) that is defined in the Logon Page Agent area with Type set to other than none.
Logon Button
Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
Front Image
Specifies an image file to display on the logon page. The Replace Image link enables customization, and Revert to Default Image discards any customization and uses the default logon page image.
Save Password Check Box
Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
New Password Prompt
Specifies the prompt displayed when a new Active Directory password is requested.
Verify Password Prompt
Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
Password and Password Verification do not Match
Specifies the prompt displayed when a new Active Directory password and verification password do not match.
Don't Change Password
Specifies the prompt displayed when a user should not change the password.

About On-Demand Cert Auth

Typically, when a client makes an HTTPS request, an SSL handshake occurs at the start of the SSL session, and any client certificate is requested then. If the client SSL profile does not request a client certificate in that initial handshake, an On-Demand Cert Auth action can renegotiate the SSL connection from an access policy by sending a certificate request to the client; because this works by renegotiation, SSL renegotiation must be enabled in the client SSL profile. The request prompts the browser to open a certificate selection screen. After the user provides a valid certificate, the On-Demand Cert Auth action checks the result of certificate authentication: the agent reads the session variable session.ssl.cert.valid to determine whether authentication succeeded.

The On-Demand Cert Auth action provides one configuration option, Auth Mode, with two supported modes:

Request
With this mode, the system requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, this action takes the fallback route in the access policy. This is the default option.
Require
With this mode, the system requires that a client provides a valid certificate. If the client does not provide a valid certificate, the connection terminates and the client browser stops responding.
Note: For an iPod or an iPhone, the Require setting must be used for On-Demand certificate authentication. To pass a certificate check using Safari, the user is asked to select the certificate multiple times. This is expected behavior.
Note: On-demand certificate authentication does not work when added to a subroutine for a per-request policy that is part of a forward proxy configuration.

About RADIUS Auth

A RADIUS Auth action authenticates a client against an external RADIUS server. A RADIUS Auth action provides these configuration elements and options.

Note: When configured in a per-request subroutine, some screen elements and options described here might not be available.
AAA Server
Specifies the RADIUS server to authenticate against; servers are defined in the Access Policy AAA servers area of the Configuration utility.
Show Extended Error
When enabled, causes the detailed error messages generated by the authentication server to display on the user's logon page. Use this setting only for testing or debugging, never in production: detailed server errors can reveal information useful to an attacker, such as whether a given user name exists. (When disabled, only generic error messages display on the user's logon page.)
Max Logon Attempts Allowed
Specifies the number of user authentication logon attempts to allow. One complete challenge and response (the logon page displayed and credentials submitted) counts as one attempt.

About per-request policy endings

An ending provides the result for a per-request policy branch and is one of two types.

Allow
Allows the user to continue to the requested URL.
Reject
Blocks the user from continuing and triggers the access profile Logout screen.

Customizing messages for the per-request policy Reject ending

Before you start, an access profile must be configured.
Customize the messages to display when a per-request policy terminates on a Reject ending. When this happens, the per-request policy triggers the access profile Logout screen, so the messages are customized on that screen.
  1. On the Main tab, click Access Policy > Customization > General.
    The Customization tool appears in General Customization view, displaying Form Factor: Full/Mobile Browser settings.
  2. In the left pane, click the Text tab.
    A navigation tree displays in the left pane.
  3. Expand the Access Profiles folder.
    Folders for access profiles that are configured on the BIG-IP® system in the current partition display.
  4. Expand the folder for the access profile that you want to update.
    Folders for access profile objects display.
  5. Expand the Logout folder for the access profile.
    The General setting displays in the folder.
  6. Click General.
    Message settings display in the right pane.
  7. In the right pane, update values.
  8. On the menu bar, click Save.
  9. Click the Apply Access Policy link to apply and activate the changes to the access policy.
  10. On the list of access profiles to apply, verify that the access profile that you updated is selected.
  11. Click the Apply Access Policy button.

Exporting and importing a per-request policy across BIG-IP systems

Export a per-request policy from one BIG-IP® system and import it on another (at the same product version level) to copy a policy across systems.
Note: Per-request policy import does not support the import of custom categories or the URLs defined for them. Before you import a per-request policy from one BIG-IP system to another BIG-IP system, you must first list any custom categories configured on the source system and make sure you have the same custom categories on the target system. Otherwise, import will fail.
  1. On the Main tab, click Access Policy > Per-Request Policies.
    The Per-Request Policies screen opens.
  2. Click the link in the Export column for the policy that you want to export.
    A file downloads.
  3. Note the list of custom categories on this (source) BIG-IP system:
    1. Click Access Policy > Secure Web Gateway > URL Categories.
    2. Expand the Custom Categories list.
  4. Log in to the Configuration utility on the BIG-IP system where you want to import the per-request policy.
  5. Verify that the custom categories that exist on the source BIG-IP system also exist on this BIG-IP system:
    1. Click Access Policy > Secure Web Gateway > URL Categories.
    2. Expand the Custom Categories list.
    3. Create any additional custom categories needed to match the list on the source BIG-IP system.
      The import process does not add URLs to custom categories. To include the URLs defined for a custom category on the source system, add them to the target system now or after you import the per-request policy.
  6. On the Main tab, click Access Policy > Per-Request Policies.
    The Per-Request Policies screen opens.
  7. Click Import.
    An Import Policy screen displays.
  8. In New Policy Name, type a name.
  9. For Config File Upload, click Browse, then locate and select the file downloaded from the source BIG-IP system.
  10. To reuse objects already existing on this BIG-IP system, select the Reuse Existing Objects check box.
  11. Click Import.