EXERCISE 7.4 – AUTHENTICATION, AUTHORIZATION, AND ENDPOINT CHECKS
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Add Authentication and Authorization to the Access Policy
Update the network_access policy to authenticate and authorize users using an LDAP server.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_7.3_apm_full_webtop_v11.5.1 (there should be a Webtop named full_webtop).
Open the Access Policy > Access Profiles > Access Profiles List page.
In the network_access row, click the Edit link to open the Visual Policy Editor.
Add the following items to the network_access policy.
Logon Page item
Add a new item in the following location:
On the Logon tab, select the Logon Page option, and then click Add Item.
From the Language list box, select en.
Change the Form Header Text to Secure Logon <br> for Lorax Industries.
Edit the Logon Page Input Field #1 to Domain username.
Click Save.
LDAP Auth item
Add a new item in the following location:
Click the Authentication tab, select the LDAP Auth option, and then click Add Item.
From the Server list box, select /Common/webauth_policy_aaa_srvr.
In the SearchDN box, copy and paste:
In the SearchFilter box, copy and paste:
(uid=%{session.logon.last.username})
Click Save.
LDAP Query item
Add a new item in the following location:
Click the Authentication tab, select the LDAP Query option, and then click Add Item.
From the Server list, select /Common/webauth_policy_aaa_srvr.
In the SearchDN box, copy and paste:
ou=Groups,dc=f5demo,dc=com
NOTE: Copy and paste the LDAP syntax from the exercise guide PDF.
In the SearchFilter box, copy and paste:
(uniqueMember=uid=%{session.logon.last.username},ou=People,dc=f5demo,dc=com)
From the Fetch Nested Groups list box, select Enabled.
Click the Branch Rules tab.
Click change.
Delete the first expression by clicking on the “x”.
Click Add Expression.
Change the branch Name to Passed query.
Click Save.
Click Apply Access Policy.
TASK 2 – Test Authentication and Verify Group Information
Verify that both authentication and authorization are taking place, and then examine the BIG-IP APM reports for AD group information.
Use a new tab to access https://access.vlab.f5demo.com.
Notice the updated logon page details.
When prompted, log in using the following credentials:
Domain username: corpuser
Password: password
In the Configuration Utility, open the Access Policy > Reports > View Reports page, and then click Run Report.
In the row for the most recent corpuser session, select the View Session Variables link.
Expand ldap > last > attr.
Question:
What is the dn value for this user account? _____________________________________
In the Webtop Web browser, click Logout, and then select click here to re-open your session.
Log in using the following credentials:
Domain username: remoteuser
Password: password
In the Configuration Utility, use the steps above to run the session report again.
In the row for the most recent remoteuser session, select the View Session Variables link.
Question:
What is the dn value for this user account? ___________________
In the Webtop Web browser, click Logout.
TASK 3 – Use Authorization for Resource Allocation
Use the group membership information from the previous task to provide different Webtops for corpuser and remoteuser.
In the Visual Policy Editor, click Resource Assign.
For the existing Expression, click change.
Click the Advanced tab.
In the text box, copy and paste:
expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=employees,ou=groups,dc=f5demo,dc=com" }
Notice the expression above contains cn=employees.
Click Finished.
Under Resource Assignment, click Add new entry.
For the new Expression, click change.
Click the Advanced tab, and in the text box, copy and paste:
expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=remote,ou=groups,dc=f5demo,dc=com" }
Notice the expression above contains cn=remote.
Click Finished.
Click Update.
You now have two expressions, one that will match the group information for remote users, and another that will match the group information for corporate users.
Click Save, and then click Apply Access Policy.
Test by logging into the Webtop as both corpuser and then as remoteuser.
Question:
What resources are available for corpuser? __________________________________
______________________________________________________________________
What resources are available for remoteuser? _________________________________
_______________________________________________________________________
Log out of the Webtop.
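The following is an added example, not part of the F5 lab guide: a small Python model of what the LDAP Query item (Task 1) and the group-based expressions in Resource Assign (Task 3) do with the session.ldap.last.attr.dn variable, so you can predict the answers before running the session report. The directory contents and the space-separated format of the multi-valued session variable are constructed assumptions for this illustration.

```python
# Added example (not the lab guide's or F5's code). Models the LDAP Query item's
# group lookup and the guide's Tcl branch-rule expression:
#   expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "<group dn>" }

PEOPLE_BASE = "ou=People,dc=f5demo,dc=com"   # user entries (from the SearchFilter)
GROUPS_BASE = "ou=Groups,dc=f5demo,dc=com"   # SearchDN of the LDAP Query item

# Constructed directory: group DN -> uniqueMember values. Mixed case on purpose,
# because real directories return DNs in whatever case they were created with.
GROUPS = {
    f"cn=Employees,{GROUPS_BASE}": [f"uid=corpuser,{PEOPLE_BASE}"],
    f"cn=Remote,{GROUPS_BASE}":    [f"uid=remoteuser,{PEOPLE_BASE}"],
}

# Expressions from Task 3 / Task 4, keyed by the branch or entry name.
RULES = [
    ("Remote users",    f"cn=remote,{GROUPS_BASE}".lower()),
    ("Corporate users", f"cn=employees,{GROUPS_BASE}".lower()),
]


def ldap_query_group_dns(username):
    """LDAP Query model: SearchFilter (uniqueMember=uid=<user>,ou=People,...)
    under ou=Groups. Returns the dn attribute as it would appear in
    session.ldap.last.attr.dn (assumed: space-separated if several match)."""
    member = f"uid={username},{PEOPLE_BASE}"
    return " ".join(dn for dn, members in GROUPS.items() if member in members)


def rule_matches(attr_dn, group_dn):
    """The guide's expression: fold the session variable to lower case, then
    substring-match. Without 'string tolower' cn=Employees would never match
    cn=employees, and the user would silently fall through to the fallback."""
    return group_dn in attr_dn.lower()


def assign_resources(username):
    """Resource Assign (Task 3): every entry whose expression matches assigns
    its resources, so a user in both groups would get both Webtops."""
    attr_dn = ldap_query_group_dns(username)
    return [name for name, dn in RULES if rule_matches(attr_dn, dn)]


def select_branch(username):
    """Branch rules (Task 4): first matching rule wins; no match means the
    fallback branch, which the guide ends with Deny."""
    attr_dn = ldap_query_group_dns(username)
    for name, dn in RULES:
        if rule_matches(attr_dn, dn):
            return name
    return "fallback"
```

A user in neither group ends on the fallback branch, which is why the guide has you change that ending to Deny.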
TASK 4 – Add Client Side Checks and Client Side Actions
Add client-side checks to ensure workstations have current antivirus software, and then add client-side actions to enforce cache and session control for the corporate user and a protected workspace for the remote user.
In the Visual Policy Editor, add a new item in the following location:
Click the Endpoint Security (Client-Side) tab, select the Antivirus option, and then click Add Item.
Edit the DB Age Not Older Than value to 60 days, and then click Save.
Create two branches out of the Full Resource Assign item.
Click Resource Assign.
Click the Branch Rules tab.
Name the new branch rule Remote users.
Click change, and then click the Advanced tab.
In the text box, copy and paste:
expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=remote,ou=groups,dc=f5demo,dc=com" }
Click Finished.
Click Add Branch Rule.
Name the new branch rule Corporate users.
Click change, and then click the Advanced tab.
In the text box, copy and paste:
expr { [string tolower [mcget {session.ldap.last.attr.dn}]] contains "cn=employees,ou=groups,dc=f5demo,dc=com" }
Click Finished.
Click Save.
Add client side actions
Add a new item in the following location:
Click the Endpoint Security (Client-Side) tab, select the Windows Cache and Session Control option, and then click Add Item.
From the Empty Recycle Bin list box, select Enabled.
From the Terminate session on User Inactivity list box, select 5 minutes, and then click Save.
Change the Windows Cache and Session Control Successful branch ending to Allow.
Add a new item in the following location:
Click the Endpoint Security (Client-Side) tab, select the Windows Protected Workspace option, and then click Add Item.
Accept all defaults and click Save.
Change the Windows Protected Workspace Successful branch ending to Allow.
Change the Resource Assign fallback branch ending to Deny.
Click Apply Access Policy.
TASK 5 – Test Network Access
Test network access to see how changes to the access policy affect the users’ experience.
In the Webtop Web browser, re-open your session and log in as corpuser.
If you are prompted to, add this site to your Trusted Sites list, and confirm all dialog boxes.
NOTE: This exercise requires that your workstation is running current antivirus software.
If you are prompted to, select to Always Allow Pop-ups from This Site.
Create an empty Notepad file named Trash.txt and save it to your desktop.
Move the Trash.txt file to the Recycle Bin.
In the Webtop Web browser, click Logout.
Open the Recycle Bin.
Question:
After several seconds, was the Recycle Bin emptied? _______________
Close the Recycle Bin.
In the Webtop Web browser, re-open your session and log in as remoteuser.
NOTE: This exercise requires a Windows workstation.
Question:
Was the user presented with the Protected Workspace? _______________
In the Webtop Web browser, click Logout.
Question:
Is the Important.txt file still available on your desktop? _______________
TASK 6 – Add Remediation for Non-Compliant Workstations
Add policy items that will give assistance for workstations that do not pass the antivirus check.
In the Visual Policy Editor, click Antivirus.
Change the Platform to Win.
Change the Vendor Id to ClamWin, and then click Save.
Add a new item in the following location:
Click the General Purpose tab, select the Message Box option, and then click Add Item.
From the Language list box, select en.
Edit the Message to Your workstation does not meet our corporate antivirus requirements, and then click Save.
Click Edit Endings.
Click Add Ending.
Name the new ending ClamWin, select the Redirect option, and in the Url box type http://www.clamwin.com.
Change the color of the new ending (select the color of your choice), and then click Update.
Click Save.
Change the Deny ending following the Message Box item to a ClamWin ending.
Click Apply Access Policy, and then close the Visual Policy Editor.
TASK 7 – Test Network Access
Test network access to see how changes to the access policy affect the users’ experience.
In the Webtop Web browser, re-open your session.
Notice the customized message to the user.
Select Click here to continue.
You can direct the user to any Web site that will enable them to update their workstation.
Close the Web browser.
Create an archive file bc_7.4_apm_vpn_security_v11.5.1.
In the VMware library, shut down the BIGIP_A_v11.5.1 image.
Create a VMware snapshot of the BIGIP_A_v11.5.1 image named BIGIP_APM.
Restore the BIGIP_A_v11.5.1 image using the BIGIP_A_clean_install snapshot.