Interrogation Items¶
Interrogation Items are items that limit access based on users, client-side, or server-side endpoints.
Users
Server
Refer to Create Access policy for the OpenAPI specification document.
User Items¶
Active Directory Query¶
You can use Active Directory Query objects to query an external AD server for additional information about the user. You must have an Active Directory AAA server configured before you add an Active Directory query to the policy. When an AD query runs, it populates session variables which are then available for use in the Access policy. In the BIG-IP Next Access policy, you define these properties in the policy object.
The table below lists the objects for configuring an Active Directory query:
Object | Type | Description |
---|---|---|
attrname | array | Specifies an attribute name. |
caption | string | Specifies a human-readable description of the policy item. |
expression | string | Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget. The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string. For example, "expression": "return {1800}", "expression": "return {Hello World}", "expression": "expr { "[mcget session.custom.value1] + [mcget session.custom.value2]" }", "expression": "expr { "[mcget {session.logon.last.domain}]\[mcget {session.logon.last.username}]" }", and "expression": "expr {1800}". For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html. For a list of session variables, refer to Reference: Session Variables. |
fetchNestedGroups | boolean or null | Specifies whether to fetch and associate the user to all groups. The default value is false. This means, by default, the query fetches and associates the user to the groups they belong to directly. If the value is true, the query associates the user with all groups that are nested under the groups they belong to directly. |
fetchPrimaryGroup | boolean or null | Specifies whether to retrieve a user's primary group attributes, including primary group Distinguished Name, for use in the policy. The default value is false. |
filter | string | Specifies the search criteria to use when querying the AD server for the user's information. This is a required setting. When entering a string, enclose it in parentheses. For example, (sAMAccountName=%{session.logon.last.username}) or (sAMAccountName=%{subsession.logon.last.username}) populates the filter with the username from the current session or subsession. |
itemType | string | Specifies the BIG-IP Next Access policy item. For an AD query, the value is aaa-active-directory-query. This is a required setting. |
maxLogonAttempt | integer or null | Specifies the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response are considered as one attempt. The default value is 3. The valid value range is 1-5. |
maxPwdResetAttempt | integer or null | Specifies the number of times to allow a user to try to reset their password. The default value is 3. The valid value range is 1-5. |
name | string | Specifies the name of the BIG-IP Next Access policy item. |
nextItems | array | Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting. |
pwdComplexityCheck | boolean or null | Specifies whether Access performs a password policy check. The default value is false. Access supports the following Active Directory password policies: |
pwdExpirationWarning | integer or null | Specifies to prompt the user to change the password before it expires. The default value is 0 days, which signifies the user will not be prompted. |
server | string | Specifies the Active Directory server. This is a required setting. |
showExtendedError | boolean or null | Specifies whether to display the comprehensive error messages generated by the authentication server on the user's Logon page. The default value is false. Setting the value to false displays only non-comprehensive error messages from the authentication server on the user's Logon page. Note: This setting is intended only for use in a test or debugging environment, not in production. If you enable this setting in a live environment, your system might be vulnerable to malicious attacks. |
upn | boolean or null | Specifies whether to use the userPrincipalName attribute as the search filter. The default value is false. When the value is set to true, user@domain.com format will be used for authentication and in the search filter. |
LDAP Query¶
You can use LDAP Query objects to query an external LDAP server for additional information about the user. You must have an LDAP AAA server configured before you add an LDAP query to the policy. When an LDAP query access policy runs, it populates session variables which are then available for use in the Access policy.
In the BIG-IP Next Access policy, you define these properties in the policy object.
The table below lists the objects for configuring an LDAP query:
Object | Type | Description |
---|---|---|
attributeName | array | Specifies the attribute names to add to, or delete from, the item. |
name | string | Specifies the name of the BIG-IP Next Access policy item. |
itemType | string | Specifies the BIG-IP Next Access policy item. For an LDAP item (both auth and query), the value is aaa-ldap; the type object selects between them. This is a required setting. |
caption | string | Specifies a human-readable description of the policy item. |
filter | string | Specifies the search criteria to use when querying the LDAP server for the user's information. When entering a string, enclose it in parentheses. For example, (sAMAccountName=%{session.logon.last.username}) or (sAMAccountName=%{subsession.logon.last.username}) populates the filter with the username from the current session or subsession. |
searchDn | string | Specifies the base distinguished name (DN) that Access uses for internal LDAP search operations. You must use this object together with the filter object. For example, session.ssl.cert.last.cn uses the user CN from the SSL certificate; it is useful as a value for any property in this table. |
server | string | Specifies the LDAP server name. This is a required setting. |
memberScope | string | Specifies the scope of user lookup for a group. When the search returns a group, this attribute specifies whether to also look up the members of the group. The valid values are: |
membershipScope | string | Specifies the scope of group lookup for a user or a group. When the search returns a user or a group, this attribute specifies whether to also look up the groups to which this user or group belongs. The valid values are: |
type | string | Specifies a type of AAA LDAP item. This is a required setting. Valid values are auth and query. For LDAP query, the value is query. |
showExtendedError | boolean | Specifies whether to display the comprehensive error message generated by the authentication server on the user's Logon page. The default value is false. Setting the value to false displays only non-comprehensive error messages from the authentication server on the user's Logon page. Note: This setting is intended only for use in a test or debugging environment, not in production. If you enable this setting in a live environment, your system might be vulnerable to malicious attacks. |
nextItems | array | Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting. |
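The two tables above (Active Directory Query and LDAP Query) state several constraints a policy author can get wrong silently: required settings, the 1-5 range of maxLogonAttempt and maxPwdResetAttempt, the parenthesized filter syntax, the auth/query value of type, searchDn depending on filter, and showExtendedError being reserved for test environments. The following Python lint is an added example written for this page; it is not F5 code and not part of the BIG-IP Next Access product. The policy it checks is a constructed sample, and the server names corp-ad and corp-ldap are placeholders for AAA server objects.

```python
"""Lint AD/LDAP query items in a BIG-IP Next Access policy document.

Added example, not F5 code. It encodes the constraints the AD Query and
LDAP Query tables state and flags showExtendedError=true, which the tables
reserve for test environments. The policy below is constructed sample input.
"""

# Required settings per item type, as the two tables mark them.
REQUIRED = {
    "aaa-active-directory-query": ("server", "filter", "nextItems"),
    "aaa-ldap": ("server", "type", "nextItems"),
}
# Integer settings whose valid range the AD Query table gives as 1-5.
BOUNDED = ("maxLogonAttempt", "maxPwdResetAttempt")


def lint_item(item):
    """Return a list of findings for one policy item ([] means clean)."""
    kind = item.get("itemType")
    name = item.get("name", "<unnamed>")
    findings = []
    if kind not in REQUIRED:
        return findings  # not an AD/LDAP item; nothing to check here
    for key in REQUIRED[kind]:
        if key not in item:
            findings.append(f"{name}: missing required setting '{key}'")
    for key in BOUNDED:
        value = item.get(key)
        if value is not None and not 1 <= value <= 5:
            findings.append(f"{name}: {key}={value} is outside the valid range 1-5")
    filt = item.get("filter")
    if filt is not None and not (filt.startswith("(") and filt.endswith(")")):
        findings.append(f"{name}: filter must be enclosed in parentheses: {filt!r}")
    if kind == "aaa-ldap":
        if item.get("type") not in ("auth", "query"):
            findings.append(f"{name}: type must be 'auth' or 'query'")
        if "searchDn" in item and filt is None:
            findings.append(f"{name}: searchDn is set but filter is missing")
    if item.get("showExtendedError"):
        findings.append(
            f"{name}: showExtendedError is true; authentication server error "
            "details reach the logon page (test environments only)"
        )
    return findings


def lint_policy(policy):
    """Walk start -> nextItems recursively and lint every item reached."""
    findings = []
    seen = set()

    def visit(item):
        if id(item) in seen:
            return
        seen.add(id(item))
        findings.extend(lint_item(item))
        for nxt in item.get("nextItems", []):
            visit(nxt)

    visit(policy["policy"]["objectContent"]["start"])
    return findings


# Constructed sample policy: an AD query feeding an LDAP query, with three
# deliberate problems (maxLogonAttempt 7, showExtendedError true, searchDn
# without filter). Server names are placeholders.
SAMPLE_POLICY = {
    "policyType": "PerSession",
    "name": "ad_query_policy",
    "policy": {"objectContent": {"start": {
        "itemType": "aaa-active-directory-query",
        "name": "ad-query-1",
        "server": "corp-ad",
        "filter": "(sAMAccountName=%{session.logon.last.username})",
        "fetchNestedGroups": True,
        "maxLogonAttempt": 7,
        "showExtendedError": True,
        "nextItems": [
            {"itemType": "aaa-ldap", "name": "ldap-query-1", "type": "query",
             "server": "corp-ldap", "searchDn": "dc=example,dc=com",
             "attributeName": ["mail"],
             "nextItems": [
                 {"itemType": "allow", "name": "Allow", "caption": "Successful"},
                 {"itemType": "deny", "name": "Deny", "caption": "fallback"},
             ]},
        ],
    }}},
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run it against a policy JSON loaded with json.load before pushing the policy through the API; an empty list from lint_policy means every AD/LDAP item satisfies the constraints in the tables.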
Server-Side Items¶
In server-side items, the server queries clients and makes policy decisions based on information that a client presents to the server. These items do not require installation of client components.
Client Type¶
The Client Type item helps you identify the type of client that the user uses to connect to BIG-IP Next Access. This feature makes it possible to specify different actions for different client types in an access policy and to use one virtual server for traffic from various client types. The Client Type item presents a query to find out what type of client connects, and routes the client to the different policy branches based on the query results.
The Client Type item can check for the different clients using the session.client.type session variable in the expression parameter. Currently, clients such as IE, Mozilla, Safari, Firefox, Standalone, activesync, and CitrixReceiver are supported for the client check.
Note: This item is supported only for a per-session Access policy.
Example: The following example shows an Access policy with the Client Type configuration.
{
  "policyType": "PerSession",
  "name": "apssp1",
  "profileType": "ltm-apm",
  "scope": "global",
  "timeout": 11,
  "inactivityTimeout": 22,
  "policy": {
    "objectContent": {
      "languages": [ "en" ],
      "defaultLanguage": "en",
      "start": {
        "caption": "Fallback",
        "itemType": "client-type",
        "name": "client-type-config",
        "nextItems": [
          {
            "itemType": "allow",
            "expression": "expr {[mcget {session.client.type}] == \"mozilla\"}",
            "name": "Allow",
            "caption": "Successful"
          },
          {
            "itemType": "deny",
            "name": "Deny",
            "caption": "fallback"
          }
        ]
      }
    }
  }
}
The table below lists the objects for configuring the Client Type item.
Object | Type | Description |
---|---|---|
itemType | string | Specifies the BIG-IP Next Access policy item. For the Client Type item, the value is client-type. This is a required setting. |
name | string | Specifies the name of the BIG-IP Next Access policy item. |
caption | string | Specifies a human-readable description of the policy branch. |
expression | string | Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from the system memory using the Tcl command mcget. In the above example, the mcget command returns the data inside the session.client.type and checks the client type for Mozilla. The system evaluates the expression and assigns the value of the expression to a newly created variable. The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string. For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html. For a list of session variables, refer to Reference: Session Variables. |
nextItems | array | Specifies the different branches for the BIG-IP Next Access policy item. This is a required setting. |
IP Geolocation Match¶
The IP Geolocation Match item determines the client’s physical location by comparing the client’s IP address to an internal database. This item can be applied in an Access policy to restrict access to resources from certain geolocations. The IP Geolocation Match item can make a match based on one or more location conditions.
Refer to the following conditions and associated Access session variables for defining branch rules.
Location conditions | Session variable | Description |
---|---|---|
Continent code | session.user.ipgeolocation.continent | Specifies that the client's IP address must match the specified continent code. |
Country code | session.user.ipgeolocation.country_code | Specifies that the client's IP address must match the specified country code. |
Country name | session.user.ipgeolocation.country_name | Specifies that the client's IP address must match the specified country name. |
State/Region | session.user.ipgeolocation.state | Specifies that the client's IP address must match the specified region or state. |
BIG-IP Next Access compares the value the administrator configures with the value of the Access session variable listed in the Session variable column of the previous table. If the geolocation information determined from the IP address does not match the specified conditions, the per-session policy sends the user to the fallback branch.
Note: The IP Geolocation Match item is supported only for a per-session Access policy.
Example: The following example shows an Access policy with the IP Geolocation Match configuration.
{
  "policyType": "PerSession",
  "name": "ip_geolocation_policy",
  "profileType": "ltm-apm",
  "scope": "global",
  "timeout": 60,
  "inactivityTimeout": 900,
  "maxConcurrentUsers": 0,
  "secureCookie": false,
  "persistentCookie": false,
  "httpOnlyCookie": false,
  "samesiteCookie": false,
  "logoutUriInclude": "/index.php /another/logout.cgi",
  "logoutUriTimeout": 5,
  "useHttp503OnError": true,
  "policy": {
    "objectContent": {
      "defaultLanguage": "en",
      "languages": [
        "en",
        "de"
      ],
      "start": {
        "itemType": "ip-geolocation-lookup",
        "name": "Geolocation",
        "caption": "fallback",
        "nextItems": [
          {
            "itemType": "allow",
            "name": "Allow",
            "expression": "expr {[string tolower [mcget {session.user.ipgeolocation.country_code}]] == \"us\"}",
            "caption": "Success"
          },
          {
            "itemType": "deny",
            "name": "Deny",
            "caption": "fallback"
          }
        ]
      }
    }
  }
}
The table below lists the objects for configuring the IP Geolocation Match item.
Object | Type | Description |
---|---|---|
itemType | string | Specifies the BIG-IP Next Access policy item. For the IP Geolocation Match item, the value is ip-geolocation-lookup. This is a required setting. |
name | string | Specifies the name of the BIG-IP Next Access policy item. |
caption | string | Specifies a human-readable description of the policy branch. |
expression | string | Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, Access obtains session variables from the system memory using the Tcl command mcget. The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string. For example, "expression": "return {1800}", "expression": "return {Hello World}", "expression": "expr { "[mcget session.custom.value1] + [mcget session.custom.value2]" }", "expression": "expr { "[mcget {session.logon.last.domain}]\[mcget {session.logon.last.username}]" }", and "expression": "expr {1800}". For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html. For a list of session variables, refer to Reference: Session Variables. |
nextItems | array | Specifies the different branches for the BIG-IP Next Access policy item. This is a required setting. |
IP Subnet Match¶
The IP Subnet Match item determines whether the client IP address matches an IP subnet. You can use this item as a security check to check for a specific client IP subnet or restrict individual hosts’ IP addresses. You can have separate branch rules for subnets that match and a fallback branch for subnets that do not conform.
successful - Indicates that the client IP subnet matches the specified IP subnet. For a successful branch, you can add a Resource Assignment item to add a resource after the IP Subnet Match check.
fallback - Indicates that the client IP subnet does not match and the access is denied. You can add additional items in the fallback branch to write actions for non-matching IP subnets.
Note: The IP Subnet Match item is supported only for a per-session Access policy.
Example: The following example shows an Access policy with the IP Subnet Match configuration.
expression - The expression expr {[IP::addr [mcget {session.user.clientip}] equals \"10.0.0.0/8\"]} checks whether the client IP address falls within the subnet 10.0.0.0/8. Access is denied if the subnet does not match, and the policy takes the fallback branch.
{
  "policyType": "PerSession",
  "name": "apssp1",
  "profileType": "ltm-apm",
  "scope": "global",
  "timeout": 11,
  "inactivityTimeout": 22,
  "policy": {
    "objectContent": {
      "languages": [ "en" ],
      "defaultLanguage": "en",
      "start": {
        "caption": "Fallback",
        "itemType": "ip-subnet-match",
        "name": "ip-subnet-match-1",
        "nextItems": [
          {
            "itemType": "allow",
            "expression": "expr {[IP::addr [mcget {session.user.clientip}] equals \"10.0.0.0/8\"]}",
            "name": "Allow",
            "caption": "Successful"
          },
          {
            "itemType": "deny",
            "name": "Deny",
            "caption": "fallback"
          }
        ]
      }
    }
  }
}
The table below lists the objects for configuring the IP Subnet Match item:
Object | Type | Description |
---|---|---|
itemType | string | Specifies the BIG-IP Next Access policy item. For the IP Subnet Match item, the value is ip-subnet-match. This is a required setting. |
name | string | Specifies the name of the BIG-IP Next Access policy item. |
caption | string | Specifies a human-readable description of the policy branch. |
expression | string | Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, Access obtains session variables from the system memory using the Tcl command mcget. The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string. For example, "expression": "return {1800}", "expression": "return {Hello World}", "expression": "expr { "[mcget session.custom.value1] + [mcget session.custom.value2]" }", "expression": "expr { "[mcget {session.logon.last.domain}]\[mcget {session.logon.last.username}]" }", and "expression": "expr {1800}". For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html. For a list of session variables, refer to Reference: Session Variables. |
nextItems | array | Specifies the different branches for the BIG-IP Next Access policy item. This is a required setting. |
Landing URI¶
The landing URI is the actual landing address after the domain name; for example, for a Microsoft Outlook Web Access connection at http://www.siterequest.com/owa, the landing URI is /owa. The Landing URI item matches the configured landing URI with the landing URI the client entered to reach the access policy. You can have separate branch rules for each configured URI and a fallback branch for URIs that do not conform.
successful - Indicates that the user is connecting with a URI that matches a specified landing URI. For a successful branch, you can add a Resource Assignment item to add a resource after the landing URI check.
fallback - Indicates that the user is connecting with a different landing URI and the access is denied. You can add additional items in the fallback branch to write actions for non-matching landing URIs.
Note: The Landing URI item is supported only for a per-session Access policy.
Example: The following example shows an Access policy with the Landing URI configuration.
expression - The expression expr {[mcget {session.server.landinguri}] equals \"/uri1\"} checks whether the landing URI with which the user reached the Access policy matches the specified landing URI, in this case /uri1. Access is denied if the user connects with a different URI, and the policy takes the fallback branch.
{
  "policyType": "PerSession",
  "name": "apssp1",
  "profileType": "ltm-apm",
  "scope": "global",
  "timeout": 11,
  "inactivityTimeout": 22,
  "policy": {
    "objectContent": {
      "languages": [ "en" ],
      "defaultLanguage": "en",
      "start": {
        "caption": "Fallback",
        "itemType": "landing-uri",
        "name": "landing-uri-1",
        "nextItems": [
          {
            "itemType": "allow",
            "expression": "expr {[mcget {session.server.landinguri}] equals \"/uri1\"}",
            "name": "Allow",
            "caption": "Successful"
          },
          {
            "itemType": "deny",
            "name": "Deny",
            "caption": "fallback"
          }
        ]
      }
    }
  }
}
The table below lists the objects for configuring the Landing URI item:
Object | Type | Description |
---|---|---|
itemType | string | Specifies the BIG-IP Next Access policy item. For the Landing URI item, the value is landing-uri. This is a required setting. |
name | string | Specifies the name of the BIG-IP Next Access policy item. |
caption | string | Specifies a human-readable description of the policy branch. |
expression | string | Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, Access obtains session variables from the system memory using the Tcl command mcget. The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string. For example, "expression": "return {1800}", "expression": "return {Hello World}", "expression": "expr { "[mcget session.custom.value1] + [mcget session.custom.value2]" }", "expression": "expr { "[mcget {session.logon.last.domain}]\[mcget {session.logon.last.username}]" }", and "expression": "expr {1800}". For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html. For a list of session variables, refer to Reference: Session Variables. |
nextItems | array | Specifies the different branches for the BIG-IP Next Access policy item. This is a required setting. |
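The four server-side items above (Client Type, IP Geolocation Match, IP Subnet Match and Landing URI) all follow the same pattern: the start item lists branches in nextItems, each allow branch carries a Tcl expression over an mcget session variable, and the deny branch with no expression is the fallback. The following Python walker is an added example written for this page, not F5 code and not an implementation of the BIG-IP Next Access Tcl engine; it recognizes only the four expression shapes the examples on this page use and refuses anything else rather than guessing. The subnet policy it loads is the page's IP Subnet Match example, and the session variable values are constructed samples.

```python
"""Offline walk of a BIG-IP Next Access per-session policy (added example).

Not F5 code. The evaluator supports only the branch-rule shapes that appear
in the Client Type, IP Geolocation Match, IP Subnet Match and Landing URI
examples on this page (assumption: nothing else is needed):
  expr {[mcget {VAR}] == "VALUE"}
  expr {[string tolower [mcget {VAR}]] == "VALUE"}
  expr {[mcget {VAR}] equals "VALUE"}
  expr {[IP::addr [mcget {VAR}] equals "CIDR"]}
Any other rule raises, so an unsupported rule is never treated as allow.
"""
import ipaddress
import json
import re

_EQ = re.compile(r'^expr \{\[mcget \{([\w.]+)\}\] (?:==|equals) "([^"]*)"\}$')
_LOWER_EQ = re.compile(r'^expr \{\[string tolower \[mcget \{([\w.]+)\}\]\] == "([^"]*)"\}$')
_SUBNET = re.compile(r'^expr \{\[IP::addr \[mcget \{([\w.]+)\}\] equals "([^"]*)"\]\}$')


def evaluate(expression, session):
    """Return True/False for one branch rule against a session-variable dict."""
    m = _LOWER_EQ.match(expression)
    if m:
        var, value = m.groups()
        return session.get(var, "").lower() == value  # value is compared as written
    m = _EQ.match(expression)
    if m:
        var, value = m.groups()
        return session.get(var, "") == value
    m = _SUBNET.match(expression)
    if m:
        var, cidr = m.groups()
        addr = session.get(var)
        if addr is None:
            return False  # no client IP in the session: never a subnet match
        return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)
    raise ValueError(f"unsupported branch rule: {expression}")


def walk(policy, session):
    """Follow the policy from its start item and return the terminal itemType.

    Branches are tried in nextItems order; the first whose rule is true wins,
    and a branch with no expression is the fallback.
    """
    item = policy["policy"]["objectContent"]["start"]
    while item["itemType"] not in ("allow", "deny"):
        for branch in item["nextItems"]:
            rule = branch.get("expression")
            if rule is None or evaluate(rule, session):
                item = branch
                break
        else:
            return "deny"  # no branch matched and no fallback was defined
    return item["itemType"]


# The page's IP Subnet Match example, trimmed to the fields the walker reads.
# Kept as JSON text so the \" escaping inside the expression is shown as it
# must appear in the policy document.
SUBNET_POLICY_JSON = r'''
{
  "policyType": "PerSession",
  "name": "apssp1",
  "policy": {"objectContent": {"start": {
    "itemType": "ip-subnet-match",
    "name": "ip-subnet-match-1",
    "caption": "Fallback",
    "nextItems": [
      {"itemType": "allow", "name": "Allow", "caption": "Successful",
       "expression": "expr {[IP::addr [mcget {session.user.clientip}] equals \"10.0.0.0/8\"]}"},
      {"itemType": "deny", "name": "Deny", "caption": "fallback"}
    ]
  }}}
}
'''
SUBNET_POLICY = json.loads(SUBNET_POLICY_JSON)

if __name__ == "__main__":
    # Constructed sample client addresses, one inside and one outside 10.0.0.0/8.
    for ip in ("10.20.30.40", "192.168.1.5"):
        print(ip, "->", walk(SUBNET_POLICY, {"session.user.clientip": ip}))
```

Two behaviours worth checking with this walker before a policy goes live: a session with no value for the variable (an empty session dict) must end on the deny fallback, and a string tolower rule only ever matches a lowercase literal, so comparing the lowered country code against "US" would send every US client to the fallback branch.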