Forum Discussion

AFM rule and AD groups

Piotr_Lewandows (Altostratus)
Apr 18, 2016
Hi,
I am trying to replicate Microsoft FTMG firewall functionality (found in other products working as forward proxy as well) to use AD group membership to allow or deny traffic.
In FTMG wh...
Stanislas_Piro2 (Cumulonimbus)
Apr 18, 2016

Hi,
I had a similar need for a customer, but with explicit authentication. The user role is stored in a table.
The user must authenticate to APM on a dedicated VS with the following iRule:
    # Runs on the APM authentication VS once the access policy has allowed the user.
    when ACCESS_ACL_ALLOWED {
        log local0. "requete de [IP::client_addr]"
        switch [HTTP::path] {
            "/status" {
                # Read the role stored for this client IP and the time left on the entry
                set value [table lookup -subtable IPAdmins [IP::client_addr]]
                set lifetime [table lifetime -subtable IPAdmins -remaining [IP::client_addr]]
                if {$lifetime < 1} {
                    ACCESS::respond 302 noserver Location "/disconnect"
                    # Stop here, otherwise the 200 below would also be sent
                    return
                }
                ACCESS::respond 200 content "
    Authenticated
    You are authenticated successfully :
    session time remaining : [clock format $lifetime -format {%H:%M:%S}]
    Your client IP : [IP::client_addr]
    Your authorization role : $value
    " noserver
            }
            "/disconnect" {
                # Drop the IP -> role entry, then end the APM session
                table delete -subtable IPAdmins [IP::client_addr]
                ACCESS::respond 302 noserver Location "/vdesk/hangup.php3"
            }
            default {
                # Store the user's AD/local DB groups keyed by client IP:
                # idle timeout 7200 s, absolute lifetime 43200 s
                table set -subtable IPAdmins [IP::client_addr] [ACCESS::session data get session.localdb.groups] 7200 43200
                ACCESS::respond 302 noserver Location "/status"
            }
        }
    }
Then, when trying to access protected resources, the AFM rule allows traffic with the following iRule (one per user role):
    # Attached to the AFM rule for the "Admins" role: only that role is let through,
    # any other value (or no entry at all for this IP) is dropped.
    when CLIENT_ACCEPTED {
        switch [table lookup -subtable IPAdmins [IP::client_addr]] {
            "Admins" {
                # Matching role: let the AFM rule allow the connection
            }
            "Deploy" {drop}
            "Exploit" {drop}
            "Infra" {drop}
            default {drop}
        }
    }
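To make the behaviour of the two iRules above easy to reason about offline, here is an added Python model (not F5 code and not from this thread) of the IPAdmins subtable with the same idle timeout and lifetime, and of the allow/drop decision the AFM-side rule takes; the class and function names, and the clock injection, are assumptions made for this example.

```python
import time

# From the iRule `table set ... 7200 43200`: idle timeout and absolute lifetime
IDLE_TIMEOUT = 7200
LIFETIME = 43200


class IPAdminsTable:
    """Constructed stand-in for the F5 `table` subtable IPAdmins (client IP ->
    APM group value): an entry is gone once it has been idle longer than its
    timeout or is older than its lifetime."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock for deterministic tests
        self._rows = {}      # ip -> [value, last_touch, created, timeout, lifetime]

    def set(self, ip, value, timeout=IDLE_TIMEOUT, lifetime=LIFETIME):
        now = self._clock()
        self._rows[ip] = [value, now, now, timeout, lifetime]

    def _live_row(self, ip):
        row = self._rows.get(ip)
        if row is None:
            return None
        now = self._clock()
        if now - row[1] >= row[3] or now - row[2] >= row[4]:
            del self._rows[ip]  # expired: treated as if it never existed
            return None
        return row

    def lookup(self, ip):
        """`table lookup`: return the value and, as on F5, touch the idle timer."""
        row = self._live_row(ip)
        if row is None:
            return None
        row[1] = self._clock()
        return row[0]

    def lifetime_remaining(self, ip):
        """`table lifetime -remaining`: seconds left before the absolute cap."""
        row = self._live_row(ip)
        return 0 if row is None else row[4] - (self._clock() - row[2])

    def delete(self, ip):
        self._rows.pop(ip, None)  # the /disconnect branch


def client_accepted(table, ip, allowed_role="Admins"):
    """AFM-side rule: one role passes, everything else (unknown or expired IP
    included) is dropped. The key is the source IP, so every host sharing that
    address (NAT, proxy) inherits the role; that is the design's main caveat."""
    return "allow" if table.lookup(ip) == allowed_role else "drop"
```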