Lab 3: Intro to Per-Request Policies

Section 1 - Setup Lab Environment

To access your dedicated student lab environment, you will require a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Lab Training Portal. The RDP client will be used to connect to the Jump Host, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

    image001

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the Jump Host.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  6. After successful logon the Chrome browser will auto launch opening the site https://portal.f5lab.local. This process usually takes 30 seconds after logon.

  7. Click the Classes tab at the top of the page.

    image002

  8. Scroll down the page until you see 101 Intro to Access Foundational Concepts on the left

    image003

  9. Hover over tile Intro to Per-Request Policies. A start and stop icon should appear within the tile. Click the Play Button to start the automation to build the environment

    image004 image005
  10. The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

    image006

Section 2 - Step-up Authentication

Task 1 - Test the existing Configuration

  1. From the jumpbox, navigate to https://app.acme.com. You will be redirected to the SAML IdP and be presented a logon page.

  2. Logon with the credentials username: coyote@acme.com password: user1

    image009

  3. After a successful logon at the IdP you are redirected back to https://app.acme.com and presented with a portal page.

  4. Click the Admin View button.

    image010

  5. You are successfully logged into the admin view without being asked for any further credentials. We want to add additional security to the admin view by requiring MFA at the IdP for this portion of the website.

    image011

Task 2 - Create a Step-up Authentication Per-Request Policy

  1. From a browser navigate to https://bigip1.f5lab.local

  2. Login with username admin and password admin

    image012

  3. Navigate to Access >> Profiles/Policies >> Per-Request Policies >> click the Plus Sign(+).

    image013

  4. Enter the Name app-prp

  5. Toggle English (en) to the list of Accepted Languages

  6. Click Finished

    image014

  7. Click Edit

    image015

  8. Click Add New Subroutine

    image016

  9. Enter the Name SAML Auth

  10. Click Save

    image017

  11. Click Edit Terminals

    image018

  12. Click Add Terminal

    image019

  13. Enter the Name Fail on the line with a red #2

  14. Enter the Name Pass on the line with a green #1

  15. Click the up arrow on the pass line to move it above the Fail Terminal

    image020

  16. Click the Set Default tab

    image021

  17. Select Fail as the default

  18. Click Save

    image022

  19. Click the Plus Symbol (+) between In and Pass

    image023

  20. Click the Authentication tab

  21. Select SAML Auth

  22. Click Add Item

    image024

  23. From the AAA Server dropdown select /Common/app.acme.com-1-sp-serv

  24. Click Save

    image025

  25. Click the Plus Symbol (+) between Start and Allow

    image026

  26. Click the Classification tab

  27. Select URL Branching

  28. Click Add Item

    image027

  29. Click the Branch Rules tab

  30. Enter the Name MFA

  31. Click change

    image028

  32. For URL Contains enter https://app.acme.com/admin/

  33. Click Finished

    image029

  34. Click Save

    image030

  35. Click the Plus Symbol (+) on the MFA branch between URL branching and Allow

    image031

  36. Click the Subroutines tab

  37. Select SAML Auth

  38. Click Add Item

    image032

  39. Click the Reject Terminal located at the end of the URL Branching fallback branch

    image033

  40. Select Allow

  41. Click Save

    image034

  42. The policy should now look like the one below

    image035

Task 3 - Attach the Per-Request Policy

  1. Navigate to Local Traffic >> Virtual Servers >> Virtual Server List (not the Plus Symbol (+))

    image036

  2. Click app-https

    image037

  3. Scroll to the Access Policy section of the virtual server

  4. From the Per-Request Policy dropdown select app-prp

  5. Click Update

    image038

Task 4 - Test Step-Up Authentication

  1. From the jumpbox, navigate to https://app.acme.com. You will be redirected to the SAML IdP and be presented a logon page.

  2. Logon with the credentials username: coyote@acme.com password: user1

    image009

  3. After a successful logon at the IdP you are redirected back to https://app.acme.com and presented with a portal page.

  4. Click the Admin View button.

    image010

  5. The page now requires a new SAML assertion with a higher-level authentication context class. The user is prompted for certificate authentication. Select the user1 certificate

    image039

  6. After successfully providing a certificate you now have access to the admin page.

    image011

Section 3 - Header Injection

Task 1 - Add Header Injection to an existing Per-Request Policy

  1. BIG-IP APM often has access to information that the application may not have access to natively. Through the power of the per-request policy we can inject additional headers into each request. Let’s explore adding an additional header after the SAML Auth subroutine.

  2. From a browser navigate to https://bigip1.f5lab.local

  3. Login with username admin and password admin

    image012

  4. Navigate to Access >> Profiles/Policies >> Per-Request Policies.

    image045

  5. Click Edit to the right of app-prp

    image015

  6. Click the Plus Symbol (+) on the Pass branch between SAML Auth and Allow Terminal

    image041

  7. Click the General Purpose tab.

  8. Select HTTP Headers

  9. Click Add Item

    image042

  10. Click Add new entry

  11. Enter the Header Name email

  12. Enter the Header Value %{session.saml.last.nameIDValue}

  13. Click Save

    image043

  14. The Per-Request Policy should now look like below

    image044

Task 2 - Test Header Injection

  1. From the jumpbox, navigate to https://app.acme.com. You will be redirected to the SAML IdP and be presented a logon page.

  2. Logon with the credentials username: coyote@acme.com password: user1

    image009

  3. After a successful logon at the IdP you are redirected back to https://app.acme.com and presented with a portal page.

  4. Click the Admin View button.

    image010

  5. Select the user1 certificate

    image039

  6. The admin page successfully parsed the new email header and displays it on the screen

    image040

Section 4 - Lab Cleanup

  1. From a browser on the jumphost navigate to https://portal.f5lab.local

  2. Click the Classes tab at the top of the page.

    image002

  3. Scroll down the page until you see 101 Intro to Access Foundational Concepts on the left

    image003

  4. Hover over tile Visual Policy Editor (VPE) Overview. A start and stop icon should appear within the tile. Click the Stop Button to trigger the automation to remove any prebuilt objects from the environment

    image004 image007
  5. The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

    image008

  6. This concludes the lab.

    image000