Authentication Items

The authentication items perform authentication or authentication-related functions.

Refer to Create Access policy for the OpenAPI specification document.

Active Directory Authentication

To configure Active Directory (AD) authentication, you must create an Active Directory AAA server and an AD Auth item. To query the external AD server for additional information about the user, refer to the Active Directory Query section in Interrogation Items.

For instructions on configuring AD Auth, refer to How To: Configure AD Authentication.

Active Directory AAA server

Active Directory AAA server specifies the objects for configuring an AD authentication server. In the BIG-IP Next Access policy, you define Active Directory AAA server properties in the externalServers object.

The table below lists the objects for configuring an Active Directory AAA server:

Object Type Description
acctLockoutDuration integer or null Specifies the duration in minutes the user is locked out after they hit the acctLockoutThreshold value. Once this time is elapsed the user is automatically unlocked. The default value is 14400. A value of 0 requires the account to be manually unlocked by an administrator.
acctLockoutThreshold integer or null Specifies the number of failed logon attempts before the account is locked out. The default value is 3. A locked-out account cannot be used until an administrator resets it or until the acctLockoutWindow for the account has expired. If this value is greater than 0, the acctLockoutDuration value must be greater than or equal to the acctLockoutWindow value.
acctLockoutWindow integer or null Specifies the number of minutes that must elapse after an account is locked due to unsuccessful logon attempts before resetting the acctLockoutThreshold counter. The default value is 5. If the acctLockoutThreshold value is greater than 0, the acctLockoutWindow value must be less than or equal to the acctLockoutDuration value.
adminName string Specifies the administrator name that has Active Directory administrative permissions.
adminPassword string Specifies the administrator password associated with the Domain Name.
description string Specifies the description of the server.
domain string Specifies the Windows domain name. This is a required setting.
groupCacheTtl integer or null Specifies the lifetime of a group cache, in days. The default lifetime is 30 days. This means that BIG-IP Next Access refreshes the Active Directory group cache every 30 days.
kdcValidation boolean or null Specifies whether to enable Kerberos KDC Validation. The default value is false.
The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller and is responsible for authenticating users. The KDC validation allows you to prevent a KDC spoofing attack.
You configure a KDC validation by importing a keytab file that you exported from the Kerberos KDC. When you enable the KDC validation, after obtaining the ticket-granting ticket (TGT) and validating the user, BIG-IP Next requests a service ticket on behalf of the user. It validates the returned service ticket against the secret key for the KDC, which is stored in a keytab file. When the validation with the keytab file fails, the KDC server is considered untrusted, and the user is not authenticated.
keytabFileName string Specifies a keytab file containing Kerberos encrypted keys. These are derived from the Kerberos password. It contains the service keys that the server uses to authenticate the client.
name string Specifies the name of the AAA AD server. This is a required setting.
padataEncType string or null Specifies a Kerberos pre-authentication encryption type. If specified, BIG-IP Next Access includes Kerberos pre-authentication data within the first authentication service request (AS-REQ) packet. The default value is none.
psoCacheTtl integer or null Specifies the lifetime of a Password Security Object (PSO) cache. The default lifetime is 30 days.
serverType string Specifies the external server type. For AD server, the value is ActiveDirectory. This is a required setting.
serviceName string or null Specifies the Kerberos service name. The default value is HTTP. This is required if kdcValidation is set to true.
serverSide object Specifies the server-side parameters. This is a required setting.
  • monitors object or null Specifies an ICMP monitor to track the health of your AD server. This object lets you configure the icmp object, which has the following parameters:
    • interval: Specifies the monitor check frequency in seconds. The default is 5. Type - integer.
    • timeout: Specifies the time in which the target must respond in seconds. The default is 16. Type - integer.
  • l4ServerSide string Specifies an L4 server-side object.
  • loadBalancing string or null Specifies the load balancing method. The default value is round-robin. The valid values are:
    • round-robin - The load balancer passes each new connection request to the next server in line, eventually distributing connections evenly across the array of load-balanced machines. This method works well in most configurations, especially if the equipment you are load balancing is roughly equal in processing speed and memory.
    • least-connections - The load balancer passes a new connection to the node that has the least number of connections in the pool. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities. This dynamic load balancing method distributes connections based on various aspects of real-time server performance analysis, such as the current number of connections per node or the fastest node response time.
    • predictive - The ranking trend is analyzed over time to determine whether a node's performance is improving or declining. The nodes in the pool with better performance rankings that are improving rather than decreasing receive a higher proportion of the connections.
    • weighted-round-robin - Each server is assigned a weight per the number of active connections it contains. The higher the weight of a server, the more requests it receives.
    • ratio-least-connections - The load balancer selects the pool member according to the ratio of the number of connections each pool member has active. If a ratio weight is not specified, it will be treated as a default value of 1.
    • ratio-session - The load balancer selects the pool member according to the ratio of the number of sessions each pool member has active. Pending sessions count as active sessions.
    • fastest - The load balancer passes a new connection based on the quickest response of all currently active nodes in a pool. This method might be beneficial in environments where nodes are distributed across different logical networks.
  • ignorePersistedWeight boolean or null Specifies whether to count the weight of persisted connections on pool members when making load-balancing decisions. The default value is false.
timeout integer or null Specifies the number of seconds to reach the Active Directory server initially. The default value is 15.

Active Directory Auth

The table below lists the objects for configuring Active Directory authentication. In the BIG-IP Next Access policy, you define these in the policy object.

Object Type Description
caption string Specifies a human-readable description of the policy item.
expression string Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget.
The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string.
For example,
"expression": "return {1800}",
"expression": "return {Hello World}",
"expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
"expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
"expression": "expr {1800}".
For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
For a list of session variables, refer to Reference: Session Variables.
itemType string Specifies the BIG-IP Next Access policy item. For the Active Directory Auth item, the value is aaa-active-directory-auth. This is a required setting.
maxLogonAttempt integer or null Specifies the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3. The valid value range is 1-5.
maxPwdResetAttempt integer or null Specifies the number of times to allow a user to try to reset their password. The default value is 3. The valid value range is 1-5.
name string Specifies the name of the BIG-IP Next Access policy item.
nextItems array Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting.
pwdComplexityCheck boolean or null Specifies whether BIG-IP Next Access performs a password policy check. The default value is false. Access supports the following Active Directory password policies:
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
Note: Because this option might require administrative privileges, you should specify the administrator name and password on the AAA Active Directory server configuration.
Access must retrieve all related password policies from the domain to make the appropriate checks on the new password.
pwdExpirationWarning integer or null Specifies the number of days before password expiration at which the user is prompted to change the password. The default value is 0 days, which means the user is not prompted.
server string Specifies the Active Directory server. This is a required setting.
showExtendedError boolean or null Specifies whether to display the comprehensive error messages generated by the authentication server on the user's Logon page. The default value is false, which displays only non-comprehensive error messages generated by the authentication server on the user's Logon page.
Note: This setting is intended only for use in a testing or debugging environment, not in production. If you enable this setting in a live environment, the detailed error messages can expose your system to attacks.

upn boolean or null Specifies whether to use the userPrincipalName attribute as the search filter. The default value is false. When the value is set to true, the user@domain.com format is used for authentication and in the search filter.

Client Cert Inspection

The Client Cert Inspection item checks the result of the TLS handshake at the start of a session. The TLS handshake verifies the client’s TLS certificate and the server’s possession of the private key. The client and server verify and authenticate each other using mutual TLS (mTLS). When you create a client SSL configuration, you specify a certificate authority (CA) bundle file that includes a list of trusted CA certificates. BIG-IP Next verifies the client user’s identity by validating the client certificate against a list of trusted CA certificates. When the client presents an SSL certificate, BIG-IP Next uses the client SSL profile details to verify whether a trusted CA issued the certificate.

Note: The Client Cert Inspection item is supported only for a per-session Access policy.

Example: The following example shows an Access policy with the Client Cert Inspection item.

The Tcl expression expr {[mcget {session.ssl.cert.valid}] == "0"} fetches and checks the client certificate data from the session variable. If the certificate is valid, the session is allowed to start.

{
    "policyType": "PerSession",
    "name": "apssp1",
    "profileType": "ltm-apm",
    "scope": "global",
    "timeout": 11,
    "inactivityTimeout": 22,
    "policy":
    {
      "objectContent":
      {
        "languages": [ "en" ],
        "defaultLanguage": "en",
        "start": {
            "caption": "Fallback",
            "itemType": "empty",
            "name": "my-client-cert-inspection-item",
            "nextItems" : [
                {
                    "itemType": "allow",
                    "expression": "expr {[mcget {session.ssl.cert.valid}] == \"0\"}",
                    "name": "Allow",
                    "caption": "Successful"
                },
                {
                    "itemType": "deny",
                    "name": "Deny",
                    "caption": "fallback"
                }
            ]
        }
    }
    }
}
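The policy above relies on the order of its nextItems: the branch carrying the expression is tried first, and the expression-less deny branch is the fallback. The following is an added example, not BIG-IP Next code, that replays that selection for a given value of session.ssl.cert.valid so you can see which outcome each value leads to. It assumes branches are tried in order, that a branch with an expression is taken when the expression evaluates true, and that the first branch without an expression is the fallback; an unset session variable is treated as the empty string. It understands only the expression shape the policy uses, expr {[mcget {var}] == "literal"} (or !=), and rejects anything else rather than guessing.

```python
"""Simulate which branch the Client Cert Inspection policy above follows for a
given value of session.ssl.cert.valid.

Added example, not BIG-IP Next code. Assumptions: branches in nextItems are
tried in order, a branch with an expression is taken when the expression is
true, and the first branch without an expression is the fallback. Only the
expression shape used in the policy, expr {[mcget {var}] == "literal"} (or !=),
is understood; anything else is rejected rather than guessed at."""
import json
import re

BRANCH_EXPR = re.compile(
    r'^expr\s*\{\s*\[mcget\s+\{(?P<var>[^}]+)\}\]\s*(?P<op>==|!=)\s*"(?P<lit>[^"]*)"\s*\}$'
)


def evaluate(expression, session):
    """Evaluate one branch expression against a dict of session variables."""
    m = BRANCH_EXPR.match(expression.strip())
    if not m:
        raise ValueError(f"unsupported branch expression: {expression}")
    # An unset session variable is treated as the empty string (assumption).
    value = str(session.get(m.group("var"), ""))
    equal = value == m.group("lit")
    return equal if m.group("op") == "==" else not equal


def select_branch(item, session):
    """Return the itemType of the branch taken from `item` for this session."""
    fallback = None
    for branch in item["nextItems"]:
        expression = branch.get("expression")
        if expression is None:
            fallback = fallback or branch      # first expression-less branch wins
        elif evaluate(expression, session):
            return branch["itemType"]
    if fallback is None:
        raise ValueError("policy item has no fallback branch")
    return fallback["itemType"]


# The start item of the policy above, embedded as the sample input.
START_ITEM = json.loads(r'''
{
    "caption": "Fallback",
    "itemType": "empty",
    "name": "my-client-cert-inspection-item",
    "nextItems": [
        {
            "itemType": "allow",
            "expression": "expr {[mcget {session.ssl.cert.valid}] == \"0\"}",
            "name": "Allow",
            "caption": "Successful"
        },
        {
            "itemType": "deny",
            "name": "Deny",
            "caption": "fallback"
        }
    ]
}
''')


def outcome(cert_valid):
    """Branch taken when session.ssl.cert.valid holds cert_valid (None = unset)."""
    session = {} if cert_valid is None else {"session.ssl.cert.valid": cert_valid}
    return select_branch(START_ITEM, session)


if __name__ == "__main__":
    for value in ("0", "20", None):
        print(f"session.ssl.cert.valid={value!r}: {outcome(value)}")
```

The useful property to confirm is the failure direction: only the exact value "0" reaches the allow branch, while any other verification result, or no certificate at all, falls through to deny.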

Configuring an application

Note: Before creating an application, specify a certificate authority (CA) bundle file that includes a list of trusted CA certificates. BIG-IP Next verifies the client user’s identity by validating the client certificate against a list of trusted CA certificates. A trusted CA bundle file can be uploaded using the /api/v1/files endpoint.

POST https://{{bigip_next_mgmt_ip}}:{{bigip_next_mgmt_port}}/api/v1/files

Example: The following example shows an application configuration for client authentication.

  • template - Specifies the TLS template type to use for authenticating TLS clients.

  • trustedCa - Specifies the name of the trusted CA bundle file you uploaded earlier.

  • enable - Set this object to true to enable Client Authentication.

  • perSessionAccessPolicy - Name of the Access policy you created earlier.

Refer to the Create an application with stack section for details on creating an application.

{
    "name": "Access_App",
    "description": "Web server for F5",
    "stacks": [
        {
            "stackType": "HttpRevProxy",
            "name": "Stack_With_SSL_Profile",
            "clientSide":
            {
                "l4ClientSide": "ext_l4_clientside",
                "tls":
                {
                    "cipherstring": "DEFAULT",
                    "template": "CLIENTSIDE_TLS_CLIENT_AUTH_TEMPLATE",
                    "trustedCa": "uploaded-ca-file-name",
                    "enable": true,
                    "keyCertificatePairs": [
                        {
                            "keyCertificateContent":
                            {
                                "keyFile": "uploaded-key-file-name",
                                "certificateFile": "uploaded-cert-file-name"
                            }
                        }]
                }
            },
            "serverSide":
            {
                "l4ServerSide": "ext_l4_serverside"
            },
            "policies": [
            {
                "perSessionAccessPolicy": "apssp1"
            }]
        }
    ]
}

CRLDP Authentication

To configure CRLDP Authentication, you must create CRLDP AAA server and CRLDP Auth objects.

For instructions and examples on configuring CRLDP Authentication, refer to How To: Configure CRLDP Authentication.

CRLDP AAA server

CRLDP AAA server specifies how to access certificate revocation lists (CRLs). In the Access policy, you define CRLDP AAA server properties in the externalServers object.

The table below lists the objects for configuring a CRLDP AAA server:

Object Type Description
name string Specifies the name of the AAA CRLDP server. This is a required setting.
serverType string Specifies the external server type. For a CRLDP server, the value is Crldp. This is a required setting.
cacheExpire integer or null Specifies the number of seconds a CRL is cached. The default value is 86400 seconds.
useIssuer boolean or null Specifies whether the system extracts the CRL distribution point from the certificate of the client certificate issuer. When set to true, BIG-IP Next uses the CRLDP information provided by the issuer certificate instead of the client certificate. The default value is false.
allowNullcrl boolean or null Specifies whether a null CRL from the CRLDP server is considered a successful authentication. The default value is false.
verifySig boolean or null Specifies whether the signature on the received CRL is verified. The default value is true.
Note: This parameter value should be true when using LDAP or HTTP to fetch CRL.
connTimeout integer or null Specifies the number of seconds of inactivity the system allows before the connection times out. The default value is 15. This parameter does not apply if you specify the source parameter value as endpoint in the serverConnection object.
updateInterval integer or null Specifies the validity (in seconds) of the CRL file. The default value is 0. To force the retrieval of a CRL file before the current CRL becomes obsolete, set this value to less than the CRL expiration time. If the value is zero (default), the CRLDP action uses the expiration time specified by the CA's CRL publishing parameters.
serverConnection object Specifies how BIG-IP Next connects to the AAA CRLDP server. The source parameter in this object specifies the mode of server connection. You can choose the following configuration modes based on how BIG-IP Next connects to the AAA CRLDP server:
  • CRLDP Server Endpoint Mode - Specifies an endpoint to create a pool of server connections for High Availability.
  • CRLDP Server Certificate Mode - Specifies a fully qualified HTTP or LDAP URL from the user/issuer certificate for the CRL location.

CRLDP Server Endpoint Mode

The table below lists the objects for configuring CRLDP Server Endpoint Mode:

Object Type Description
source string Specifies the CRLDP Server Source. For a CRLDP Server Endpoint mode, the value is endpoint. This is a required setting.
port integer or null Specifies a CRLDP service port. The default value is 389.
baseDn string Specifies a CRLDP base distinguished name for certificates that specify the CRL distribution point in the directory name (dirName) format. Access uses Base DN when the value of the X509v3 attribute crlDistributionPoints is of type dirName and tries to match the value of the crlDistributionPoints attribute to the Base DN value. An example of a Base DN value is cn=lxxx,dc=f5,dc=com.
reverseDn boolean or null Specifies in which order the system should attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. The default value is false. When set to true, Access matches the base DN from left to right or from the beginning of the DN string to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx.
serverSide object Specifies the server-side parameters.
  • monitors object or null Specifies a monitor to track the health of the server. This object lets you configure the following monitors:
    • icmp: Specifies the ICMP monitor settings that make a simple node check. In this object, you can configure the monitor's interval and timeout parameters.
    • tcp: Specifies the TCP monitor settings. It verifies the Transmission Control Protocol (TCP) service by attempting to receive specific content from a resource. The check is successful when the content matches the value of the receiveString setting. In this object, you can configure the monitor's interval, timeout, sendString, receiveString, and receiveDisableString parameters.
    Refer to Create Access policy for the OpenAPI specification document.
  • l4ServerSide string Specifies an L4 server-side object. This is a required setting.
  • loadBalancing string or null Specifies the load balancing method. The default value is round-robin. The valid values are:
    • round-robin: The load balancer passes each new connection request to the next server in line, eventually distributing connections evenly across the array of load-balanced machines. This method works well in most configurations, especially if the equipment you are load balancing is roughly equal in processing speed and memory.
    • least-connections: The load balancer passes a new connection to the node that has the least number of connections in the pool. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities. This dynamic load balancing method distributes connections based on various aspects of real-time server performance analysis, such as the current number of connections per node or the fastest node response time.
    • predictive: The ranking trend is analyzed over time to determine whether a node's performance is improving or declining. The nodes in the pool with better performance rankings that are improving rather than decreasing receive a higher proportion of the connections.
    • weighted-round-robin: Each server is assigned a weight per the number of active connections it contains. The higher the weight of a server, the more requests it receives.
    • ratio-least-connections: The load balancer selects the pool member according to the ratio of the number of connections each pool member has active. If a ratio weight is not specified, it will be treated as a default value of 1.
    • ratio-session: The load balancer selects the pool member according to the ratio of the number of sessions each pool member has active. Pending sessions count as active sessions.
    • fastest: The load balancer passes a new connection based on the quickest response of all currently active nodes in a pool. This method might be beneficial in environments where nodes are distributed across different logical networks.
  • ignorePersistedWeight boolean or null Specifies whether to count the weight of persisted connections on pool members when making load-balancing decisions. The default value is false.
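The baseDn and reverseDn rows above describe how a dirName-form crlDistributionPoints value is matched against the configured base DN, and the direction of that match decides whether a CRL is found at all. The following is an added example, not BIG-IP Next code, that performs that comparison both ways on constructed DNs. It assumes that with reverseDn false the base DN is matched from the end of the dirName string (the base DN is a suffix of the RDN sequence, as in cn=xxx,ou=f5,dc=f5,dc=com), and that with reverseDn true it is matched from the beginning, which suits certificates whose dirName is written c=us,st=wa,l=sea,ou=f5,cn=xxx. Attribute types and values are compared case-insensitively; multi-valued RDNs are not supported.

```python
"""Match the dirName form of a certificate's crlDistributionPoints value against
a CRLDP base DN, in both directions selected by reverseDn.

Added example, not BIG-IP Next code. Assumption: with reverseDn false the base
DN is matched from the end of the dirName string (suffix of the RDN sequence);
with reverseDn true it is matched from the beginning (prefix). The DNs used
below are constructed."""


def parse_dn(dn):
    """Split a DN string into (attribute, value) pairs in the order written.

    A backslash escapes the next character (so "a\\,b" is one value containing a
    comma); multi-valued RDNs (a=1+b=2) are not supported."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        # Case-insensitive comparison of both attribute type and value (assumption).
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def base_dn_matches(dir_name, base_dn, reverse_dn=False):
    """True when base_dn matches dir_name in the direction selected by reverse_dn."""
    dn, base = parse_dn(dir_name), parse_dn(base_dn)
    if len(base) > len(dn):
        return False
    if reverse_dn:
        return dn[:len(base)] == base      # match from the beginning of the string
    return dn[-len(base):] == base         # default: match from the end


def matching_dirnames(points, base_dn, reverse_dn=False):
    """Filter crlDistributionPoints entries, given as (kind, value) pairs, down to
    the dirName entries the configured base DN would match; URI entries are
    left to certificate mode and skipped here."""
    return [value for kind, value in points
            if kind == "dirName" and base_dn_matches(value, base_dn, reverse_dn)]


# Constructed distribution points as they might appear in two client certificates.
POINTS = [
    ("uri", "http://crl.example.test/issuing.crl"),
    ("dirName", "CN=Issuing CA,CN=CDP,DC=f5,DC=com"),
    ("dirName", "c=us,st=wa,l=sea,ou=f5,cn=xxx"),
]

if __name__ == "__main__":
    print("reverseDn=false:", matching_dirnames(POINTS, "dc=f5,dc=com"))
    print("reverseDn=true: ", matching_dirnames(POINTS, "c=us,st=wa", reverse_dn=True))
```

The two sample certificates show why the flag exists: the conventional DN only matches a base DN of dc=f5,dc=com from the end, and the country-first DN only matches c=us,st=wa from the beginning; choosing the wrong direction yields no match and therefore no CRL lookup.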

CRLDP Server Certificate Mode

The table below lists the objects for configuring CRLDP Server Certificate Mode:

Object Type Description
source string Specifies the CRLDP Server Source. For a CRLDP Server Certificate mode, the value is certificate. This is a required setting.
dnsResolverName integer or null Specifies the DNS resolver object to be used by the server to resolve DNS names for endpoint URIs. The default value is global_f5_internal_net_resolver. Refer to How to: Manage DNS Resolution for more details.

CRLDP Auth item

The table below lists the objects for configuring CRLDP authentication. In the Access policy, you define these in the policy object.

Object Type Description
caption string Specifies a human-readable description of the policy item.
expression string Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget.
The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string.
For example,
"expression": "return {1800}",
"expression": "return {Hello World}",
"expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
"expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
"expression": "expr {1800}".
For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
For a list of session variables, refer to Reference: Session Variables.
itemType string Specifies the BIG-IP Next Access policy item. For the CRLDP Auth item, the value is aaa-crldp. This is a required setting.
name string Specifies the name of the BIG-IP Next Access policy item.
nextItems array Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting.
server string Specifies the CRLDP server name. This is a required setting.

Kerberos Authentication

To configure Kerberos Auth, you must create a Kerberos AAA server and authentication objects.

For instructions and examples on configuring Kerberos Auth, refer to How To: Configure Kerberos Authentication.

Kerberos AAA Server

Kerberos AAA server specifies the objects for configuring a Kerberos authentication server. In the BIG-IP Next Access policy, you define Kerberos AAA server properties in the externalServers object.

The table below lists the objects for configuring a Kerberos AAA server:

Object Type Description
authRealm string Specifies a Kerberos auth realm name (administrative name), such as testbed.lab.companynet.com. This is a required setting.
description string Specifies the description of the server.
keytabFileName string Specifies a keytab file that contains Kerberos encrypted keys. These are derived from the Kerberos password. It contains the service keys that the server uses to authenticate the client. This is a required setting.
name string Specifies the name of the Kerberos server. This is a required setting.
serverType string Specifies the external server type. For Kerberos server, the value is Kerberos. This is a required setting.
serviceName string Specifies the Kerberos service name; for example, HTTP. This is a required setting.
spn string Specifies the Kerberos service principal name; for example, %{session.vmware.spn}.
spnFormat string Specifies the service principal name (SPN) format for the Kerberos AAA server. Valid values are host-based-service and krb5-nt-principal-name. All existing Kerberos AAA servers are host-based services by default. Use krb5-nt-principal-name for VMware View clients.
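Both the Active Directory AAA server (keytabFileName, used for kdcValidation) and the Kerberos AAA server above take a keytab file, and the tables say only that it holds the service keys derived from the Kerberos password. Before uploading one it is worth confirming that it actually contains the expected service principal and that none of its keys use a legacy encryption type. The following is an added example, not F5 code, that writes and reads the MIT keytab file format (version 0x0502: a two-byte version, then entries each prefixed by a signed 32-bit length, where a negative length marks a deleted slot to skip over). The keytab it inspects is built in memory from constructed principal names and dummy key bytes; no real keys are involved.

```python
"""Inspect a Kerberos keytab before it is uploaded and named in keytabFileName,
for either the AD AAA server (kdcValidation) or the Kerberos AAA server above.

Added example, not F5 code. Implements the MIT keytab file format (version
0x0502). The keytab below is built in memory from constructed principals and
dummy key bytes."""
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {23}  # RC4-HMAC is deprecated; a keytab carrying it deserves a finding
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}


def _counted(data):
    """Length-prefixed (16-bit, big-endian) octet string."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(entries):
    """Serialize (principal, realm, name_type, kvno, enctype, key) tuples as a keytab."""
    out = b"\x05\x02"
    for principal, realm, name_type, kvno, enctype, key in entries:
        components = principal.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in components)
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                        # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return one dict per live entry: principal, name type, kvno, enctype, key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # deleted entry: a hole of -size bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(data, pos)
            components.append(component)
        name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4 + key_len
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({
            "principal": "/".join(components) + "@" + realm,
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, str(enctype)),
            "weak": enctype in WEAK_ENCTYPES,
            "key_len": key_len,
        })
    return entries


def audit_keytab(data, expected_principal):
    """Report whether the expected service principal is present and which entries use weak keys."""
    entries = parse_keytab(data)
    return {
        "entries": len(entries),
        "has_expected": any(e["principal"] == expected_principal for e in entries),
        "weak": [f'{e["principal"]} kvno={e["kvno"]} {e["enctype"]}' for e in entries if e["weak"]],
    }


# Constructed sample: one strong and one legacy key for the same service principal.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/gw.example.test", "EXAMPLE.TEST", 3, 2, 18, b"\x11" * 32),
    ("HTTP/gw.example.test", "EXAMPLE.TEST", 3, 2, 23, b"\x22" * 16),
])

if __name__ == "__main__":
    print(audit_keytab(SAMPLE_KEYTAB, "HTTP/gw.example.test@EXAMPLE.TEST"))
```

To check a real file, read it in binary mode and pass the bytes to audit_keytab together with the principal you expect, in the form serviceName/host@REALM; a keytab whose kvno no longer matches the account's current key version will fail validation, so the kvno value the audit prints is worth comparing with the directory.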

Kerberos Auth Item

The table below lists the objects for configuring Kerberos authentication. In the BIG-IP Next Access policy, you define these in the policy object.

Object Type Description
caption string Specifies a human-readable description of the policy item.
expression string Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget.
The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string.
For example,
"expression": "return {1800}",
"expression": "return {Hello World}",
"expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
"expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
"expression": "expr {1800}".
For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
For a list of session variables, refer to Reference: Session Variables.
extractGroupSids boolean Specifies whether to allow the Kerberos Authentication to extract user group membership SIDs from the Kerberos authentication ticket. The default value is false.
groupSidsSessVar string Specifies a custom variable name for the session variable used to store extracted Group SIDs. The default value is session.kerberos.last.groupsids.
itemType string Specifies the BIG-IP Next Access policy item. For the Kerberos Auth item, the value is aaa-kerberos. This is a required setting.
maxLogonAttempt integer Specifies the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3.
name string Specifies the name of the BIG-IP Next Access policy item.
nextItems array Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting.
requestBasedAuth boolean Specifies whether per-request authentication is enabled. When disabled, authentication occurs only while the Access policy is executing. The default value is false.
server string Specifies the Kerberos server name. This is a required setting.

      LDAP Authentication

      To configure LDAP authentication, you must create an LDAP AAA server and Auth item. To query the external LDAP server for additional information about the user, refer to the LDAP Query section in Interrogation Items.

      For instructions and examples on configuring LDAP Auth, refer to How To: Configure LDAP Authentication using BIG-IP Next instances.

      LDAP AAA Server

      LDAP AAA server specifies the objects for configuring an LDAP authentication server. In the BIG-IP Next Access policy, you define LDAP AAA server properties in the externalServers object.

      The table below lists the objects for configuring an LDAP AAA server:

      Object Type Description
      addr string Specifies an IPv4 or IPv6 address of the LDAP or LDAPS server.
      adminDn string Specifies the Distinguished Name (DN) of the user with administrator rights. This is a required setting.
      adminPassword string Specifies the admin password for the LDAP server. This is a required setting.
      baseDn string Specifies the base DN from which to search. This search DN is used to search groups across a whole directory.
      description string Specifies the description of the server.
      groupCacheTtl integer Specifies a lifetime for the group cache in days. The default value is 30.
      isLdaps boolean Specifies whether to use the LDAPS protocol during authentication. The default value is false. When set to true, you must also specify the tls.
      l4ServerSide string Specifies the L4 server-side object.
      ldapSchemaAttrs object Access provides Active Directory-specific default values for the LDAP schema-specific attribute names. You can change them to reflect your schema.
      • groupMember
      string If the group object maintains a list of users that belong to it, specifies the value of its attribute. Defaults to member.
      • groupMemberValue
      string If the groupMember attribute is specified, this field specifies the attribute that is used to add users to a group. Defaults to dn.
      • groupMemberof
      string If the group object maintains membership in other groups, specifies the value of the membership attribute. Defaults to memberOf.
      • groupObjectClass
      string Specifies the value of the objectClass attribute for a group object. Defaults to group.
      • userMemberof
      string If the user object maintains a group membership, specifies the value of the membership attribute. Defaults to memberOf.
      • userObjectClass
      string Specifies the value of the objectClass attribute for a user object. The default value is user.
      monitors object Specifies a monitor to track the health of your AAA LDAP server.
      • icmp
      object Specifies the ICMP monitor settings that makes a simple node check. The check is successful if the monitor receives a response to an ICMP_ECHO datagram. Specify the following parameters in this object:
      • interval: Specifies the monitor check frequency. Type - integer.
      • timeout: Specifies the time in which the target must respond. to the monitor request. Type - integer.
      • tcp
      object Verifies the Transmission Control Protocol (TCP) service by attempting to receive specific content from a resource. The check is successful when the content matches the value of the Receive String setting. Specify the following parameters in this object:
      • interval: Specifies the monitor check frequency. Type - integer.
      • timeout: Specifies the time in which the target must respond to the monitor request. Type - integer.
      • sendString: Specifies the text string to send to the target. You must include \r\n at the end of a non-empty send string. The default setting is GET /\r\n, which retrieves a default HTML file for a web site. To retrieve a specific page from a web site, specify a fully-qualified path name, for example, GET /www/siterequest/index.html\r\n.
      • receiveString: Specifies the text string that the monitor looks for in the returned resource. For example, for the receive string value <HEAD>, the monitor searches for a standard HTML tag. You can also use the default null receive string value [""]. In this case, any content retrieved is considered a match. If both the sendString and receiveString objects are empty, only a simple connection check is performed.
      • receiveDisableString: Specifies the text string that the monitor looks for in the returned resource. This setting works similar to receiveString, except that target (the node or pool member) is disabled when its response matches the receiveString value.
      name string Specifies the name of the AAA LDAP server. This is a required setting.
      port integer Specifies the port number to access the remote LDAP host server. The default value is 389.
      serverType string Specifies the external server type. For LDAP server, the value is Ldap. This is a required setting.
      tls object Specifies the TLS default properties for connections on the server side.
      • cipherstring
      string Specifies the cipher string to use for server-side SSL communications. Default value is DEFAULT.
      • tlsVersions
      object Specifies the TLS versions that need to be enabled. Specify the following parameters in this object:
      • enableTLS1.3: Specifies whether TLS 1.3 is enabled. Type - boolean.
      • enableTLS1.2: Specifies whether TLS 1.2 is enabled. Type - boolean.
      • enableTLS1.1: Specifies whether TLS 1.1 is enabled. Type - boolean.
      timeout integer Specifies a timeout interval (in seconds) for the AAA server after which the server closes a connection. The default value is 15.

      LDAP Auth Item

      The table below lists the objects for configuring an LDAP authentication. In the BIG-IP Next Access policy, you define these in the policy object.

      Object Type Description
      attributeName array Specifies to add or delete an attribute name from the item.
      caption string Specifies a human-readable description of the policy item.
      expression string Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget.
      The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string.
      For example,
      "expression": "return {1800}",
      "expression": "return {Hello World}",
      "expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
      "expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
      "expression": "expr {1800}".
      For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
      For a list of session variables, refer to Reference: Session Variables.
      filter string Specifies the search criteria to use when querying the LDAP server for the user's information. Enclose the string in parentheses.
      For example,
      (sAMAccountName=%{session.logon.last.username}) or (sAMAccountName=%{subsession.logon.last.username}) - Populates the filter with the username from the current session.
      itemType string Specifies the BIG-IP Next Access policy item. For the LDAP Auth item, the value is aaa-ldap. This is a required setting.
      maxLogonAttempt integer Specifies the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3.
      name string Specifies the name of the BIG-IP Next Access policy item.
      nextItems array Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting.
      searchDn string Specifies the base domain name that Access uses for internal LDAP search operations. You must use this object with the filter object.
      For example,
      session.ssl.cert.last.cn - Uses the user CN from the SSL certificate. Useful as a value for any property in this table.
      server string Specifies the LDAP server name. This is a required setting.
      showExtendedError boolean Specifies whether to display the comprehensive error message generated by the authentication server on the user's Logon page. The default value is false. When set to false, only non-comprehensive error messages generated by the authentication server are shown on the user's Logon page.
      Note: This setting is intended only for use in a testing or debugging environment, not in production. If you enable this setting in a live environment, your system might be vulnerable to malicious attacks.
      type string Specifies a type of AAA LDAP item. This is a required setting. Valid values are auth and query. For LDAP authentication, the value is auth.
      userDn string Specifies the name (in distinguished name -DN format) that represents the user on the backend LDAP server.
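The following Python example assembles an LDAP AAA server entry and an LDAP Auth item from the fields in the two tables above and checks the documented constraints (required settings, isLdaps requiring tls, a parenthesized filter used together with searchDn). It also shows how a %{session.logon.last.username} reference in the filter is expanded. This is an added example, not code from the BIG-IP Next documentation or its API: how the two objects are nested in a complete policy document, the helper names, the monitor values, the LDAPS port, and the session.ldap.last.authresult variable used in the Successful branch are assumptions. The page does not say whether Access escapes substituted values, so the filter renderer applies RFC 4515 escaping to show what a safe substitution looks like.

```python
"""Build and sanity-check an LDAP AAA server and an LDAP Auth item.

Added example; this is not code from the BIG-IP Next documentation.
Field names and defaults follow the reference tables. How the two objects
sit in a complete policy document, the helper names, the monitor values,
the LDAPS port and the Successful-branch session variable are assumptions.
"""
import re

# A filter references session variables as %{session.logon.last.username}
_SESSION_REF = re.compile(r"%\{([A-Za-z0-9_.]+)\}")


def ldap_filter_escape(value: str) -> str:
    """Escape filter metacharacters (RFC 4515) so a substituted value such as
    'j.doe (contractor)' cannot change the shape of the filter. Whether Access
    escapes substituted values itself is not stated on the page."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def render_filter(template: str, session: dict) -> str:
    """Expand %{var} references in a filter from the session variables."""
    def repl(match):
        name = match.group(1)
        if name not in session:
            raise KeyError(f"session variable not set: {name}")
        return ldap_filter_escape(session[name])
    return _SESSION_REF.sub(repl, template)


def ldap_server(name: str, l4_server_side: str, base_dn: str, ldaps: bool = False) -> dict:
    """externalServers entry for an LDAP AAA server (serverType Ldap)."""
    server = {
        "name": name,
        "serverType": "Ldap",
        "l4ServerSide": l4_server_side,
        "baseDn": base_dn,
        "port": 636 if ldaps else 389,  # 636 for LDAPS is an assumption; the documented default is 389
        "isLdaps": ldaps,
        "timeout": 15,
        "groupCacheTtl": 30,
        "ldapSchemaAttrs": {  # Active Directory defaults from the table
            "groupMember": "member", "groupMemberValue": "dn", "groupMemberof": "memberOf",
            "groupObjectClass": "group", "userMemberof": "memberOf", "userObjectClass": "user",
        },
        # Empty send/receive strings give a simple TCP connection check (constructed values)
        "monitors": {"tcp": {"interval": 5, "timeout": 16, "sendString": "", "receiveString": ""}},
    }
    if ldaps:
        # isLdaps=true requires the tls object; TLS 1.1 is left disabled
        server["tls"] = {"cipherstring": "DEFAULT",
                         "tlsVersions": {"enableTLS1.3": True, "enableTLS1.2": True, "enableTLS1.1": False}}
    return server


def ldap_auth_item(name: str, server_name: str, search_dn: str, filter_template: str,
                   max_logon_attempts: int = 3) -> dict:
    """policy item of itemType aaa-ldap, type auth, with Successful and fallback branches."""
    return {
        "itemType": "aaa-ldap",
        "type": "auth",
        "name": name,
        "caption": "LDAP Auth",
        "server": server_name,
        "searchDn": search_dn,
        "filter": filter_template,
        "maxLogonAttempt": max_logon_attempts,
        "nextItems": [
            # session.ldap.last.authresult is assumed here; it is not listed on this page
            {"itemType": "allow", "name": "Allow", "caption": "Successful",
             "expression": "expr {[mcget {session.ldap.last.authresult}] == \"1\"}"},
            {"itemType": "deny", "name": "Deny", "caption": "fallback"},
        ],
    }


def check_ldap_config(server: dict, item: dict) -> list:
    """Return the documented constraints the pair violates ([] when it is fine)."""
    problems = []
    for key in ("name", "serverType"):
        if not server.get(key):
            problems.append(f"server: {key} is required")
    if server.get("serverType") != "Ldap":
        problems.append("server: serverType must be Ldap")
    if server.get("isLdaps") and "tls" not in server:
        problems.append("server: isLdaps=true requires the tls object")
    for key in ("itemType", "type", "server", "nextItems"):
        if not item.get(key):
            problems.append(f"item: {key} is required")
    if item.get("itemType") != "aaa-ldap":
        problems.append("item: itemType must be aaa-ldap")
    if item.get("type") not in ("auth", "query"):
        problems.append("item: type must be auth or query")
    if item.get("server") != server.get("name"):
        problems.append("item: server does not name the LDAP AAA server")
    flt = item.get("filter")
    if flt is not None and not (flt.startswith("(") and flt.endswith(")")):
        problems.append("item: filter must be enclosed in parentheses")
    if ("searchDn" in item) != ("filter" in item):
        problems.append("item: searchDn and filter must be used together")
    return problems
```

The checker is deliberately strict about the server name in the item matching the externalServers entry, since that mismatch is the usual reason a policy loads but every authentication falls through to the fallback branch.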

      NTLM Authentication

      You configure NTLM Authentication for domain-joined computers to authenticate users logged in with their domain-user accounts. To configure NTLM Authentication, you must create an NTLM Authentication Configuration and NTLM Auth Result objects.

      For instructions on configuring NTLM Authentication, refer to How to: Configure NTLM Authentication using BIG-IP Next instances.

      NTLM Authentication Configuration

      The NTLM Authentication Configuration specifies the domains that a machine account can access. In addition, you can also configure an NTLM machine configuration that creates a machine account on the domain controller. It also creates a NetBIOS Domain Name object that is automatically populated after creating a machine account.

      In the Access policy, you define NTLM Authentication Configuration properties in the ntlmAuthConfig object.

      The table below lists the objects for configuring an NTLM Authentication configuration:

      Object Type Description
      machineAccount object Specifies the trusted machine account configuration to perform the NTLM authentication. This is a required setting.
      • machineAccountName
      string Specifies the name of the machine trust account to which the NTLM Auth Configuration applies. This is a required setting.
      • domainFqdn
      string Specifies the fully qualified domain name (FQDN) of the domain you want the machine account to join. This is a required setting.
      • netbiosDomainName
      string Specifies the NetBIOS domain name for the machine. This is a required setting. This parameter is automatically populated after a machine account is created.
      • dcFqdn
      string Specifies the FQDN of the domain controller defined in the dcFqdnList parameter for this machine account. For example, dc.example.com.
      • password
      string Specifies the machine account password. This is a required setting.
      dcFqdnList array Specifies the fully qualified domain names of the domain controllers that the machine account can access. You should add only domain controllers that belong to one domain. By specifying more than one domain controller, you enable high availability. If the first domain controller on the list is unavailable, Access tries the next domain controller on the list, and so on.

      NTLM Auth Result

      The NTLM Auth Result item allows you to check the result of NTLM authentication of end-user credentials. This item is similar to an Empty item where you can add built-in or custom branch rules with Tcl expressions. It triggers and evaluates Tcl expressions against session variable values in the two outgoing branches: Successful and fallback.

      In the Access policy, you define the NTLM Auth Result item in the policy object.

      The table below lists the objects for the NTLM Auth Result item.

      Object Type Description
      itemType string Specifies the BIG-IP Next Access policy item. For the NTLM Auth Result item, the value is ntlm-auth-result. This is a required setting.
      name string Specifies the name of the BIG-IP Next Access policy item.
      caption string Specifies a human-readable description of the policy branch.
      expression string Specifies the Tcl expression. The Tcl expression can contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string. The mcget command gets the session variable from the memory cache.
      For example,
      "expression": "return {1800}",
      "expression": "return {Hello World}",
      "expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
      "expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
      "expression": "expr {1800}".
      For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
      For a list of session variables, refer to Reference: Session Variables.
      nextItems array Specifies the branches to the next policy item. This is a required setting.

      OCSP Authentication

      To configure OCSP Authentication, you must create an OCSP AAA Responder and Auth item.

      For instructions on configuring OCSP Authentication, refer to How To: Configure OCSP Authentication using BIG-IP Next instances.

      OCSP AAA Responder

      OCSP AAA Responder specifies the objects for configuring an OCSP responder server. In the Access policy, you define OCSP AAA responder properties in the externalServers object.

      The table below lists the objects for configuring an OCSP AAA responder.

      Object Type Description
      allowCerts boolean Specifies whether to allow the addition of certificates to an OCSP request. The default value is true.
      cafile string Specifies the name of the file containing the trusted CA certificates used to verify the signature on the OCSP response. This is a required setting.
      certidDigest string or null Specifies the algorithm for converting the client certificate and its issuer certificate to an OCSP cert ID. The cert ID is added to the OCSP request.
      chain boolean or null Specifies whether to construct a certificate chain in the OCSP response. The default value is true.
      checkCerts boolean or null Specifies whether to make additional checks to verify if the signer's certificate is authorized to provide the required status information. The default value is true.
      description string Specifies the description of the OCSP responder.
      explicitOcsp boolean or null Specifies whether to explicitly trust that the OCSP signer's certificate is authorized for OCSP response signing. The default value is true.
      Note: The X509 certificate has several extensions, one of which indicates whether the certificate can be used for signing. If this parameter is enabled, but the signer's certificate does not contain the OCSP signing extension field, BIG-IP Next Access does not trust the response.
      ignoreAia boolean or null Specifies whether to ignore the URL in the certificate's AIA fields and use the URL the responder specifies. The default value is false.
      intern boolean or null Specifies whether to look internally in the OCSP response for the signer's certificate. The default value is true.
      name string Specifies the name for the OCSP Responder server. This is a required setting.
      nonce boolean or null Specifies whether to add a nonce extension to OCSP requests. The default value is true.
      serverType string Specifies the external server type. For the OCSP responder item, the value is ocsp. This is a required setting.
      signDigest string or null Specifies the algorithm to use for certificate identification in the OCSP request. The default value is sha1. The valid values are md5 and sha1.
      signOther string Specifies additional certificates to include in the OCSP request.
      signer string Specifies the certificate name to sign an OCSP request. If the signer is specified, but the signkey is not specified, then the private key is read from the same file as the certificate. The request is not signed if neither the signer nor the signkey is specified. If only the signkey is specified, then the configuration is considered invalid.
      signkey string Specifies the signing key to sign an OCSP request.
      statusAge integer or null Specifies a time (in seconds) to compare to the notBefore time of an OCSP response. Each certificate status response includes a notBefore time and an optional notAfter time. This property is used when the status response does not include the notAfter time. The value of statusAge should be more than the notBefore time. The default value is 0.
      trustOther boolean or null Specifies whether to trust the certificates specified in the verifyOther setting. The default value is false.
      url string Specifies the URL used to contact the OCSP service on the responder.
      vafile string Specifies the name of the file containing explicitly-trusted responder certificates. This parameter is required when the responder is not covered by the certificates that are already loaded into the responder's CA store.
      validityPeriod integer or null Specifies an acceptable error range (in seconds) for the time tolerated in an OCSP response. Each certificate status response includes a notBefore time and an optional notAfter time and the current time should fall between these two values. This setting is used when the OCSP responder and client clocks are not synchronized, which could cause a certificate status check to fail. The default value is 300.
      verify boolean or null Specifies whether to verify an OCSP response signature or the nonce value. The default value is true.
      verifyCert boolean or null Specifies whether to verify the certificate in the OCSP response. The default value is true.
      verifyOther string Specifies the file name used to search for an OCSP response signing certificate when the certificate has been omitted from the response.
      verifySig boolean or null Specifies whether to check the signature on the OCSP response. The default value is true.
      dnsResolverName string or null Specifies the DNS resolver object to be used to perform DNS resolution. The default value is global_f5_internal_net_resolver. Refer to How to: Manage DNS Resolution for more details.
      serverTls object or null Specifies the TLS default properties for connections with the OCSP responder.
      • cipherstring
      string or null Specifies the cipher string to use for server-side SSL communications. The default value is DEFAULT.
      • tlsVersions
      object or null Specifies the TLS versions that need to be enabled. Specify the following parameters in this object:
      • enableTLS1.3: Specifies whether TLS 1.3 is enabled. Type - boolean or null.
      • enableTLS1.2: Specifies whether TLS 1.2 is enabled. Type - boolean or null.
      • enableTLS1.1: Specifies whether TLS 1.1 is enabled. Type - boolean or null.
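The following Python example applies the time-window rules described for validityPeriod and statusAge to the notBefore/notAfter times of a certificate status, and checks an OCSP responder entry against the constraints in the table above (required settings, the signer/signkey combinations, trustOther needing verifyOther, the accepted signDigest values). This is an added example, not code from the BIG-IP Next documentation. The window logic is modelled on OpenSSL's OCSP_check_validity, which these options appear to mirror; treating statusAge 0 as "no age check" is an assumption, as are the helper names and the constructed responder entry.

```python
"""Check an OCSP AAA responder entry and apply its time-window rules.

Added example, not code from the BIG-IP Next documentation. The config
checks follow the reference table. The time-window logic is modelled on
OpenSSL's OCSP_check_validity: validityPeriod is the clock-skew tolerance
around notBefore/notAfter, and statusAge bounds the age of a response
that carries no notAfter. Treating statusAge 0 as "no age check" is an
assumption.
"""
from datetime import datetime, timedelta, timezone


def response_window_ok(this_update: datetime, next_update, now: datetime,
                       validity_period: int = 300, status_age: int = 0):
    """Return (accepted, reason) for the notBefore (this_update) and optional
    notAfter (next_update) times of one certificate status."""
    skew = timedelta(seconds=validity_period)
    if this_update - skew > now:
        return False, "notBefore is further in the future than validityPeriod allows"
    if next_update is not None:
        if next_update + skew < now:
            return False, "notAfter (plus validityPeriod) has passed: stale response"
        return True, "now lies within notBefore..notAfter (with validityPeriod tolerance)"
    # No notAfter: only statusAge can reject an old response
    if status_age > 0 and now - this_update > timedelta(seconds=status_age):
        return False, "no notAfter and the response is older than statusAge"
    return True, "no notAfter; statusAge check passed or disabled"


def check_responder(cfg: dict):
    """Return (problems, warnings) for an OCSP responder in externalServers."""
    problems, warnings = [], []
    for key in ("name", "serverType", "cafile"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    if cfg.get("serverType") != "ocsp":
        problems.append("serverType must be ocsp")
    if cfg.get("signkey") and not cfg.get("signer"):
        problems.append("signkey without signer is an invalid configuration")
    if cfg.get("signer") and not cfg.get("signkey"):
        warnings.append("signkey not set: the private key is read from the signer file")
    if cfg.get("signDigest") not in (None, "md5", "sha1"):
        problems.append("signDigest must be md5 or sha1")
    if cfg.get("signDigest") == "md5":
        warnings.append("md5 is the weaker of the two accepted digests; prefer sha1")
    if cfg.get("trustOther") and not cfg.get("verifyOther"):
        problems.append("trustOther=true but verifyOther names no certificate file")
    if cfg.get("verify") is False:
        warnings.append("verify=false: neither the response signature nor the nonce is checked")
    if cfg.get("nonce") is False:
        warnings.append("nonce=false: a recorded response could be replayed within its validity window")
    tls_versions = (cfg.get("serverTls") or {}).get("tlsVersions") or {}
    if tls_versions.get("enableTLS1.1"):
        warnings.append("TLS 1.1 is enabled toward the responder")
    return problems, warnings


# Constructed responder entry (not from the page); the CA bundle name is a placeholder
EXAMPLE_RESPONDER = {
    "name": "corp-ocsp",
    "serverType": "ocsp",
    "url": "http://ocsp.example.com",
    "cafile": "uploaded-ca-bundle-name",
    "nonce": True, "verify": True, "verifyCert": True, "verifySig": True,
    "validityPeriod": 300, "statusAge": 0,
    "serverTls": {"cipherstring": "DEFAULT",
                  "tlsVersions": {"enableTLS1.3": True, "enableTLS1.2": True, "enableTLS1.1": False}},
}
```

The 300-second default for validityPeriod is what lets a response whose notAfter passed a few minutes ago still be accepted when the responder's clock runs ahead of the BIG-IP Next clock; a larger value widens that grace window in both directions.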

      OCSP Auth

      You can use OCSP Auth item objects to obtain and verify the revocation status for a user certificate. You must have an OCSP Responder configured before you add an OCSP Auth item to the policy. In the Access policy, you define these properties in the policy object.

      The table below lists the objects for configuring an OCSP authentication:

      Object Type Description
      caption string Specifies a human-readable description of the policy branch.
      expression string Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget.
      The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string.
      For example,
      "expression": "return {1800}",
      "expression": "return {Hello World}",
      "expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
      "expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
      "expression": "expr {1800}".
      For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
      For a list of session variables, refer to Reference: Session Variables.
      itemType string Specifies the BIG-IP Next Access policy item. For the OCSP Auth item, the value is aaa-ocsp. This is a required setting.
      name string Specifies the name of the BIG-IP Next Access policy item.
      nextItems array Specifies the branches to the next policy item. This is a required setting.
      ocspResponder string Specifies the OCSP responder name. This is a required setting.

      On-Demand Client Cert Auth

      The On-Demand Client Certificate Auth item allows you to request and validate SSL certificates on demand. Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. You can configure a client SSL profile to skip the initial SSL handshake and add the On-Demand Certificate Auth item to the Access policy to re-negotiate the SSL connection later. An On-Demand Client Cert Auth item can be used in scenarios where all employees gain access to the network, but a few employees gain access to servers with sensitive information.

      To disable client authentication in the initial SSL handshake, set the enable (field/attribute) in the tls object on ClientSide to false. With this setting, Access does not prompt for a certificate request and provides a Logon page to the user. When the Access policy runs the On-Demand Client Cert Auth item, the item re-negotiates the SSL connection by sending a certificate request to the client. After the client provides a valid certificate, the On-Demand Client Cert Auth item verifies the value of the session variable session.ssl.cert.valid to determine whether authentication succeeded. The On-Demand Certificate Auth item is supported only for a per-session Access policy.

      Note: You cannot use TLS1.3 with On-Demand Certificate Auth as TLS1.3 does not have the ability to perform “renegotiation.”

      Example: The following example shows an Access policy with On-Demand Client Certificate Auth objects.

      The Tcl expression expr {[mcget {session.ssl.cert.valid}] == "0"} reads the client certificate validation result from the session variable. If the certificate is valid (the value is 0), the session is allowed to continue.

      {
          "policyType": "PerSession",
          "name": "apssp1",
          "profileType": "ltm-apm",
          "scope": "global",
          "timeout": 11,
          "inactivityTimeout": 22,
          "policy":
          {
              "objectContent":
              {
                  "languages": [ "en" ],
                  "defaultLanguage": "en",
                  "start":
                  {
                      "caption": "Fallback",
                      "itemType": "aaa-on-demand-client-cert",
                      "name": "on-demand-client-cert-item",
                      "mode": "require",
                      "nextItems": [
                          {
                              "itemType": "allow",
                              "expression": "expr {[mcget {session.ssl.cert.valid}] == \"0\"}",
                              "name": "Allow",
                              "caption": "Successful"
                          },
                          {
                              "itemType": "deny",
                              "name": "Deny",
                              "caption": "fallback"
                          }
                      ]
                  }
              }
          }
      }
      

      The table below lists the objects for configuring an On-Demand Client Certificate Auth item:

      Object Type Description
      caption string Specifies a human-readable description of the policy branch.
      expression string Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget.
      The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string.
      For example,
      "expression": "return {1800}",
      "expression": "return {Hello World}",
      "expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }",
      "expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", and
      "expression": "expr {1800}".
      For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
      For a list of session variables, refer to Reference: Session Variables.
      itemType string Specifies the BIG-IP Next Access policy item. For the On-Demand Client Certificate Auth item, the value is aaa-on-demand-client-cert. This is a required setting.
      mode string Specifies the mode of authentication. The default value is request. The valid values are:
      • require: With this mode, it is required that a client provides a valid certificate. If the client does not provide a valid certificate, the connection terminates, and the client's browser stops responding.
      • request: With this mode, BIG-IP Next requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, this action takes the fallback route in the Access policy.
      name string Specifies the name of the BIG-IP Next Access policy item.
      nextItems array Specifies the branches to the next policy item. This is a required setting.
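The following Python example shows how the nextItems branches of the On-Demand Client Cert Auth policy above are selected: branches are tried in order, the first whose expression evaluates true is taken, and the branch without an expression is the fallback. It also evaluates the return and expr forms listed under expression in the tables on this page. This is an added example, not BIG-IP Next code; it is not a Tcl interpreter and supports only the expression shapes shown on the page (return {...}, expr {constant}, and expr {[mcget {var}] == "value"} or !=). Session variables are read from a plain dict, and treating an unset variable as an empty string is an assumption.

```python
"""Pick the nextItems branch an Access policy item would take.

Added example, not BIG-IP Next code. It handles only the expression shapes
shown on this page: `return {...}`, `expr {<constant>}` and
`expr {[mcget {var}] == "value"}` (or !=). Session variables come from a
dict; an unset variable reading as an empty string is an assumption.
"""
import re

# [mcget var] and [mcget {var}] both read a session variable
_MCGET = re.compile(r"\[mcget \{?([A-Za-z0-9_.]+)\}?\]")


def _substitute(text: str, session: dict) -> str:
    """Replace every mcget call with the session variable's value."""
    return _MCGET.sub(lambda m: str(session.get(m.group(1), "")), text)


def _coerce(token: str):
    """Tcl compares numerically when both operands look numeric, else as strings."""
    token = token.strip().strip('"')
    try:
        return int(token)
    except ValueError:
        try:
            return float(token)
        except ValueError:
            return token


def evaluate(expression: str, session: dict):
    """Return the value of one branch-rule expression."""
    expression = expression.strip()
    m = re.fullmatch(r"return\s*\{(.*)\}", expression, re.S)
    if m:
        return _coerce(_substitute(m.group(1), session))
    m = re.fullmatch(r"expr\s*\{(.*)\}", expression, re.S)
    if not m:
        raise ValueError(f"unsupported expression: {expression}")
    body = _substitute(m.group(1), session)
    for op in ("==", "!="):
        if op in body:
            left, right = body.split(op, 1)
            same = _coerce(left) == _coerce(right)
            return same if op == "==" else not same
    return _coerce(body)  # bare constant such as expr {1800}


def next_item(item: dict, session: dict) -> str:
    """Branches are tried in order: the first whose expression is true wins,
    and a branch without an expression is the fallback."""
    for branch in item["nextItems"]:
        expression = branch.get("expression")
        if expression is None:
            return branch["name"]
        result = evaluate(expression, session)
        numeric_true = isinstance(result, (int, float)) and not isinstance(result, bool) and result != 0
        if result is True or numeric_true:
            return branch["name"]
    raise LookupError("no branch matched and the item has no fallback branch")


# The "start" item of the On-Demand Client Cert Auth policy example, reduced to what next_item needs
ON_DEMAND_ITEM = {
    "itemType": "aaa-on-demand-client-cert",
    "name": "on-demand-client-cert-item",
    "mode": "require",
    "nextItems": [
        {"itemType": "allow", "name": "Allow", "caption": "Successful",
         "expression": "expr {[mcget {session.ssl.cert.valid}] == \"0\"}"},
        {"itemType": "deny", "name": "Deny", "caption": "fallback"},
    ],
}
```

Note that with the expression above a missing session.ssl.cert.valid (no certificate presented, so the variable was never set) compares as an empty string and therefore lands on the Deny fallback, which is the behaviour you want from a policy that gates access on the certificate.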

      Configuring an application

      Note: Before creating an application, specify a certificate authority (CA) bundle file that includes a list of trusted CA certificates. BIG-IP Next verifies the client user’s identity by validating the client certificate against a list of trusted CA certificates. A trusted CA bundle file can be uploaded using the /api/v1/files endpoint.

      POST https://{{bigip_next_mgmt_ip}}:{{bigip_next_mgmt_port}}/api/v1/files
      

      Example: The following example shows an application configuration for client authentication.

      • template - Specifies the TLS template type to use for authenticating TLS clients.

      • trustedCa - Specifies the name of the trusted CA bundle file you uploaded earlier.

      • enable - Set this object to false to disable Client Authentication.

      • perSessionAccessPolicy - Name of the Access policy you created earlier.

      Refer to the Create an application with stack section for details on creating an application.

      {
          "name": "Access_App",
          "description": "Web server for F5",
          "stacks": [
              {
                  "stackType": "HttpRevProxy",
                  "name": "Stack_With_SSL_Profile",
                  "clientSide":
                  {
                      "l4ClientSide": "ext_l4_clientside",
                      "tls":
                      {
                          "cipherstring": "DEFAULT",
                          "template": "CLIENTSIDE_TLS_CLIENT_AUTH_TEMPLATE",
                          "trustedCa": "uploaded-ca-file-name",
                          "enable": false,
                          "keyCertificatePairs": [
                              {
                                  "keyCertificateContent":
                                  {
                                      "keyFile": "uploaded-key-file-name",
                                      "certificateFile": "uploaded-cert-file-name"
                                  }                   
                              }]
                      }
                  },
                  "serverSide":
                  {
                      "l4ServerSide": "ext_l4_serverside"
                  },
                  "policies": [
                  {
                      "perSessionAccessPolicy": "apssp1"
                  }]
              }
          ]
      }
      

      RADIUS Authentication

      To configure RADIUS Auth, you must create a RADIUS AAA server and authentication objects.

      For instructions on configuring RADIUS Auth, refer to How to: Configure RADIUS Authentication using BIG-IP Next instances.

      RADIUS AAA Server

      RADIUS AAA server specifies the objects for configuring a RADIUS authentication server. In the BIG-IP Next Access policy, you define Radius AAA server properties in the externalServers object.

      The table below lists the objects for configuring a RADIUS AAA server:

      Object Type Description
      name string Specifies the name of the RADIUS AAA server. This is a required setting.
      nasIdentifier string Specifies the string to identify the NAS that originates the access request.
      nasIpAddress string Specifies an IPv4 address to identify the NAS in dotted quad notation using the default zone.
      nasIpv6Address string Specifies an IPv6 address to identify the NAS represented as either a full address, shortened or mixed-shortened formats, using the default zone.
      radiusCharacterSet string Specifies the character encoding used for the user name and password. The default value is cp1252. The valid values are:
      cp1252: The RADIUS Auth item decodes the username and password into CP-1252 before sending it to the RADIUS server.
      utf8: The RADIUS Auth item sends the username and password unmodified.
      retries integer Specifies the number of times that BIG-IP Next Access tries to connect to the RADIUS AAA server after the first attempt fails. The default value is 3.
      secret string Specifies the shared secret password for your RADIUS AAA server. This is a required setting.
      serverSide Specifies the server-side parameters.
      • monitors
      Specifies an ICMP monitor to track the health of your RADIUS server. This object lets you configure the icmp object, which has the following parameters:
      • interval: Specifies the monitor check frequency in seconds. The default value is 5. Type - integer.
      • timeout: Specifies the time in which the target must respond in seconds. The default value is 16. Type - integer.
      • l4ServerSide
      string Specifies an L4 server-side object.
      • loadBalancing
      string Specifies the load balancing method. The default value is round-robin. The valid values are:
      • round-robin: The load balancer passes each new connection request to the next server in line, eventually distributing connections evenly across the array of load-balanced machines. This method works well in most configurations, especially if the equipment you are load balancing is roughly equal in processing speed and memory.
      • least-connections: The load balancer passes a new connection to the node that has the least number of connections in the pool. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities. This dynamic load balancing method distributes connections based on various aspects of real-time server performance analysis, such as the current number of connections per node or the fastest node response time.
      • predictive: The ranking trend is analyzed over time to determine whether a node's performance is improving or declining. The nodes in the pool with better performance rankings that are improving rather than decreasing receive a higher proportion of the connections.
      • weighted-round-robin: Each server is assigned a weight per the number of active connections it contains. The higher the weight of the server, the more requests it receives.
      • ratio-least-connections: The load balancer selects the pool member according to the ratio of the number of connections each pool member has active. If a ratio weight is not specified, it will be treated as a default value of 1.
      • ratio-session: The load balancer selects the pool member according to the ratio of the number of sessions each pool member has active. Pending sessions count as active sessions.
      • fastest: The load balancer passes a new connection based on the quickest response of all currently active nodes in a pool. This method might be beneficial in environments where nodes are distributed across different logical networks.
      • ignorePersistedWeight
      boolean Specifies whether to count the weight of persisted connections on pool members when making load-balancing decisions. The default value is false.
      serverType string Specifies the external server type. For the Radius server, the value is Radius. This is a required setting.
      serviceType string Specifies the type of service you use on the RADIUS server. Service types are specific to your RADIUS implementation. If you retain the default value, the service type is set to authenticate-only. The valid values are:
      • administrative: The user should be granted access to the administrative interface of the NAS from which privileged commands can be executed.
      • authenticate-only: Only authentication is requested, and no authorization information needs to be returned in the Access-Accept.
      • call-check: Used by the NAS in an Access-Request packet to indicate that a call is being received and that the RADIUS server should send back an Access-Accept to answer the call or an Access-Reject to not accept the call, typically based on the Called-Station-Id or Calling-Station-Id attributes.
      • callback-administrative: The user should be disconnected and called back, then granted access to the administrative interface to the NAS from which privileged commands can be executed.
      • callback-framed: The user should be disconnected and called back, then a Framed Protocol should be started for the user.
      • callback-login: The user should be disconnected and called back, then connected to a host.
      • callback-nas-prompt: The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed.
      • default: The service type is set to authenticate-only.
      • framed: A Framed Protocol, such as PPP or SLIP, should be started for the user.
      • login: The user should be connected to a host.
      • nas-prompt: The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
      • outbound: The user should be granted access to outgoing devices.
      timeout integer Specifies the number of seconds to wait for a response from the RADIUS AAA server before timing out. The default value is 5.

      RADIUS Auth Item

      The table below lists the objects for configuring a RADIUS Authentication. In the BIG-IP Next Access policy, you define these in the policy object.

      Object Type Description
      caption string Specifies a human-readable description of the policy branch.
      expression string Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget.
      The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string.
      For example:
      • "expression": "return {1800}"
      • "expression": "return {Hello World}"
      • "expression": "expr { \"[mcget session.custom.value1] + [mcget session.custom.value2]\" }"
      • "expression": "expr { \"[mcget {session.logon.last.domain}]\[mcget {session.logon.last.username}]\" }"
      • "expression": "expr {1800}"
      For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
      For a list of session variables, refer to Reference: Session Variables.
      itemType string Specifies the BIG-IP Next Access policy item. For the RADIUS Auth item, the value is aaa-radius. This is a required setting.
      maxLogonAttempt integer Specifies the number of user authentication logon attempts to allow. It limits the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered one attempt. The default value is 3. The valid values are 1-5.
      name string Specifies the name of the BIG-IP Next Access policy item. This is a required setting.
      nextItems array Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting.
      passwordSource string Specifies the session variable name from which the RADIUS item should read the password. The default value is %{session.logon.last.password}.
      ServerName string Specifies the RADIUS external server configuration. This is a required setting.
      showExtendedError boolean Specifies whether to display the comprehensive error message generated by the authentication server on the user's logon page. This object is intended only for testing or debugging; your system might be vulnerable to malicious attacks when it is set to true in a live production environment. When set to false, non-comprehensive error messages are displayed on the user's logon page. The default value is false.
      usernameSource string Specifies the session variable name from which the RADIUS item should read the username. The default value is %{session.logon.last.username}.
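The following is an added example, not code from F5 or the BIG-IP Next documentation: a small pre-deployment check that tests a RADIUS external server object and a RADIUS Auth item against the constraints stated in the two tables above (required fields, the aaa-radius itemType, the 1-5 range of maxLogonAttempt, the valid serviceType values, and showExtendedError left at false outside of debugging). The sample objects are constructed, and the shape of each nextItems entry (caption plus expression) is assumed from the table.

```python
from typing import Any, Dict, List

# Valid serviceType values, as listed in the RADIUS AAA server table.
SERVICE_TYPES = {
    "administrative", "authenticate-only", "call-check",
    "callback-administrative", "callback-framed", "callback-login",
    "callback-nas-prompt", "default", "framed", "login", "nas-prompt",
    "outbound",
}


def check_radius_item(item: Dict[str, Any], server: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means both objects pass."""
    findings: List[str] = []
    # Required settings from the RADIUS Auth item table.
    for key in ("name", "itemType", "nextItems"):
        if key not in item:
            findings.append(f"missing required item field: {key}")
    if item.get("itemType") != "aaa-radius":
        findings.append("itemType must be aaa-radius for a RADIUS Auth item")
    attempts = item.get("maxLogonAttempt", 3)  # documented default is 3
    if not 1 <= attempts <= 5:
        findings.append(f"maxLogonAttempt {attempts} outside valid range 1-5")
    # Verbose backend errors on the logon page are for debugging only.
    if item.get("showExtendedError", False):
        findings.append("showExtendedError is true: server error detail reaches the logon page")
    # Constraints from the RADIUS AAA server table.
    if server.get("serverType") != "Radius":
        findings.append("serverType must be Radius")
    svc = server.get("serviceType", "default")  # default maps to authenticate-only
    if svc not in SERVICE_TYPES:
        findings.append(f"unknown serviceType {svc!r}")
    if server.get("timeout", 5) <= 0:
        findings.append("timeout must be a positive number of seconds")
    return findings


# Constructed sample objects (not taken from any real policy).
SAMPLE_SERVER = {"serverType": "Radius", "serviceType": "authenticate-only", "timeout": 5}
SAMPLE_ITEM = {
    "name": "radius_auth",
    "itemType": "aaa-radius",
    "maxLogonAttempt": 3,
    "showExtendedError": True,  # deliberately left on so the check flags it
    "usernameSource": "%{session.logon.last.username}",
    "passwordSource": "%{session.logon.last.password}",
    "nextItems": [{"caption": "fallback", "expression": "return {1800}"}],
}
```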