Authentication rules

The authentication rules support assigning resources (such as credentials) to session variables.

The following authentication rules are included with BIG-IP Next Central Manager.

Active Directory Authentication

This rule allows for the authentication of clients in a Microsoft Active Directory (AD) environment and supports both Kerberos-based authentication and password management functionality. To complete the authentication process, you need to use a logon page or other method to collect user credentials before this rule is executed. Additionally, if desired, an AD Query rule can be used to retrieve additional details (such as group membership) regarding the client’s account.

Rule Properties

This page displays when you first begin to configure this rule in the VPD workspace.

Field Description
Name Specify the name of the Active Directory (AD) rule. You can specify a name, or use the name that auto-generates when you insert the rule into the policy.
Cross Domain Support
Complexity Check for Password Reset
Show Extended Error
Max Logon Attempts Allowed
Max Password Reset Attempts Allowed

Server Properties

This page displays when you click Start Creating on the Active Directory Server page.

Field Description
Name Specify the name of the AD server. You can specify a name, or use the name that auto-generates when you start creating an AD server.
Domain Specify the Windows domain name. This is a required setting.
Timeout Specify the number of seconds allowed to reach the Active Directory server initially. The default value is 15.
Group Cache Lifetime Specify the lifetime of a group cache, in days. The default lifetime is 30 days. This means that BIG-IP Next Access refreshes the Active Directory group cache every 30 days.
Password Security Object Lifetime Specify the lifetime of the Password Security Object (PSO) cache. The default lifetime is 30 days.
Admin Username Specify the administrator name that has Active Directory administrative permissions.
Admin Password Specify the administrator password associated with the Domain Name.
Verify Admin Password Verify the administrator password associated with the Domain Name.
KDC Validation Select to enable Kerberos KDC Validation. The default value is disabled. When selected, you must specify a keytab file. The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller and is responsible for authenticating users. The KDC validation allows you to prevent a KDC spoofing attack. You configure a KDC validation by importing a keytab file that you exported from the Kerberos KDC. When you enable the KDC validation, after obtaining the ticket-granting ticket (TGT) and validating the user, BIG-IP Next requests a service ticket on behalf of the user. It validates the returned service ticket against the secret key for the KDC, which is stored in a keytab file. When the validation with the keytab file fails, the KDC server is considered untrusted, and the user is not authenticated.

Client Certificate Inspection

This rule allows you to check the result of client certificate authentication by the Local Traffic Client SSL Profile.

When you use this rule, you configure fields on a number of pages. Each page is documented separately.

Rule Properties

This page displays when you first begin to configure this rule in the VPD workspace.

Field Description
Name Specify the name of the rule. You can specify a name, or use the name that auto-generates when you start creating a Client Certificate Inspection rule.

CRLDP Authentication

Certificate Revocation List Distribution Point (CRLDP) authentication retrieves a Certificate Revocation List (CRL) from a network location (distribution point). A distribution point is either an LDAP Uniform Resource Identifier (URI), a directory path that identifies the location where the CRLs are published, or a fully qualified HTTP URL.

When you use this rule, you configure fields on a number of pages. Each page is documented separately.

Rule Properties

This page displays when you first begin to configure this rule in the VPD workspace.

Field Description
Name Specify the name of the CRLDP rule. You can specify a name, or use the name that auto-generates when you start creating the rule.

Responder

This page displays when you click Continue on the Rule Properties page.

Field Description
Name Specify the name of the responder. You can specify a name, or use the name that auto-generates when you start creating the responder.
Cache Expiration Specify the number of seconds a certificate revocation list (CRL) is cached. The default value is 86400 seconds.
Use Issuer Specify whether the system extracts the CRL distribution point from the certificate of the client certificate issuer. When enabled, BIG-IP Next uses the CRLDP information provided by the issuer certificate instead of the client certificate. The default value is false.
Allow Null Certificate Revocation Lists (CRL) Specify whether a null CRL from the CRLDP server is considered a successful authentication. The default value is false.
Verify Signature Specify whether the signature on the received CRL is verified. The default value is true.
Note: This parameter value should be enabled when using LDAP or HTTP to fetch the CRL.
Connection Timeout Specify the number of seconds of inactivity to allow before the connection times out. The default value is 15. This parameter does not apply if you specify the source parameter value as an endpoint in the serverConnection object.
Mode Specify how BIG-IP Next connects to the AAA CRLDP server. The source parameter in this object specifies the mode of server connection. You can choose the following configuration modes based on how BIG-IP Next connects to the AAA CRLDP server:
  • Server Endpoint: Specifies an endpoint to create a pool of server connections for High Availability.
  • Server Certificate: Specifies a fully qualified HTTP or LDAP URL from the user/issuer certificate for the CRL location.
Service Port Specify the CRLDP service port. The default value is 389.
Base Distinguished Name (DN) Specify a CRLDP base distinguished name for certificates that specify the CRL distribution point in the directory name (dirName) format. BIG-IP Next Access uses Base DN when the value of the X509v3 attribute crlDistributionPoints is of type dirName and tries to match the value of the crlDistributionPoints attribute to the Base DN value. An example of a Base DN value is cn=lxxx,dc=f5,dc=com.
Reverse Distinguished Name (DN) Specify which order BIG-IP Next Access should use when it attempts to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. When enabled, BIG-IP Next Access matches the base DN from left to right or from the beginning of the DN string to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. The default value is disabled.
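The Base DN and Reverse DN matching described above, as an added illustration that is not BIG-IP Next code. It assumes that the default comparison anchors the Base DN at the end of the certificate's dirName (cn=xxx,ou=f5,dc=f5,dc=com against dc=f5,dc=com), that Reverse DN anchors it at the beginning (c=us,st=wa,l=sea,ou=f5,cn=xxx), and that RDN names and values compare case-insensitively; the sample distribution points and URL are constructed.

```python
"""Match a certificate's crlDistributionPoints dirName against a CRLDP Base DN.

Added illustration, not BIG-IP Next code. Assumed behaviour: default matching
anchors the Base DN at the end of the dirName, Reverse DN anchors it at the
beginning, comparison is case-insensitive. Escaped commas (backslash-comma)
inside RDN values are not handled by this simple splitter.
"""
from typing import List, Tuple

Rdn = Tuple[str, str]


def parse_dn(dn: str) -> List[Rdn]:
    """Split 'cn=a,dc=b' into [('cn', 'a'), ('dc', 'b')], normalised to lower case."""
    rdns: List[Rdn] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def base_dn_matches(dir_name: str, base_dn: str, reverse: bool = False) -> bool:
    """True when base_dn is a suffix (default) or prefix (reverse) of dir_name."""
    cert, base = parse_dn(dir_name), parse_dn(base_dn)
    if not base or len(base) > len(cert):
        return False
    if reverse:
        # Reverse DN: match from the beginning of the DN string.
        return cert[: len(base)] == base
    # Default: match from the end of the DN string.
    return cert[len(cert) - len(base):] == base


def select_distribution_points(points: List[Tuple[str, str]], base_dn: str,
                               reverse: bool = False) -> List[str]:
    """Pick the CRL locations to try from a certificate's crlDistributionPoints,
    given as (kind, value) pairs with kind 'uri' or 'dirName'. Fully qualified
    HTTP/LDAP URIs pass through; dirName entries are kept only when they match
    the Base DN in the configured order."""
    chosen: List[str] = []
    for kind, value in points:
        if kind == "uri":
            chosen.append(value)
        elif kind == "dirName" and base_dn_matches(value, base_dn, reverse):
            chosen.append(value)
    return chosen


# Constructed sample crlDistributionPoints entries for a quick manual run.
SAMPLE_POINTS = [
    ("uri", "http://crl.example.com/ca.crl"),
    ("dirName", "cn=crl1,dc=f5,dc=com"),
    ("dirName", "cn=crl2,dc=other,dc=com"),
]

if __name__ == "__main__":
    print(select_distribution_points(SAMPLE_POINTS, "dc=f5,dc=com"))
```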

Kerberos Authentication

Authenticates clients based on their Kerberos ticket, which is obtained and validated each time a request is made. This slightly differs from most authentication rules, which only validate credentials during policy execution. You can disable the Request Based Authentication option to configure Kerberos authentication to occur only during policy execution. Note that an HTTP 401 Response rule must precede the Kerberos Authentication rule to collect the Kerberos ticket information.

To configure Kerberos Authentication, you must create a Kerberos AAA server and authentication objects.

When you use this rule, you configure fields on a number of pages. Each page is documented separately.

Rule Properties

This page displays when you first begin to configure this rule in the VPD workspace.

Field Description
Name Specify the name of the Kerberos rule. You can specify a name, or use the name that auto-generates when you start creating a Kerberos rule.
Request Based Authentication Specify whether per request based authentication is enabled. When disabled, authentication occurs only while executing the BIG-IP Next Access policy. The default value is false.
Max Logon Attempts Allowed Specify the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3.

Server Properties

This page displays when you click Start Creating on the Kerberos Server page.

Field Description
Name Specify the name of the Kerberos server. You can specify a name, or use the name that auto-generates when you start creating a Kerberos server.
Service Principal Name Format Specify the service principal name format for the Kerberos AAA server. Valid values are:
  • host-based-service
  • krb5-nt-principal-name
All existing Kerberos AAA servers are host-based services by default. Use krb5-nt-principal-name for VMware View clients.
Service Name Specify the Kerberos service name; for example, HTTP. This is a required setting.
Authentication Realm Specify the Kerberos authentication realm name (administrative name), such as testbed.lab.companynet.com. This is a required setting.
Keytab File Specify the name of the keytab file that contains the Kerberos encrypted keys. These are derived from the Kerberos password. It contains the service keys that the server uses to authenticate the client. This is a required setting.

LDAP Authentication

To configure LDAP authentication, you must create an LDAP AAA server and Authentication rule. To query the external LDAP server for additional information about the user, configure LDAP query objects.

For instructions and examples on configuring LDAP Authentication, refer to How to: Configure LDAP Authentication policies using BIG-IP Central Manager.

Rule Properties

Field Description
Search DN Specify the base domain name that BIG-IP Next Access uses for internal LDAP search operations. You must use this object with the filter object. For example, session.ssl.cert.last.cn - Uses the user CN from the SSL certificate. Useful as a value for any property in this table.
Search filter Specify the search criteria to use when querying the LDAP server for the user’s information. When entering a string, use parentheses. For example, (sAmAccountName=%{session.logon.last.username}) or (sAmAccountName=%{subsession.logon.last.username}) - Populates the filter parameter with the username from the current session.
UserDn Specify the name (in distinguished name (DN) format) that represents the user on the backend LDAP server.
Show Extended Error Specify whether to display a comprehensive error message generated by the authentication server on the user’s Logon page. The default value is false. Setting the value to false displays non-comprehensive error messages generated by the authentication server on the user’s Logon page.
Note: This setting is intended only for use in a testing or debugging environment, not in production. If you enable this setting in a live environment, your system might be vulnerable to malicious attacks.
Max Logon Attempts Allowed Specify the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3.
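How a Search filter template such as (sAmAccountName=%{session.logon.last.username}) is expanded from session variables, as an added example that is not BIG-IP Next code. It assumes the %{name} placeholder syntax shown above and applies RFC 4515 escaping to every substituted value so that a username containing filter metacharacters stays a literal; whether the product itself escapes substituted values is not stated on this page and should be verified rather than assumed. The session values are constructed.

```python
"""Expand an LDAP search filter template from session variables, escaping values.

Added example, not BIG-IP Next code. Assumes the %{name} placeholder syntax
from the Search filter description; RFC 4515 escaping of substituted values is
applied here as the defensive behaviour one would want and verify.
"""
import re
from typing import Dict

_PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9_.\-]+)\}")


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: NUL, '(', ')', '*' and backslash become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\x00()*\\" else ch for ch in value)


def check_filter_syntax(template: str) -> None:
    """Enforce the page's rule that a filter is written in parentheses, and that
    every '(' is balanced by a matching ')'."""
    if not (template.startswith("(") and template.endswith(")")):
        raise ValueError("search filter must be enclosed in parentheses")
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in search filter")
    if depth != 0:
        raise ValueError("unbalanced '(' in search filter")


def expand_filter(template: str, session: Dict[str, str]) -> str:
    """Replace each %{var} with the escaped session value. A missing or empty
    variable is an error rather than silently yielding (attr=)."""
    check_filter_syntax(template)

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in session or session[name] == "":
            raise KeyError(f"session variable missing or empty: {name}")
        return escape_filter_value(session[name])

    return _PLACEHOLDER.sub(substitute, template)


# Constructed session variables for a manual run; not captured from a real system.
SAMPLE_SESSION = {
    "session.logon.last.username": "j.doe",
    "session.ssl.cert.last.cn": "J. Doe",
}

if __name__ == "__main__":
    print(expand_filter("(sAmAccountName=%{session.logon.last.username})", SAMPLE_SESSION))
    print(expand_filter("(cn=%{session.ssl.cert.last.cn})", SAMPLE_SESSION))
```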

Server Properties

This page displays when you are creating an LDAP rule and click Start Creating on the Rule Properties page.

Field Description
Name Specify the name of the AAA LDAP server. This is a required setting.
Base Search DN Specify the base DN from which to search. This search DN is used to search groups across a whole directory.
Admin DN Specify the Distinguished Name (DN) of the user with administrator rights. This is a required setting.
Admin Password Specify the admin password for the LDAP server. This is a required setting.
Timeout Specify a timeout interval (in seconds) for the AAA server after which the server closes a connection. The default value is 15.
Group Cache Lifetime Specify a lifetime for the group cache in days. The default value is 30.
Pool Monitor Specify a monitor to track the health of your AAA LDAP server.
ICMP pool monitor Specify the ICMP monitor settings that make a simple node check. The check is successful if the monitor receives a response to an ICMP_ECHO datagram. Specify the following parameters in this object:
  • interval: Specify the monitor check frequency. Type - integer
  • timeout: Specify the time in which the target must respond to the monitor request. Type - integer.
TCP pool monitor Verify the Transmission Control Protocol (TCP) service by attempting to receive specific content from a resource. The check is successful when the content matches the value of the Receive String setting. Specify the following parameters in this object:
  • interval: Specify the monitor check frequency. Type - integer.
  • timeout: Specify the time in which the target must respond to the monitor request. Type - integer.
  • sendString: Specify the text string to send to the target. You must include \r\n at the end of a non-empty send string. The default setting is GET /\r\n, which retrieves a default HTML file for a web site. To retrieve a specific page from a web site, specify a fully-qualified path name, for example, GET /www/siterequest/index.html\r\n.
  • receiveString: Specify the text string that the monitor looks for in the returned resource. For example, for the receive string value , the monitor searches for a standard HTML tag.
    You can also use the default null receive string value [""]. In this case, any content retrieved is considered a match. If both the sendString and receiveString objects are empty, only a simple connection check is performed.
  • receiveDisableString: Specify the text string that the monitor looks for in the returned resource. This setting works similarly to receiveString, except that the target (the node or pool member) is disabled when its response matches the receiveString value.
LDAPS Specify whether to use the LDAPS protocol during authentication. The default value is No. When set to Yes, you must also specify the TLS Cipher String.
TLS Cipher String Specify the cipher string to use for server-side SSL communications. The default value is DEFAULT.
TLS Options Specify the TLS version that needs to be enabled.

Schema Properties

This page displays when you are creating an LDAP server and click Save & Continue on the Server Properties page.

Field Description
User Object Class Specify the value of the objectClass attribute for a user object. The default value is user.
User Membership If the user object maintains a group membership, specify the value of the membership attribute. The default value is memberOf.
Group Object Class Specify the value of the objectClass attribute for a group object. The default value is group.
Group Membership If the group object maintains membership in other groups, specify the value of the membership attribute. The default value is memberOf.
Group Member If the group object maintains a list of users that belong to it, specify the value of its attribute. The default value is member.
Group Member Value If the Group Member attribute is specified, use this field to specify the attribute that is used to add users to a group. The default value is dn.

OCSP Authentication

Online Certificate Status Protocol (OCSP) authentication provides a more efficient means to validate a certificate by directly querying a trusted OCSP responder over HTTP for the current status of the specific certificate presented by the client.

Rule Properties

This page displays when you first begin to configure this rule in the VPD workspace.

Field Description
Name Specify the name of the rule. You can specify a name or use the name that auto-generates when you start creating an OCSP Authentication rule.

Responder

This page displays when you click Save & Continue on the Rule Properties tab. Select Show advanced fields to display all options.

Field Description
Name Specify the name of the OCSP responder server. You can specify a name or use the name that auto-generates.
URL Specify the URL used to contact the OCSP service on the responder.
Certificate Authority File Specify the name of the file that contains the trusted CA certificates used to verify the signature on the OCSP response. This is a required setting.
Validity Period Specify an acceptable error range (in seconds) for the time tolerated in an OCSP response. Each certificate status response includes a notBefore time and an optional notAfter time, and the current time should fall between these two values. This setting is used when the OCSP responder and client clocks are not synchronized, which could cause a certificate status check to fail. The default value is 300.
Status Age Specify a time (in seconds) to compare to the notBefore time of an OCSP response. Each certificate status response includes a notBefore time and an optional notAfter time. This property is used when the status response does not include the notAfter time. The value of statusAge should be more than the notBefore time. The default value is 0.
CertID Digest Specify the algorithm for converting the client certificate and its issuer certificate to an OCSP cert ID. The cert ID is added to the OCSP request.
Verify Other Specify the file name used to search for an OCSP response signing certificate when the certificate has been omitted from the response.
VA File Specify the name of the file that contains explicitly-trusted responder certificates. This parameter is required when the responder is not covered by the certificates that are already loaded into the responder's CA store.
Signer Specify the certificate name used to sign an OCSP request. If the signer is specified, but the signkey is not specified, then the private key is read from the same file as the certificate. The request is not signed if neither the signer nor the signkey is specified. If only the signkey is specified, then the configuration is considered invalid.
Ignore AIA Select this option to ignore the URL in the certificate's AIA fields and use the URL the responder specifies. The default value is false.
Trust Other Select this option to trust the certificates specified in the verifyOther setting. The default value is false.
Allow Certificates Select this option to allow the addition of certificates to an OCSP request. The default value is true.
Verify Select this option to verify an OCSP response signature or the nonce value. The default value is true.
Intern Select this option to look internally in the OCSP response for the signer's certificate. The default value is true.
Verify Signature Select this option to check the signature on the OCSP response. The default value is true.
Verify Certificate Select this option to verify the certificate in the OCSP response. The default value is true.
Certificate Chain Select this option to construct a certificate chain in the OCSP response. The default value is true.
Check Certificates Select this option to make additional checks to verify that the signer's certificate is authorized to provide the required status information. The default value is true.
Explicit OCSP Select this option to explicitly trust that the OCSP signer's certificate is authorized for OCSP response signing. The default value is true.
Note: The X509 certificate has several extensions, one of which indicates whether the certificate can be used for signing. If this parameter is enabled, but the signer's certificate does not contain the OCSP signing extension field, BIG-IP Next Access does not trust the response.
Nonce Select this option to add a nonce extension to OCSP requests. The default value is true.
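The Validity Period and Status Age checks from the responder table above, as an added example that is not BIG-IP Next code. It uses the page's names notBefore and notAfter (thisUpdate and nextUpdate in RFC 6960) and assumes that Validity Period is a clock-skew tolerance applied at both ends of the window and that Status Age bounds the age of a response with no notAfter; treating a Status Age of 0 as "no age limit" is this example's interpretation, not something the page states. The reference clock and timestamps are constructed.

```python
"""Accept or reject an OCSP single response under Validity Period and Status Age.

Added example, not BIG-IP Next code. Assumptions: Validity Period is applied as
a tolerance on both notBefore and notAfter; Status Age only applies when notAfter
is absent, and a Status Age of 0 is interpreted as "no age limit".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class OcspStatus:
    not_before: datetime            # when the responder produced this status
    not_after: Optional[datetime]   # when newer status is expected; may be absent


def check_validity(resp: OcspStatus, now: datetime,
                   validity_period: int = 300, status_age: int = 0) -> Tuple[bool, str]:
    """Return (accepted, reason). All datetimes must be timezone-aware."""
    tol = timedelta(seconds=validity_period)
    # A notBefore further in the future than the tolerance means the clocks
    # disagree by more than we allow (or the response is not yet valid).
    if resp.not_before > now + tol:
        return False, "status not yet valid: notBefore is later than now + tolerance"
    if resp.not_after is not None:
        if resp.not_after < resp.not_before:
            return False, "malformed: notAfter precedes notBefore"
        if resp.not_after < now - tol:
            return False, "status expired: notAfter is earlier than now - tolerance"
        return True, "within the notBefore/notAfter window (tolerance applied)"
    # No notAfter: the responder gave no freshness bound, so Status Age supplies one.
    if status_age > 0 and now - resp.not_before > timedelta(seconds=status_age):
        return False, "status too old: no notAfter and age exceeds Status Age"
    return True, "accepted without notAfter (Status Age not exceeded)"


# Constructed reference clock used by the helper below and by the demo.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def status(not_before_offset: int, not_after_offset: Optional[int]) -> OcspStatus:
    """Build a constructed status whose times are second offsets from NOW."""
    not_after = None if not_after_offset is None else NOW + timedelta(seconds=not_after_offset)
    return OcspStatus(NOW + timedelta(seconds=not_before_offset), not_after)


if __name__ == "__main__":
    # Responder clock 2 minutes ahead: accepted under the default 300 s tolerance.
    print(check_validity(status(120, 3600), NOW))
    # Two-day-old response with no notAfter: rejected once Status Age is one day.
    print(check_validity(status(-2 * 86400, None), NOW, status_age=86400))
```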

On-Demand Client Certificate Authentication

The On-Demand Client Certificate Authentication rule allows you to request and validate SSL certificates on demand. Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. You can configure a client SSL profile to skip the initial SSL handshake and add the On-Demand Certificate Authentication item to the Access policy to re-negotiate the SSL connection later. You can use an On-Demand Client Cert Authentication rule in scenarios where all employees gain access to the network, but a few employees gain access to servers with sensitive information.

Rule Properties

This page displays when you first begin to configure this rule in the VPD workspace.

Field Description
Name You can specify a name for this rule, or use the name that auto-generates when you insert the rule into the policy.
Authentication Mode Specify the mode of authentication. The default value is request. The valid values are:
  • require: With this mode, it is required that a client provides a valid certificate. If the client does not provide a valid certificate, the connection terminates, and the client's browser stops responding.
  • request: With this mode, BIG-IP Next requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, this action takes the fallback route in the Access policy.

RADIUS Authentication

Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides centralized authentication, authorization, and accounting management. RADIUS is a popular method for leveraging some multifactor authentication services such as One-Time Passwords (OTP).

To configure RADIUS Auth, you must create authentication objects and a RADIUS AAA server.

Rule Properties

The table below lists the objects for configuring RADIUS authentication objects. The Rule Properties page appears when you start editing a RADIUS Authentication rule:

Object Description
Name Specify the name of the Access policy rule.
Show Extended Error Specify whether to display a comprehensive error message generated by the authentication server on the user's logon page.
Note: This object is intended only for use in a testing or debugging environment, not in production. Your system might be vulnerable to malicious attacks if set to Enabled in a live environment. When set to Disabled, it displays non-comprehensive error messages on the user's logon page. The default value is Disabled.
Max Logon Attempts Allowed Specify the number of user authentication logon attempts to allow. This setting limits the times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response are considered as one attempt. The default value is 3. The valid values are 1-5.
Username Source Specify the session variable name from which the RADIUS item should read the username. The default value is %{session.logon.last.username}.
Password Source Specify the session variable name from which the RADIUS item should read the password. The default value is %{session.logon.last.password}.

RADIUS Server

The table below lists the objects for configuring a RADIUS server. The RADIUS Server page appears after you save the Rule Properties settings and then click Start Creating on the RADIUS Server page:

Object Description
Name Specify the name of the RADIUS AAA server. This is a required setting.
Secret Specify the shared secret password for your RADIUS AAA server. This is a required setting.
Verify Secret Verify the shared secret password for your RADIUS AAA server. This is a required setting.
Service Type Specify the type of service you use on the RADIUS server. Service types are specific to your RADIUS implementation. If you retain the default value, the service type is set to authenticate-only. The valid values are:
  • administrative: The user should be granted access to the administrative interface of the NAS from which privileged commands can be executed.
  • authenticate-only: Only Authentication is requested, and no authorization information needs to be returned in the Access-Accept.
  • call-check: Used by the NAS in an Access-Request packet to indicate that a call is being received and that the RADIUS server should send back an Access-Accept to answer the call or an Access-Reject to not accept the call, typically based on the Called-Station-Id or Calling-Station-Id attributes.
  • callback-administrative: The user should be disconnected and called back, then granted access to the administrative interface to the NAS from which privileged commands can be executed.
  • callback-framed: The user should be disconnected and called back, then a Framed Protocol should be started for the user.
  • callback-login: The user should be disconnected and called back, then connected to a host.
  • callback-nas-prompt: The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed.
  • default: The service type is set to authenticate-only.
  • framed: A Framed Protocol, such as PPP or SLIP, should be started for the user.
  • login: The user should be connected to a host.
  • nas-prompt: The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
  • outbound: The user should be granted access to outgoing devices.
Character Set Specify the character encoding used for the user name and password. The default value is cp1252. The valid values are:
  • cp1252: The RADIUS Authentication item decodes the username and password into CP-1252 before sending it to the RADIUS server.
  • utf8: The RADIUS Authentication item sends the username and password unmodified.
NAS Identifier Specify the string used to identify the NAS that originates the access request.
NAS IP Address Specify an IPv4 address to identify the NAS in dotted quad notation using the default zone.
NAS IPv6 Address Specify an IPv6 address to identify the NAS represented as either a full address, shortened or mixed-shortened formats, using the default zone.
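How the RADIUS Server settings above (Service Type, Character Set, NAS Identifier, NAS IP Address, NAS IPv6 Address) land in an Access-Request packet, as an added example that is not BIG-IP Next code. The attribute type codes and the User-Password hiding scheme come from RFC 2865 and RFC 3162; the mapping of this page's service-type names to their numeric values follows RFC 2865 section 5.6, and the shared secret, authenticator and NAS values are constructed.

```python
"""Encode a RADIUS Access-Request (RFC 2865) from the settings on this page.

Added example, not BIG-IP Next code. Attribute codes: RFC 2865 (User-Name 1,
User-Password 2, NAS-IP-Address 4, Service-Type 6, NAS-Identifier 32) and
RFC 3162 (NAS-IPv6-Address 95). Character Set follows the page: cp1252 re-encodes
the username and password, utf8 sends them unmodified.
"""
import hashlib
import ipaddress
import struct
from typing import List, Optional, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_NAS_IDENTIFIER, ATTR_NAS_IPV6_ADDRESS = 6, 32, 95

# RFC 2865 section 5.6 Service-Type values, keyed by this page's option names.
SERVICE_TYPE = {
    "login": 1, "framed": 2, "callback-login": 3, "callback-framed": 4,
    "outbound": 5, "administrative": 6, "nas-prompt": 7, "authenticate-only": 8,
    "callback-nas-prompt": 9, "call-check": 10, "callback-administrative": 11,
    "default": 8,  # the page states the default resolves to authenticate-only
}


def _attr(attr_type: int, value: bytes) -> bytes:
    """One TLV: type, total length (value plus 2 header bytes), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it; strips NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes, *,
                         identifier: int, authenticator: bytes,
                         service_type: str = "default", charset: str = "cp1252",
                         nas_identifier: Optional[str] = None,
                         nas_ip: Optional[str] = None,
                         nas_ipv6: Optional[str] = None) -> bytes:
    """Assemble header (code, id, length, 16-byte Request Authenticator) and attributes."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 random bytes")
    codec = {"cp1252": "cp1252", "utf8": "utf-8"}[charset]
    attrs = _attr(ATTR_USER_NAME, username.encode(codec))
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password.encode(codec), secret, authenticator))
    attrs += _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE[service_type]))
    if nas_identifier:
        attrs += _attr(ATTR_NAS_IDENTIFIER, nas_identifier.encode("utf-8"))
    if nas_ip:
        attrs += _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    if nas_ipv6:
        attrs += _attr(ATTR_NAS_IPV6_ADDRESS, ipaddress.IPv6Address(nas_ipv6).packed)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs after the 20-byte header, checking the length field first."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 3 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs
```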