Configuring IF-MAP Session Export Policy on the Infranet Controller (NSM Procedure)

Session-export policies determine how users are identified on the IF-MAP server when their session is published through IF-MAP. The session-export policy sets the IF-MAP identity.

To configure a session-export policy:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure a session-export policy.
  3. Click the Configuration tab. In the configuration tree, select System > IF-MAP Federation > Session-Export Policies.
  4. Add or modify settings as specified in Table 34.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

You must create corresponding session-import policies so that IF-MAP client Infranet Controllers that are connected to an Infranet Enforcer in front of protected resources can collect IF-MAP data from the IF-MAP server.

Table 34: IF-MAP Session-Export Policy Configuration Details

Name
  Function: Specifies a unique name for the policy.
  Your Action: Enter a name for the policy.

Description
  Function: Describes the policy.
  Your Action: Enter a brief description for the policy.

Administrative Domain
  Function: Identifies the IP address, username, or MAC address data. In a large network environment with several domains, a username, an IP address, or a MAC address could be duplicated. By entering the domain, you ensure that the correct user is identified.
  Your Action: Type the administrative domain for the session-export policy. If you want different aspects of a user session to be exported with different administrative domains, create several export rules.

Roles
  Function: Determines the roles for which this policy should apply.
  Your Action: Select roles from the Non-members area and add the roles to the Members area.

Stop on match
  Function: Stops matching the roles when an IF-MAP client has successfully matched the roles selected for this policy to roles based on session-import policies configured on the target device.
  Your Action: Select this option to stop matching roles after a successful match is found.

Identity tab

Set IF-MAP Identity
  Function: Specifies the applicable identity.
  Your Action: Select this action and the identity options appear.
    • Identity—Enter the identity name. Identity is normally specified as <Name>, which assigns the user’s login name. Any combination of literal text and context variables may be specified.
    • Identity Type—Select the identity type. If you choose Other for Identity Type, enter a unique identity type in the text box.

Roles tab

Set IF-MAP Roles
  Function: Specifies the applicable roles.
  Your Action: Select this action and the following role options appear.
    • Copy matching roles—Select this option to copy all of the user roles that match the roles specified in the Roles section of this policy into the IF-MAP roles data.
    • Copy ALL roles—Select this option to copy all of the roles from the user session to the IF-MAP capabilities data.
    • Set roles specified below—Select this option to set the specified roles. The Roles option appears. From Roles, click New and enter a specified role.

Capabilities tab

Set IF-MAP Capabilities
  Function: Specifies the applicable roles.
  Your Action: Select this action and the following role options appear.
    • Copy matching roles—Select this option to copy all of the user roles that match the roles specified in the Roles section of this policy into the IF-MAP capabilities data.
    • Copy ALL roles—Select this option to copy all of the roles from the user session to the IF-MAP roles data.
    • Set capabilities specified below—Select this option to set the specified capabilities. The Capabilities option appears. From Capabilities, click New and enter a specified capability.

Device Attributes tab

Set IF-MAP Device Attributes
  Function: Specifies a passed Host Checker policy on the Infranet Controller or SA appliance.
  Your Action: Select this action and the following options appear.
    • Copy Host Checker policy names—Select this option to copy the name of each Host Checker policy that passed for the session to a device attribute.
    • Set device attributes specified below—Select this option to set the specified device attributes. The Device Attributes option appears. From Device Attributes, click New and enter a specified device attribute.
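
The following is an added example, not product code: a simplified Python model of how the Table 34 settings combine for one user session, showing why the administrative domain keeps a duplicated login name distinct and what Stop on match changes. The class and field names, the sample policies and domains, and the assumptions that policies are evaluated in list order and that Stop on match ends evaluation are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class ExportPolicy:
    """Hypothetical model of one session-export policy (fields follow Table 34)."""
    name: str
    admin_domain: str
    roles: frozenset                 # Roles > Members: sessions this policy applies to
    stop_on_match: bool = False
    identity: str = "<Name>"         # literal text and/or the <Name> variable
    identity_type: str = "username"
    role_action: str = "matching"    # "matching", "all" or "set"
    set_roles: tuple = ()
    copy_host_checker_names: bool = False

def export_session(login, session_roles, passed_hc, policies):
    """Return the IF-MAP records the modeled policies would publish for one session."""
    records = []
    for p in policies:               # assumption: evaluated in list order
        matched = set(session_roles) & p.roles
        if not matched:
            continue
        if p.role_action == "matching":
            roles = matched
        elif p.role_action == "all":
            roles = set(session_roles)
        else:
            roles = set(p.set_roles)
        records.append({
            "policy": p.name,
            # The domain is part of the identity, so equal names in two domains stay distinct.
            "identity": (p.identity.replace("<Name>", login), p.identity_type, p.admin_domain),
            "roles": sorted(roles),
            "device_attributes": list(passed_hc) if p.copy_host_checker_names else [],
        })
        if p.stop_on_match:          # assumption: no later policy is evaluated
            break
    return records

# Constructed sample policies; names and domains are placeholders.
POLICIES = [
    ExportPolicy("emp-export", "corp.example", frozenset({"Employee"}),
                 stop_on_match=True, copy_host_checker_names=True),
    ExportPolicy("ctr-export", "partners.example", frozenset({"Contractor"}),
                 role_action="set", set_roles=("Guest-Net",)),
]

if __name__ == "__main__":
    for rec in export_session("jsmith", {"Employee", "Contractor"}, ["AV-Check"], POLICIES):
        print(rec)
```

In this model, a session holding both roles is published only under corp.example because the first policy has Stop on match set; clearing that option would publish a second record under partners.example.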
