Interrogation rules¶
Active Directory Query¶
Allows you to query a lightweight directory for specific attributes. These attributes can then be used in authorization decision-making within an access policy.
When you use this rule, you configure fields on a number of pages. Each page is documented separately.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name or use the name that auto-generates when you insert the rule into the policy. |
Search Filter | Specify the search criteria to use when querying the Active Directory (AD) server for the user's information. Session variables are supported as part of the search query string. This is a required setting. When entering a string, use parentheses. For example, (sAMAccountName=%{session.logon.last.username}) or (sAMAccountName=%{subsession.logon.last.username}) populates the filter parameter with the username from the current session. |
Fetch Primary Group | Specify whether to retrieve a user's primary group attributes, including primary group Distinguished Name, for use in the policy. The default value is false. |
Cross Domain Support | Specify whether AD cross domain authentication support is enabled. |
Fetch Nested Groups | Specify whether to fetch and associate the user to all groups. The default value is Disabled. When disabled, associates the user only to the groups to which they belong directly. When enabled, associates the user to all groups that are nested under the groups that they directly belong to. For example, if the user belongs to Group 1 and Group 2, and Group 1 is a member of Group 3 and Group 4, enabling this setting allows the user to obtain privileges from all groups. |
Complexity Check for Password Reset | Specify whether BIG-IP Next Access performs a password policy check. The default value is Disabled. Access supports the following Active Directory password policies: |
Show Extended Error | Specify whether to display the comprehensive error messages generated by the authentication server on the user's Logon page. The default value is Disabled. When disabled, only non-comprehensive error messages generated by the authentication server are displayed on the user's logon page. When enabled, the comprehensive error messages generated by the authentication server are displayed on the user's logon page. This setting is intended only for use in a testing or debugging environment, not in production. If enabled in a live environment, your system might be vulnerable to malicious attacks. |
Max Logon Attempts Allowed | Specify the number of user authentication logon attempts to allow. The default value is 3. The valid value range is 1-5. |
Max Password Reset Attempts Allowed | Specify the number of times to allow a user to try to reset their password. The default value is 3. The valid value range is 1-5. |
Password Expiration Reminder (days) | Specify to prompt the user at a set time to change the password before it expires. The default value is 0 days, which signifies the user will not be prompted. |
Required Attributes | By default, the server loads all user attributes if you do not specify any required attributes. However, you have the option to improve system performance by specifying only the required attributes that you want the server to return. For example, you can specify primaryGroupID and sAMAccountName as required attributes. With this specification, only those two attributes are retrieved from the LDAP server. Click Create to add a new attribute to the Active Directory query action. |
Active Directory Server
This tab displays when you click Save & Continue on the AD Query Rule Properties tab.
Field | Description |
---|---|
Server Connection | Specify Pool. Direct is not supported in the current release. |
Domain | Specify the name of the Windows domain. |
Timeout | Specify the number of seconds to reach the Active Directory server initially. The default value is 15. |
Group Cache Lifetime (days) | Specify the lifetime of a group cache, in days. The default lifetime is 30 days. This means that BIG-IP Next Access refreshes the Active Directory group cache every 30 days. |
Password Security Object Lifetime (days) | Specify the lifetime of the Password Security Object (PSO) cache. The default lifetime is 30 days. |
Admin Username | Specify the administrator name that has Active Directory administrative permissions. |
Admin Password | Specify the administrator password associated with the Domain Name. |
KDC Validation | Specify whether to enable Kerberos KDC Validation. The default value is false. The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller and is responsible for authenticating users. The KDC validation allows you to prevent a KDC spoofing attack. You configure a KDC validation by importing the keytab file you exported from the Kerberos KDC. When you enable the KDC validation, after obtaining the ticket-granting ticket (TGT) and validating the user, BIG-IP Next requests a service ticket on behalf of the user. It validates the returned service ticket against the secret key for the KDC, which is stored in a keytab file. When the validation with the keytab file fails, the KDC server is considered untrusted, and the user is not authenticated. |
Service Name | Specifies the Kerberos service name; for example, HTTP. This is a required setting. |
Keytab File | Specifies the name of the keytab file that contains Kerberos encrypted keys. These are derived from the Kerberos password. It contains the service keys that the server uses to authenticate the client. This is a required setting. |
Client Operating System¶
This rule detects the operating system of the remote client. BIG-IP Next Access detects this using information from the HTTP header. The action provides separate branches for separate operating systems. This action can be very useful at the beginning of a policy. Each branch can include actions that are specific to a client operating system.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name or use the name that auto-generates when you insert the rule into the policy. |
Client Type¶
This rule helps you identify the type of client that the user uses to connect to BIG-IP Next Access. This feature makes it possible to specify different actions for different client types in one access policy and to use one virtual server for traffic from various client types. The Client Type rule presents a query to find out what type of client is connecting and routes the client to the different policy branches based on the query results.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name or use the name that auto-generates when you insert the rule into the policy. |
Date Time¶
The Date Time action enables branching based on the day, date, or time on the server.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name or use the name that auto-generates when you insert the rule into the policy. |
The Date Time rule provides two default branch rules:
Weekend: Defined as Saturday and Sunday.
Business Hours: Defined as 8:00 AM to 5:00 PM.
The Date Time action provides these conditions for defining branch rules. On the Branches tab, click Create and navigate to the Expressions > Context path. Select Date Time from the Context drop-down list.
Time From: Specifies a time of day. The condition is true at or after the specified time.
Time To: Specifies a time of day. The condition is true before or at the specified time.
Date From: Specifies a date. The condition is true at or after the specified date.
Date To: Specifies a date. The condition is true before or at the specified date.
Day of Week: Specifies a day. The condition is true for the entire day (local time zone).
Day of Month: Specifies the numeric day of the month. The condition is true for this day every month (local time zone).
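The following is an added example, not code from the original page or from BIG-IP Next Access, showing how the six Date Time conditions above evaluate against a server clock, with the two default branches, Weekend and Business Hours, written as combinations of those conditions. The `evaluate` and `select_branch` functions and the condition names as strings are this example's own conventions.

```python
"""Added example (not F5 code): evaluating Date Time branch conditions.

Semantics follow the table above: "From" conditions are inclusive lower
bounds, "To" conditions are inclusive upper bounds, and the Day conditions
match the whole day in the server's local time zone.
"""
from datetime import date, datetime, time


def evaluate(condition: str, value, now: datetime) -> bool:
    """Return True when a single Date Time condition holds at `now`."""
    if condition == "Time From":
        return now.time() >= value          # at or after the time
    if condition == "Time To":
        return now.time() <= value          # before or at the time
    if condition == "Date From":
        return now.date() >= value          # at or after the date
    if condition == "Date To":
        return now.date() <= value          # before or at the date
    if condition == "Day of Week":
        return now.strftime("%A") == value  # whole day, local time
    if condition == "Day of Month":
        return now.day == value             # this day every month
    raise ValueError(f"unknown Date Time condition: {condition!r}")


def matches_all(conditions, now: datetime) -> bool:
    """A range such as Business Hours needs every condition to hold."""
    return all(evaluate(c, v, now) for c, v in conditions)


def matches_any(conditions, now: datetime) -> bool:
    """A set of days such as Weekend needs any one condition to hold."""
    return any(evaluate(c, v, now) for c, v in conditions)


# The two default branch rules, expressed with the conditions above.
BUSINESS_HOURS = [("Time From", time(8, 0)), ("Time To", time(17, 0))]
WEEKEND = [("Day of Week", "Saturday"), ("Day of Week", "Sunday")]


def is_business_hours(now: datetime) -> bool:
    return matches_all(BUSINESS_HOURS, now)


def is_weekend(now: datetime) -> bool:
    return matches_any(WEEKEND, now)


def select_branch(now: datetime) -> str:
    """First matching branch wins, as in an ordered branch list.

    Weekend is checked first on purpose: a Saturday at 10:00 satisfies both
    rules, and if Business Hours were listed first the Weekend branch would
    never be taken on a weekend morning."""
    if is_weekend(now):
        return "Weekend"
    if is_business_hours(now):
        return "Business Hours"
    return "fallback"


if __name__ == "__main__":
    # Constructed sample timestamps (2024-03-16 is a Saturday).
    for sample in (datetime(2024, 3, 16, 10, 0),
                   datetime(2024, 3, 18, 10, 0),
                   datetime(2024, 3, 18, 18, 30)):
        print(sample, "->", select_branch(sample))
```

Branch order matters because a timestamp can satisfy more than one default rule at once; placing the narrower rule (Weekend) ahead of the broader one (Business Hours) is what makes the weekend branch reachable.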
Geolocation Match¶
This rule determines a user’s physical location by comparing the user’s IP address to an internal database. This match is based on one or more location parameters, including Continent, Country, County, and State/Region.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name or use the name that auto-generates when you insert the rule into the policy. |
IP Subnet Match¶
This is a general purpose rule that focuses on IP Subnets to define custom branching logic based on the source address of the connecting client.
When you use this rule, you configure the following fields:
Field | Description |
---|---|
Name | Specify the name of the subnet match rule. |
Landing URI¶
This is a general purpose rule that provides the ability to create custom branching logic based on the URI provided at the start of the access policy evaluation.
When you use this rule, you configure fields on a number of pages. Each page is documented separately.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name or use the name that auto-generates when you insert the rule into the policy. |
LDAP Query¶
This rule allows you to retrieve the requested attributes defined in this rule from a lightweight directory service. An LDAP Query action performs a query against an AAA LDAP server. When running the LDAP Query access policy item, BIG-IP Next Access queries an external LDAP server for additional information about the user. The LDAP Query item does not authenticate user credentials. A logon page or some other method to collect the information specified in the search filter must precede this rule to complete the query. If authentication is required, an LDAP Authentication rule must be used in addition to this rule.
When you use this rule, you configure fields on a number of pages. Each page is documented separately.
Rule Properties
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name or use the name that auto-generates when you insert the rule into the policy. |
Search DN | Specify the base distinguished name (DN) that Access uses for internal LDAP search operations. You must use this object with the filter object. For example, session.ssl.cert.last.cn uses the user CN from the SSL certificate. This is a useful value for any property in this table. |
Search Filter | Specify the search criteria to use when querying the LDAP server for the user's information. When entering a string, use parentheses. For example, (sAMAccountName=%{session.logon.last.username}) or (sAMAccountName=%{subsession.logon.last.username}) populates the filter parameter with the username from the current session. |
User's Group Membership Scope | Specify the scope of user lookup for a group. When the search returns a group, this attribute specifies whether to also look up the members of the group. The default value is None. The valid values are: |
Group's User Membership Scope | Specify the scope of group lookup for a user or a group. When the search returns a user or a group, this attribute specifies whether to also look up the groups to which this user or group belongs. The default value is None. The valid values are: |
Show Extended Error | Specify whether to display the comprehensive error messages generated by the authentication server on the user's Logon page. The default value is Enabled. Setting the value to false displays only non-comprehensive error messages generated by the authentication server on the user's Logon page. Note: This setting is intended only for use in a testing or debugging environment, not in production. If you enable this setting in a live environment, your system might be vulnerable to malicious attacks. |
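Both the Active Directory Query and LDAP Query rules build their Search Filter by substituting a session variable such as %{session.logon.last.username} into a filter string. The following is an added example, not code from the original page or from BIG-IP Next Access, showing how such a substitution must escape the value per RFC 4515 so that characters typed into the logon form cannot change the shape of the filter. The `build_filter` function, the placeholder expansion logic, and the sample sessions are this example's own assumptions about how the substitution could be implemented, not a description of the product's internals.

```python
"""Added example (not F5 code): expanding a Search Filter template from
session variables with RFC 4515 escaping of each substituted value."""
import re

# RFC 4515 requires these characters to be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value that will be substituted into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, session: dict) -> str:
    """Expand %{session.variable} placeholders, escaping each value.

    The %{...} syntax mirrors the documented example; the expansion logic
    is this example's own (hypothetical) implementation."""
    def expand(match: re.Match) -> str:
        name = match.group(1)
        if name not in session:
            raise KeyError(f"session variable {name!r} is not set")
        return escape_filter_value(session[name])
    return re.sub(r"%\{([^}]+)\}", expand, template)


def is_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check: unescaped parentheses must balance."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


TEMPLATE = "(sAMAccountName=%{session.logon.last.username})"

# Constructed sample sessions: an ordinary logon name, and one containing
# filter metacharacters. Without escaping, the second would turn the exact
# match into a wildcard and the query could return a different account.
ORDINARY = {"session.logon.last.username": "jdoe"}
METACHARS = {"session.logon.last.username": "*)(objectClass=*"}


def demo():
    """Return the expanded filter for both constructed sessions."""
    return build_filter(TEMPLATE, ORDINARY), build_filter(TEMPLATE, METACHARS)


if __name__ == "__main__":
    for expanded in demo():
        print(expanded, "balanced:", is_balanced(expanded))
```

With escaping in place the second session still yields a single, balanced equality filter for the literal string that was typed, which is the property a directory query driven by user input needs. Required Attributes limits what comes back for whatever entry does match; it does not protect the filter itself.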
Required Attributes
This tab displays when you click Save & Continue on the LDAP Query Rule Properties tab.
By default, the server loads all user attributes if you do not specify any required attributes. However, you have the option to improve system performance by specifying only certain required attributes that you want the server to return. For example, you can specify primaryGroupID and sAMAccountName as required attributes. With this specification, only those two attributes are retrieved from the LDAP server.
Server Properties
This page displays when you click Start Creating on the LDAP Server page.
Field | Description |
---|---|
Name | Specify the name of the rule. You can specify a name or use the name that auto-generates when you insert the rule into the policy. |
Base Search DN | Specify the distinguished name (DN) of the directory entry at which LDAP searches start; the Search Filter is applied to entries at or below this base. |
Admin DN | Specify the distinguished name (DN) of the user with administrator rights. Type the value in this format: CN=administrator,CN=users,DC=sales,DC=mycompany,DC=com. This is a required setting. |
Admin Password | Specify the administrative password for the server. This is a required setting. |
Verify Admin Password | Verify the administrative password for the server. This is a required setting. |
Group Cache Lifetime | Specify a lifetime for the group cache in days. The default value is 30. |
LDAPS | Specify whether to use the LDAPS protocol during authentication. The default value is false. When set to true, you must also specify the TLS settings. |
Schema Properties
This page displays when you click Save & Continue on the LDAP Server Properties page.
Field | Description |
---|---|
User Object Class | Specify the value of the objectClass attribute for a user object. The default value is user. |
User Membership | If the user object maintains membership in other groups, specify the value of the membership attribute. Defaults to memberOf. |
Group Object Class | Specify the value of the objectClass attribute for a group object. Defaults to group. |
Group Membership | If the group object maintains a list of users that belong to it, specify the value of its membership attribute. Defaults to memberOf. |
Group Member Value | If the Group Membership attribute is specified, use this field to specify the attribute that is used to add users to a group. Defaults to dn. |
Group Member | If the group object maintains a list of users that belong to it, specify the value of its attribute. Defaults to member. |
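The schema attributes above (User Membership, Group Object Class, Group Member) are what a membership lookup walks, and the Fetch Nested Groups and Fetch Primary Group settings of the Active Directory Query rule decide how far that walk goes. The following is an added example, not code from the original page or from BIG-IP Next Access, that resolves direct, nested, and primary-group membership over a constructed directory snapshot using those attribute names. The snapshot, the `SCHEMA` mapping, and the `groups_of`, `members_of`, and `primary_group` functions are this example's own; primary-group matching on the RID suffix of objectSid is a single-domain simplification.

```python
"""Added example (not F5 code): group membership resolution over a
constructed directory snapshot, using the schema attribute names from the
Schema Properties table (memberOf, group, member)."""


def dn(cn: str, container: str = "OU=Groups") -> str:
    return f"CN={cn},{container},DC=example,DC=com"


USER = dn("jdoe", "CN=Users")
G1, G2, G3, G4, DU = (dn(n) for n in ("Group 1", "Group 2", "Group 3",
                                      "Group 4", "Domain Users"))

# Constructed snapshot keyed by DN. Groups list members in `member`; users
# and groups list parents in `memberOf`. The SID is a constructed sample.
DIRECTORY = {
    USER: {"objectClass": ["user"], "sAMAccountName": ["jdoe"],
           "primaryGroupID": ["513"], "memberOf": [G1, G2]},
    G1: {"objectClass": ["group"], "member": [USER, G4], "memberOf": [G3, G4]},
    G2: {"objectClass": ["group"], "member": [USER], "memberOf": []},
    G3: {"objectClass": ["group"], "member": [G1], "memberOf": []},
    # Group 4 contains Group 1 and is also a member of Group 1: a cycle
    # that a naive recursive walk would never leave.
    G4: {"objectClass": ["group"], "member": [G1], "memberOf": [G1]},
    DU: {"objectClass": ["group"], "member": [],
         "objectSid": ["S-1-5-21-1111-2222-3333-513"]},
}

# Mirrors the defaults in the Schema Properties table.
SCHEMA = {"user_membership": "memberOf",
          "group_object_class": "group",
          "group_member": "member"}


def groups_of(user_dn: str, directory=DIRECTORY, schema=SCHEMA,
              nested: bool = False) -> set:
    """Groups the user belongs to: direct only (Fetch Nested Groups
    disabled) or the transitive closure over memberOf (enabled)."""
    seen = set()
    frontier = list(directory[user_dn].get(schema["user_membership"], []))
    while frontier:
        g = frontier.pop()
        if g in seen:
            continue                      # cycle or diamond: already counted
        entry = directory.get(g)
        if entry is None or schema["group_object_class"] not in entry.get("objectClass", []):
            continue                      # dangling or non-group reference: do not trust it
        seen.add(g)
        if nested:
            frontier.extend(entry.get(schema["user_membership"], []))
    return seen


def members_of(group_dn: str, directory=DIRECTORY, schema=SCHEMA,
               nested: bool = False) -> set:
    """Users in a group, optionally expanding member groups (the
    Group's User Membership Scope direction)."""
    users, seen = set(), set()
    frontier = list(directory[group_dn].get(schema["group_member"], []))
    while frontier:
        m = frontier.pop()
        if m in seen:
            continue
        seen.add(m)
        entry = directory.get(m)
        if entry is None:
            continue
        if schema["group_object_class"] in entry.get("objectClass", []):
            if nested:
                frontier.extend(entry.get(schema["group_member"], []))
        else:
            users.add(m)
    return users


def primary_group(user_dn: str, directory=DIRECTORY):
    """The primary group is not listed in memberOf; AD records it as the
    RID in primaryGroupID, matched here against the objectSid suffix."""
    rid = directory[user_dn].get("primaryGroupID", [None])[0]
    if rid is None:
        return None
    for g_dn, entry in directory.items():
        sids = entry.get("objectSid", [])
        if sids and sids[0].rsplit("-", 1)[-1] == rid:
            return g_dn
    return None


if __name__ == "__main__":
    print("direct:", sorted(groups_of(USER)))
    print("nested:", sorted(groups_of(USER, nested=True)))
    print("primary:", primary_group(USER))
```

Two points the walk makes visible: a visited set is what keeps a membership cycle from hanging the lookup, and references to entries that are missing or are not of the configured Group Object Class are skipped rather than granted, so a stale memberOf value cannot confer a group the directory no longer defines.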
SAML Attribute Match¶
This is a general purpose rule that has no explicit rule configuration and provides the capability to define custom branching logic for session variables that are specific to the SAML use case.
When you use this rule, you configure the following fields:
Field | Description |
---|---|
Name | Specify the name of the attributes match rule. |