Advanced Rules have been added to allow for extending an existing authentication policy.
Both Pre-Authentication and Post-Authentication rules can be applied, although the following configurations are not supported by Post-Authentication Rules:

- Two or more resources front-ended by the same OHS/WebGate and protected by the same Authentication Scheme.
- A Post-Authentication rule configured for one of the resources defined in step-up authentication.
- A user accesses a resource for which no Post-Authentication rule is configured, followed by a resource for which a Post-Authentication rule is configured for step-up authentication. In this case, the Post-Authentication rule configured for the resource is not effective.
Note: Advanced Rules are part of the Adaptive Authentication Service, for which a license is required. See About Adaptive Authentication Service.
Advanced Rules contain Boolean expressions. If more than one outcome is triggered for an Authentication Scheme, the outcome with the lowest execution order is chosen as the final outcome. Table 22-24 documents the attributes that need to be defined when creating an Advanced Rule.
Table 22-24 Advanced Rules Attributes

| Name | Description |
|---|---|
| Name | AuthnRule name. The name has to be unique within the checkpoint. |
| Description | Description of the rule. |
| Execution Order | Order in which the outcome will be executed in cases of more than one outcome. |
| Condition | Script; the user can configure a condition based on the HTTP request header's availability and set the desired outcome. |
| Outcome | ID of the Authentication Scheme to which the rule applies, or Access / Deny. Note: If the Deny Access option is selected, an error message, "The requested URL was not found", is displayed. |
See the following sections for details.

Configure Advanced Rules for the following use cases:
- Non Browser Client - For user authentication, a form-based login page is presented through the browser for the user to complete. In some cases, a non-browser client (switches, routers and the like) might need to do basic authentication based on credentials passed via the request header. Non-browser client authentication can be configured as a pre-authentication Advanced Rule only. To support non-browser client authentication, configure the desired condition in an Authentication Rule (based on the HTTP request header's availability) and set the desired outcome.
- Windows Native Authentication Option - An Advanced Rule can be configured to allow for switching between Windows Native Authentication (WNA) and form-based user authentication depending on whether the user comes through a VPN or the corporate network.
- User Authentication Scheme Option - An Advanced Rule can be configured to allow the user to choose the method of authentication. The choice is passed as a request parameter.
- Second Factor Authentication - An Advanced Rule can be configured to allow for Second Factor Authentication (SFA) based on defined user or request attributes. For details on SFA, see Introducing the Adaptive Authentication Service.
Table 22-25 contains examples of how the conditions might be configured in these Advanced Rules use cases.
Table 22-25 Sample Advanced Rules

| Sample Rule | Sample Jython Script-based Condition | Notes |
|---|---|---|
| Switching authentication scheme based on private or public IP rule | `location.clientIP.startswith('10.') or location.clientIP.startswith('172.16') or location.clientIP.startswith('192.168')` | This rule can be used in Pre and Post authentication checkpoints |
| Black listed IP | `location.clientIP in ['130.35.50.115', '130.35.50.112', '130.35.50.113']` | This rule can be used in Pre and Post authentication checkpoints |
| Client Browser Type | `request.userAgent.lower().find('firefox') > 0` | This rule can be used in Pre and Post authentication checkpoints |
| Blocking access to a user whose user attribute 'description' equals 'test' | `user.userMap['description'] == 'test'` | This rule can be used only in Post authentication checkpoints |
| Non browser client | `request.authorization.lower().startswith('basic')` | This rule can be used only in Pre authentication checkpoints |
| Custom HTTP Header value | `request.requestMap['param'] == 'test'` | This rule can be used in Pre and Post authentication checkpoints |
| Switching authentication scheme based on IP address in range | `location.isIPinRange('192.35.50.180','192.35.50.188')` | This rule can be used in Pre and Post authentication checkpoints |
Before executing the Authentication Condition, the Access Manager server prepares a request context from the available data; the Boolean-expression condition is evaluated against this context.

The following tables describe the context data available to a condition.
Table 22-26 Request Context Data

| Attribute Name | Description |
|---|---|
| requestMap | Map of all the request headers, parameters and post data values. This example gets the custom-header key from the request header and compares it with the value 'test': `request.requestMap['custom-header'].lower().find('test') > 0` |
| resourceMap | Map of matched resource details |
| accept | Returns 'Accept' header value |
| acceptCharset | Returns 'Accept-Charset' header value |
| acceptEncoding | Returns 'Accept-Encoding' header value |
| acceptLanguage | Returns 'Accept-Language' header value |
| authorization | Returns 'Authorization' header value |
| connection | Returns 'Connection' header value |
| contentLength | Returns 'ContentLength' header value |
| cookie | Returns 'Cookie' header value |
| host | Returns 'Host' header value |
| ifModifiedSince | Returns 'ifModifiedSince' header value |
| pragma | Returns 'Pragma' header value |
| referer | Returns 'Referer' header value |
| userAgent | Returns 'UserAgent' header value |
| resourceHost | Returns matched Resource's Host value |
| resourcePost | Returns matched Resource's Port value |
| resourceOperation | Returns matched Resource's Operation value |
| resourceQueryString | Returns matched Resource's QueryString |
| resourceName | Returns matched Resource's name |
| resourceType | Returns matched Resource's Type |
| resourceURL | Returns matched Resource's URL; for example, the condition `'landingPage' in request.resourceURL` evaluates to true if the resource URL contains landingPage. |
| isIPinRange('start IP', 'end IP') | Evaluates to true if location.clientIP is in the specified range. Example: `location.isIPinRange('192.35.50.180','192.35.50.188')` |
Table 22-27 Location Context Data

| Attribute Name | Description |
|---|---|
| locationMap | Map of all the location data values; for example: `location.locationMap['CLIENT_IP'] == '10.1.23.4'` |
| clientIP | Returns client IP address; for example: `location.clientIP.startswith('10.2')` |
| proxyIP | Returns Proxy IP address |
Table 22-28 Session Context Data

| Attribute Name | Description |
|---|---|
| sessionMap | Map of all the session data values; for example: `session.sessionMap['count'] > 2` |
| count | Returns number of sessions for the current user; for example: `session.count > 2` |
Table 22-29 User Context Data

| Attribute Name | Description |
|---|---|
| userMap | Map of all the user profile data; for example: `user.userMap['email'] == 'john.joe@example.com'` |
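The rule evaluation this page describes, run offline against a constructed request context, as an added example that is not Oracle's code: the `Request`, `Location` and `User` classes expose the attribute names from Tables 22-26, 22-27 and 22-29, the `RULES` list reuses conditions from Table 22-25 with constructed execution orders and outcome names, and `evaluate()` applies the lowest-execution-order rule when several conditions are true.

```python
# Added example, not Oracle's code: a minimal offline stand-in for the Access
# Manager request context so the Jython conditions from Table 22-25 can be
# exercised. Attribute names follow Tables 22-26, 22-27 and 22-29; the classes,
# the evaluate() helper and the rule/outcome data are constructed for illustration.
import ipaddress

class Request:
    def __init__(self, headers, params=None, resource_url=''):
        # requestMap merges request headers and parameters, as Table 22-26 describes
        self.requestMap = dict(headers, **(params or {}))
        self.authorization = headers.get('Authorization', '')
        self.userAgent = headers.get('User-Agent', '')
        self.resourceURL = resource_url

class Location:
    def __init__(self, client_ip):
        self.clientIP = client_ip
        self.locationMap = {'CLIENT_IP': client_ip}

    def isIPinRange(self, start, end):
        # inclusive range check, mirroring isIPinRange('start IP', 'end IP')
        ip = ipaddress.ip_address(self.clientIP)
        return ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end)

class User:
    def __init__(self, attrs):
        self.userMap = dict(attrs)

# Constructed rules: (name, execution order, Jython condition, outcome).
RULES = [
    ('Non browser client', 1,
     "request.authorization.lower().startswith('basic')", 'BasicScheme'),
    ('Private IP', 2,
     "location.clientIP.startswith('10.') or location.clientIP.startswith('172.16')"
     " or location.clientIP.startswith('192.168')", 'WNAScheme'),
    ('IP in range', 3,
     "location.isIPinRange('192.35.50.180','192.35.50.188')", 'StepUpScheme'),
    ('Test account', 4, "user.userMap['description'] == 'test'", 'Deny'),
]

def evaluate(rules, request, location, user):
    """Return the outcome of the triggered rule with the lowest execution order,
    or None when no condition is true. Conditions are administrator-authored
    rule text (trusted configuration), evaluated here with builtins disabled."""
    ctx = {'request': request, 'location': location, 'user': user}
    fired = [(order, outcome) for _, order, cond, outcome in rules
             if eval(cond, {'__builtins__': {}}, ctx)]
    return min(fired)[1] if fired else None
```

In this stand-in, `user.userMap['description']` raises `KeyError` for a user without that attribute, so check how the real context handles missing attributes before relying on such a condition.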