Forum Discussion

M_Petr's avatar
M_Petr
Icon for Altostratus rankAltostratus
Sep 05, 2019

AD MemberOF

Hi everyone, Please answer me a question and explain:   Is it possible to change to what URL it is forwarding on request to f5 depending on the user's membership in the AD group?   Thanks!
BIG-IP Access Policy Manager (APM)
security
  • Dave_W's avatar
    Dave_W
    Sep 09, 2019

    Hello, if the AD auth or AD query fails the session variable for memberOf will not be populated. In the AAA server object do you have an Administrator account configured? Are you sure the credentials for the user (or admin account in the AAA configuration) are correct?

youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus

Hi Petr,

 

Yes you can do It using APM following this steps:

 

You have to create a policy per session policy and of course a per request session in order to check each request (URI).

The per request policy let your analyse every user request...

 

Let me know if you need more details.

regards

M_Petr's avatar
M_Petr
Icon for Altostratus rankAltostratus
Sep 09, 2019

Hi, I have a problem.

When I add :

  • Logon page
  • AD auth

It's OK! Authentication is successed.

But if I add

  • Logon page
  • AD auth
  • AD query with (expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=GroupPod1" })

I get a message -

"AD module: query with '(sAMAccountName=userpod1)' failed: Preauthentication failed, principal name: ldap_user@CORP.AVALIS.CO.UA. Invalid user credentials. (-1765328360)"

And I dont see {session.ad.last.attr.memberOf} in the REPORTS.

 

What do you think?

Thanks!