For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Rob_Stonham's avatar
Rob_Stonham
Icon for Cirrus rankCirrus
Jan 23, 2017

Active Directory Logon Hours and APM session timeout

Hi,   Not really a question but documenting here incase anyone else wants to reuse this code.   I was asked to create a VPN connection on our F5 that would only allow access during a users normal...
application delivery
BIG-IP Access Policy Manager (APM)
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Jan 23, 2017

Hi,

 

Thanks for sharing. I did not know that AD attribute exists.

 

When I read your code, I thought it is complicated for a simple need.

 

I think this code is a quite simpler (not tested with AD)

 

set maximumSessionSeconds 604800
if {[set logonHours [mcget {session.ad.last.attr.logonHours}]] != ""} {
    convert string to binary string
    set logon_hours_binary_string "";
    for { set a 0} {$a < 21} {incr a} {
    binary scan [binary format H2 [string range $logonHours [expr {$a*2}] [expr {($a+1)*2 -1}]]] B8 hex2bin;
    append logon_hours_binary_string [string reverse $hex2bin];
    }
    unset hex2bin;
     evaluate the number of seconds from last sunday
    set time_from_sunday [expr {[clock seconds] - [clock scan "last sunday"]}];
     search in string next hours with 0 value
    set current_index [expr {$time_from_sunday / 3600}];
     convert the index to number of seconds from last sunday
    if { ([set next_denied_index [string first 0 $logon_hours_binary_string$logon_hours_binary_string $current_index]] == -1) || ($next_denied_index > [expr {168 + $current_index}]) } { set next_denied_index [expr {168 + $current_index}] };
     evaluate number on seconds to disconnect time
    return [expr { $next_denied_index*3600 - $time_from_sunday}]
} else {
       return $maximumSessionSeconds
}