Authentication rules¶
The authentication rules support assigning resources (such as credentials) to session variables.
The following assignment rules are included with BIG-IP Next Central Manager.
Active Directory Authentication¶
This rule allows for the authentication of clients in a Microsoft Active Directory (AD) environment and supports both Kerberos-based authentication and password management functionality. To complete the authentication process, you need to use a logon page or other method to collect user credentials before this rule is executed. Additionally, if desired, an AD Query rule can be used to retrieve additional details (such as group membership) regarding the client’s account.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the Active Directory (AD) rule. You can specify a name, or use the name that auto-generates when you insert the rule into the policy. |
Cross Domain Support | Specify whether AD cross domain authentication support is enabled. This setting is optional. |
Complexity Check for Password Reset | Specify whether BIG-IP Next Access performs a password policy check. The default value is Disabled. Access supports the following Active Directory password policies: |
Show Extended Error | Specify whether to display comprehensive error messages generated by the authentication server on the user's Logon page. The default value is Disabled. When disabled, non-comprehensive error messages generated by the authentication server display on the user's logon page. When enabled, comprehensive error messages generated by the authentication server display on the user's logon page. This setting is intended only for use in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. |
Max Logon Attempts Allowed | Specify the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3. The valid value range is 1-5. |
Max Password Reset Attempts Allowed | Specify the number of times to allow a user to try to reset their password. The default value is 3. The valid value range is 1-5. |
Server Properties
This page displays when you click Start Creating on the Active Directory Server page.
Field | Description |
---|---|
Name | Specify the name of the AD server. You can specify a name, or use the name that auto-generates when you start creating an AD server. |
Domain | Specify the Windows domain name. This is a required setting. |
Timeout | Specify the number of seconds to allow for the initial connection to the Active Directory server. The default value is 15. |
Group Cache Lifetime | Specify the lifetime of a group cache, in days. The default lifetime is 30 days. This means that BIG-IP Next Access refreshes the Active Directory group cache every 30 days. |
Password Security Object Lifetime | Specify the lifetime of the Password Security Object (PSO) cache. The default lifetime is 30 days. |
Admin Username | Specify the administrator name that has Active Directory administrative permissions. |
Admin Password | Specify the administrator password associated with the Domain Name. |
Verify Admin Password | Verify the administrator password associated with the Domain Name. |
KDC Validation | Select to enable Kerberos KDC Validation. The default value is disabled. When selected, you must specify a keytab file. The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller and is responsible for authenticating users. The KDC validation allows you to prevent a KDC spoofing attack. You configure a KDC validation by importing a keytab file that you exported from the Kerberos KDC. When you enable the KDC validation, after obtaining the ticket-granting ticket (TGT) and validating the user, BIG-IP Next requests a service ticket on behalf of the user. It validates the returned service ticket against the secret key for the KDC, which is stored in a keytab file. When the validation with the keytab file fails, the KDC server is considered untrusted, and the user is not authenticated. |
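The KDC Validation row above describes a two-step check: the password is proved through the AS exchange, and the responding KDC is then proved through a service ticket that must verify against the key in the keytab. The following model, added here as an illustration and not BIG-IP Next code, shows why the second step matters. Real Kerberos seals tickets with AES; here an HMAC tag over the ticket body stands in for "encrypted under key K", since only a holder of K can produce or check the tag. The realm, user, service principal and keys are constructed for the example.

```python
"""Model of the KDC Validation step described for the Active Directory server.

Added illustration, not BIG-IP Next code. An HMAC tag stands in for Kerberos
ticket encryption: only a holder of the key can seal or verify a ticket.
"""
import hashlib
import hmac
import os

REALM = "EXAMPLE.TEST"                      # constructed
SERVICE_PRINCIPAL = "HTTP/gw.example.test"  # constructed
SERVICE_KEY = b"\x11" * 32                  # the keytab entry, constructed


def derive_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string-to-key: password -> long-term key."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def seal(key: bytes, body: str) -> dict:
    """Produce a ticket that only a holder of key can verify."""
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").digest()}


def is_sealed_with(key: bytes, ticket: dict) -> bool:
    """True iff the ticket was sealed under key."""
    expected = hmac.new(key, ticket["body"].encode(), "sha256").digest()
    return hmac.compare_digest(expected, ticket["tag"])


class KDC:
    """A KDC answers with tickets sealed under the long-term keys it holds."""

    def __init__(self, keys: dict):
        self.keys = keys  # principal name -> long-term key

    def as_rep(self, user: str) -> dict:
        """AS exchange: a TGT sealed under the user's key."""
        return seal(self.keys[user], f"TGT for {user}@{REALM}")

    def tgs_rep(self, service: str) -> dict:
        """TGS exchange: a service ticket sealed under the service's key.
        A KDC that does not hold the service key can only return junk."""
        return seal(self.keys.get(service, os.urandom(32)), f"ST for {service}")


def authenticate(kdc: KDC, user: str, password: str, keytab_key=None) -> bool:
    """Password check through the AS exchange; with keytab_key set, also the
    service-ticket check that KDC Validation adds."""
    if not is_sealed_with(derive_key(password, user), kdc.as_rep(user)):
        return False                      # password does not match the TGT key
    if keytab_key is None:
        return True                       # KDC Validation disabled
    return is_sealed_with(keytab_key, kdc.tgs_rep(SERVICE_PRINCIPAL))


# The domain's real KDC holds alice's key and the gateway's service key.
REAL_KDC = KDC({"alice": derive_key("correct-horse", "alice"),
                SERVICE_PRINCIPAL: SERVICE_KEY})
# A KDC under someone else's control can seal a TGT for "alice" under any
# key it likes, but it has no copy of the gateway's keytab.
UNTRUSTED_KDC = KDC({"alice": derive_key("chosen-elsewhere", "alice")})


def demo() -> dict:
    """Outcome of each combination of KDC and validation setting."""
    return {
        "real kdc, right password": authenticate(REAL_KDC, "alice", "correct-horse", SERVICE_KEY),
        "real kdc, wrong password": authenticate(REAL_KDC, "alice", "nope", SERVICE_KEY),
        "untrusted kdc, validation off": authenticate(UNTRUSTED_KDC, "alice", "chosen-elsewhere"),
        "untrusted kdc, validation on": authenticate(UNTRUSTED_KDC, "alice", "chosen-elsewhere", SERVICE_KEY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

With validation off, the AS exchange only shows that whoever answered knows the key the typed password derives to, which any KDC that chose that key does; with validation on, the service ticket must verify against the keytab key, which only the domain's real KDC holds, so the untrusted KDC is rejected and the user is not authenticated, as the row above states.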
Client Certificate Inspection¶
This rule allows you to check the result of client certificate authentication by the Local Traffic Client SSL Profile.
When you use this rule, you configure fields on a number of pages. Each page is documented separately.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name, or use the name that auto-generates when you start creating a Client Certificate Inspection rule. |
CRLDP Authentication¶
Certificate Revocation List Distribution Point (CRLDP) authentication retrieves a Certificate Revocation List (CRL) from a network location (distribution point). A distribution point is either an LDAP Uniform Resource Identifier (URI), a directory path that identifies the location where the CRLs are published, or a fully qualified HTTP URL.
When you use this rule, you configure fields on a number of pages. Each page is documented separately.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the CRLDP rule. You can specify a name, or use the name that auto-generates when you start creating the rule. |
Responder
This page displays when you click Continue on the Rule Properties page.
Field | Description |
---|---|
Name | Specify the name of the responder. You can specify a name, or use the name that auto-generates when you start creating the responder. |
Cache Expiration | Specify the number of seconds a certificate revocation list (CRL) is cached. The default value is 86400 seconds. |
Use Issuer | Specify whether the system extracts the CRL distribution point from the certificate of the client certificate issuer. When enabled, BIG-IP Next uses the CRLDP information provided by the issuer certificate instead of the client certificate. The default value is false. |
Allow Null Certificate Revocation Lists (CRL) | Specify whether a null CRL from the CRLDP server is considered a successful authentication. The default value is false. |
Verify Signature | Specify whether the signature on the received CRL is verified. The default value is true. Note: This parameter value should be enabled when using LDAP or HTTP to fetch the CRL. |
Connection Timeout | Specify the number of seconds of inactivity to allow before the connection times out. The default value is 15. This parameter does not apply if you specify the source parameter value as an endpoint in the serverConnection object. |
Mode | Specify how BIG-IP Next connects to the AAA CRLDP server. The source parameter in this object specifies the mode of server connection. You can choose the following configuration modes based on how BIG-IP Next connects to the AAA CRLDP server: |
Service Port | Specify the CRLDP service port. The default value is 389. |
Base Distinguished Name (DN) | Specify a CRLDP base distinguished name for certificates that specify the CRL distribution point in the directory name (dirName) format. BIG-IP Next Access uses Base DN when the value of the X509v3 attribute crlDistributionPoints is of type dirName and tries to match the value of the crlDistributionPoints attribute to the Base DN value. An example of a Base DN value is cn=lxxx,dc=f5,dc=com. |
Reverse Distinguished Name (DN) | Specify which order BIG-IP Next Access should use when it attempts to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. When enabled, BIG-IP Next Access matches the base DN from left to right or from the beginning of the DN string to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. The default value is disabled. |
Kerberos Authentication¶
Authenticates clients based on their Kerberos ticket, which is obtained and validated each time a request is made. This slightly differs from most authentication rules, which only validate credentials during policy execution. You can disable the Request Based Authentication option to configure Kerberos authentication to occur only during policy execution. Note that an HTTP 401 Response rule must precede the Kerberos Authentication rule to collect the Kerberos ticket information.
To configure Kerberos Authentication, you must create a Kerberos AAA server and authentication objects.
When you use this rule, you configure fields on a number of pages. Each page is documented separately.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the Kerberos rule. You can specify a name, or use the name that auto-generates when you start creating a Kerberos rule. |
Request Based Authentication | Specify whether per request based authentication is enabled. When disabled, authentication occurs only while executing the BIG-IP Next Access policy. The default value is false. |
Max Logon Attempts Allowed | Specify the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3. |
Server Properties
This page displays when you click Start Creating on the Kerberos Server page.
Field | Description |
---|---|
Name | Specify the name of the Kerberos server. You can specify a name, or use the name that auto-generates when you start creating a Kerberos server. |
Service Principal Name Format | Specify the service principal name format for the Kerberos AAA server. Valid values are: |
Service Name | Specify the Kerberos service name; for example, HTTP. This is a required setting. |
Authentication Realm | Specify the Kerberos authentication realm name (administrative name), such as testbed.lab.companynet.com. This is a required setting. |
Keytab File | Specify the name of the keytab file that contains the Kerberos encrypted keys. These are derived from the Kerberos password. It contains the service keys that the server uses to authenticate the client. This is a required setting. |
LDAP Authentication¶
To configure LDAP authentication, you must create an LDAP AAA server and Authentication rule. To query the external LDAP server for additional information about the user, configure LDAP query objects.
For instructions and examples on configuring LDAP Authentication, refer to How to: Configure LDAP Authentication policies using BIG-IP Central Manager.
Rule Properties
Field | Description |
---|---|
Search DN | Specify the base distinguished name (DN) that BIG-IP Next Access uses for internal LDAP search operations. You must use this object with the filter object. For example, session.ssl.cert.last.cn - Uses the user CN from the SSL certificate. Useful as a value for any property in this table. |
Search filter | Specify the search criteria to use when querying the LDAP server for the user's information. Enclose the filter string in parentheses. For example, (sAmAccountName=%{session.logon.last.username}) or (sAmAccountName=%{subsession.logon.last.username}) - Populates the filter parameter with the username from the current session. |
UserDn | Specify the name (in distinguished name (DN) format) that represents the user on the backend LDAP server. |
Show Extended Error | Specify whether to display a comprehensive error message generated by the authentication server on the user's Logon page. The default value is false. Setting the value to false displays non-comprehensive error messages generated by the authentication server on the user's Logon page. Note: This setting is intended only for use in a testing or debugging environment, not in production. If you enable this setting in a live environment, your system might be vulnerable to malicious attacks. |
Max Logon Attempts Allowed | Specify the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3. |
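The Search filter row substitutes a session variable such as the typed username into the filter string. The function below, added here as an example and not BIG-IP Next code (the page does not describe how BIG-IP Next itself expands %{...} references), expands the page's own template while escaping the filter-special characters defined in RFC 4515 (backslash, asterisk, parentheses, NUL) so that a value is always matched literally rather than read as filter syntax. The session dictionary and its values are constructed for the example.

```python
"""Expand an LDAP search filter template with escaped session values.

Added example, not BIG-IP Next code. Escaping follows RFC 4515 section 3.
"""
import re

_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}
_VARIABLE = re.compile(r"%\{([^}]+)\}")

# Filter template as written on the page.
TEMPLATE = "(sAmAccountName=%{session.logon.last.username})"


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it matches only itself."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, session: dict) -> str:
    """Replace every %{name} in template with the escaped session value.
    An unset variable raises instead of silently producing an empty match."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in session:
            raise KeyError(f"session variable not set: {name}")
        return escape_filter_value(str(session[name]))
    return _VARIABLE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed session values: a plain username and one containing
    # characters that have meaning in filter syntax.
    for username in ("alice", "a*(b)"):
        print(build_filter(TEMPLATE, {"session.logon.last.username": username}))
```

The template keeps its parentheses, as the row requires; only the substituted value is escaped, so the filter stays a single equality match whatever the user typed.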
Server Properties
This page displays when you are creating an LDAP rule and click Start Creating on the Rule Properties page.
Field | Description |
---|---|
Name | Specify the name of the AAA LDAP server. This is a required setting. |
Base Search DN | Specify the base DN from which to search. This search DN is used to search groups across a whole directory. |
Admin DN | Specify the Distinguished Name (DN) of the user with administrator rights. This is a required setting. |
Admin Password | Specify the admin password for the LDAP server. This is a required setting. |
Timeout | Specify a timeout interval (in seconds) for the AAA server after which the server closes a connection. The default value is 15. |
Group Cache Lifetime | Specify a lifetime for the group cache in days. The default value is 30. |
Pool Monitor | Specify a monitor to track the health of your AAA LDAP server. |
ICMP pool monitor | Specify the ICMP monitor settings that make a simple node check. The check is successful if the monitor receives a response to an ICMP_ECHO datagram. Specify the following parameters in this object: |
TCP pool monitor | Verify the Transmission Control Protocol (TCP) service by attempting to receive specific content from a resource. The check is successful when the content matches the value of the Receive String setting. Specify the following parameters in this object: |
LDAPS | Specify whether to use the LDAPS protocol during authentication. The default value is No. When set to Yes, you must also specify the TLS Cipher String. |
TLS Cipher String | Specify the cipher string to use for server-side SSL communications. The default value is DEFAULT. |
TLS Options | Specify the TLS versions to enable. |
Schema Properties
This page displays when you are creating an LDAP server and click Save & Continue on the Server Properties page.
Field | Description |
---|---|
User Object Class | Specify the value of the objectClass attribute for a user object. The default value is user. |
User Membership | If the user object maintains a group membership, specify the value of the membership attribute. The default value is memberOf. |
Group Object Class | Specify the value of the objectClass attribute for a group object. The default value is group. |
Group Membership | If the group object maintains membership in other groups, specify the value of the membership attribute. The default value is memberOf. |
Group Member | If the group object maintains a list of users that belong to it, specify the value of its attribute. The default value is member. |
Group Member Value | If the Group Member attribute is specified, use this field to specify the attribute that is used to add users to a group. The default value is dn. |
OCSP Authentication¶
Online Certificate Status Protocol (OCSP) authentication provides a more efficient means to validate a certificate by directly querying a trusted OCSP responder over HTTP for the current status of the specific certificate presented by the client.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name or use the name that auto-generates when you start creating an OCSP Authentication rule. |
Responder
This page displays when you click Save & Continue on the Rule Properties tab. Select Show advanced fields to display all options.
Field | Description |
---|---|
Name | Specify the name of the OCSP responder server. You can specify a name or use the name that auto-generates. |
URL | Specify the URL used to contact the OCSP service on the responder. |
Certificate Authority File | Specify the name of the file that contains the trusted CA certificates used to verify the signature on the OCSP response. This is a required setting. |
Validity Period | Specify an acceptable error range (in seconds) for the time tolerated in an OCSP response. Each certificate status response includes a notBefore time and an optional notAfter time, and the current time should fall between these two values. This setting is used when the OCSP responder and client clocks are not synchronized, which could cause a certificate status check to fail. The default value is 300. |
Status Age | Specify a time (in seconds) to compare to the notBefore time of an OCSP response. Each certificate status response includes a notBefore time and an optional notAfter time. This property is used when the status response does not include the notAfter time. The value of statusAge should be more than the notBefore time. The default value is 0. |
CertID Digest | Specify the algorithm for converting the client certificate and its issuer certificate to an OCSP cert ID. The cert ID is added to the OCSP request. |
Verify Other | Specify the file name used to search for an OCSP response signing certificate when the certificate has been omitted from the response. |
VA File | Specify the name of the file that contains explicitly-trusted responder certificates. This parameter is required when the responder is not covered by the certificates that are already loaded into the responder's CA store. |
Signer | Specify the certificate name used to sign an OCSP request. If the signer is specified, but the signkey is not specified, then the private key is read from the same file as the certificate. The request is not signed if neither the signer nor the signkey is specified. If only the signkey is specified, then the configuration is considered invalid. |
Ignore AIA | Select this option to ignore the URL in the certificate's AIA fields and use the URL the responder specifies. The default value is false. |
Trust Other | Select this option to trust the certificates specified in the verifyOther setting. The default value is false. |
Allow Certificates | Select this option to allow the addition of certificates to an OCSP request. The default value is true. |
Verify | Select this option to verify an OCSP response signature or the nonce value. The default value is true. |
Intern | Select this option to look internally in the OCSP response for the signer's certificate. The default value is true. |
Verify Signature | Select this option to check the signature on the OCSP response. The default value is true. |
Verify Certificate | Select this option to verify the certificate in the OCSP response. The default value is true. |
Certificate Chain | Select this option to construct a certificate chain in the OCSP response. The default value is true. |
Check Certificates | Select this option to make additional checks to verify that the signer's certificate is authorized to provide the required status information. The default value is true. |
Explicit OCSP | Select this option to explicitly trust that the OCSP signer's certificate is authorized for OCSP response signing. The default value is true. Note: The X509 certificate has several extensions, one of which indicates whether the certificate can be used for signing. If this parameter is enabled, but the signer's certificate does not contain the OCSP signing extension field, BIG-IP Next Access does not trust the response. |
Nonce | Select this option to add a nonce extension to OCSP requests. The default value is true. |
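The Validity Period and Status Age rows describe a time-window check on each certificate status in an OCSP response. The function below, added here as an example and not BIG-IP Next code, carries that check through on the page's own terms. It assumes the semantics of OpenSSL's OCSP_check_validity, which the two fields appear to mirror: Validity Period is a clock-skew tolerance in seconds applied at both ends of the window, Status Age bounds how old notBefore may be when the response carries no notAfter, and a Status Age of 0 (the page's default) disables that bound. The timestamps are constructed.

```python
"""Validity-window check for one OCSP certificate status.

Added example, not BIG-IP Next code. Assumes OpenSSL OCSP_check_validity
semantics for the page's Validity Period (skew tolerance) and Status Age
(maximum age of notBefore when notAfter is absent; 0 = not checked).
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


def check_validity(not_before: datetime, not_after: Optional[datetime],
                   now: datetime, validity_period: int = 300,
                   status_age: int = 0) -> Tuple[bool, str]:
    """Return (accepted, reason). All datetimes are timezone-aware."""
    skew = timedelta(seconds=validity_period)
    # notBefore may be at most validity_period seconds in the future.
    if not_before > now + skew:
        return False, "status too new: notBefore is in the future"
    if not_after is not None:
        if not_after < not_before:
            return False, "malformed: notAfter precedes notBefore"
        # notAfter may be at most validity_period seconds in the past.
        if not_after < now - skew:
            return False, "status expired: notAfter is in the past"
        return True, "now falls within [notBefore, notAfter] allowing for skew"
    # No notAfter: only Status Age can reject a stale response.
    if status_age > 0 and not_before < now - timedelta(seconds=status_age):
        return False, "status too old: notBefore exceeds Status Age"
    return True, "no notAfter in response; accepted"


# Constructed reference time and a few responses around it.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
CASES = {
    "fresh":            (NOW - timedelta(hours=1), NOW + timedelta(hours=1)),
    "slightly future":  (NOW + timedelta(seconds=200), NOW + timedelta(hours=1)),
    "too far future":   (NOW + timedelta(seconds=600), NOW + timedelta(hours=1)),
    "just expired":     (NOW - timedelta(hours=2), NOW - timedelta(seconds=100)),
    "long expired":     (NOW - timedelta(hours=2), NOW - timedelta(seconds=600)),
    "no notAfter":      (NOW - timedelta(hours=2), None),
}


def evaluate(status_age: int = 0) -> dict:
    """Run every constructed case with the page's default Validity Period."""
    return {name: check_validity(nb, na, NOW, 300, status_age)[0]
            for name, (nb, na) in CASES.items()}


if __name__ == "__main__":
    for name, (nb, na) in CASES.items():
        print(f"{name:>16}: {check_validity(nb, na, NOW, status_age=3600)}")
```

With the default Validity Period of 300 seconds, a notBefore 200 seconds ahead of the local clock is accepted and one 600 seconds ahead is rejected, matching the row's purpose of tolerating small clock differences; the "no notAfter" response is accepted with Status Age 0 and rejected once Status Age is set below its two-hour age.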
On-Demand Client Certificate Authentication¶
The On-Demand Client Certificate Authentication rule allows you to request and validate SSL certificates on demand. Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. You can configure a client SSL profile to skip the initial SSL handshake and add the On-Demand Certificate Authentication item to the Access policy to re-negotiate the SSL connection later. You can use an On-Demand Client Cert Authentication rule in scenarios where all employees gain access to the network, but a few employees gain access to servers with sensitive information.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | You can specify a name for this rule, or use the name that auto-generates when you insert the rule into the policy. |
Authentication Mode | Specify the mode of authentication. The default value is request. The valid values are: |
RADIUS Authentication¶
Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides centralized authentication, authorization, and accounting management. RADIUS is a popular method for leveraging some multifactor authentication services such as One-Time Passwords (OTP).
To configure RADIUS Auth, you must create authentication objects and a RADIUS AAA server.
Rule Properties
The table below lists the objects for configuring RADIUS authentication objects. The Rule Properties page appears when you start editing a RADIUS Authentication rule:
Object | Description |
---|---|
Name | Specify the name of the Access policy rule. |
Show Extended Error | Specify whether to display comprehensive error messages generated by the authentication server on the user's logon page. Note: This object is intended only for use in a testing or debugging environment, not in production. Your system might be vulnerable to malicious attacks if set to Enabled in a live environment. When set to Disabled, it displays non-comprehensive error messages on the user's logon page. The default value is Disabled. |
Max Logon Attempts Allowed | Specify the number of user authentication logon attempts to allow. This setting limits the times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response are considered as one attempt. The default value is 3. The valid values are 1-5. |
Username Source | Specify the session variable name from which the RADIUS item should read the username. The default value is %{session.logon.last.username}. |
Password Source | Specify the session variable name from which the RADIUS item should read the password. The default value is %{session.logon.last.password}. |
RADIUS Server
The table below lists the objects for configuring a RADIUS server. The RADIUS Server page appears after you save the Rule Properties settings and then click Start Creating on the RADIUS Server page:
Object | Description |
---|---|
Name | Specify the name of the RADIUS AAA server. This is a required setting. |
Secret | Specify the shared secret password for your RADIUS AAA server. This is a required setting. |
Verify Secret | Verify the shared secret password for your RADIUS AAA server. This is a required setting. |
Service Type | Specify the type of service you use on the RADIUS server. Service types are specific to your RADIUS implementation. If you retain the default value, the service type is set to authenticate-only. The valid values are: |
Character Set | Specify the character encoding used for the user name and password. The default value is cp1252. The valid values are: |
NAS Identifier | Specify the string used to identify the NAS that originates the access request. |
NAS IP Address | Specify an IPv4 address to identify the NAS in dotted quad notation using the default zone. |
NAS IPv6 Address | Specify an IPv6 address to identify the NAS represented as either a full address, shortened or mixed-shortened formats, using the default zone. |