APM - SSL VPN Client Side check based on pre-defined list of MAC ADDRESSES
Hello there. I am configuring an SSL VPN policy where I need to filter users connecting based on their MAC addresses.
When creating my policy, I chose the client-side check Machine Info, but I can't see any info related to the client MAC address.
Can someone please provide the steps needed to create a list of allowed MAC addresses? From my readings, I think I should create a data group, but I'm not sure about the type I need to create, and what info to fill in it (String, Value).
Do I need to create any iRule for that? Or could I add the check directly on the Machine Info check in the VPE?
If so, how do I add the check to match the collected client MAC address with the pre-defined list?
Thanks, Regards,
5 Replies
- kunjan
Nimbostratus
1) You can create a DG with string.
    ltm data-group internal macDG {
        records {
            00:50:56:B3:7B:4E { }
        }
        type string
    }
2) Create an ACCESS_POLICY_AGENT_EVENT iRule
    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "chkmac" } {
            set mac [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[0\].mac_address" ]
            if { [class match $mac equals macDG } {
                ACCESS::session data set "session.logon.custom.chkmac" 1
            } else {
                ACCESS::session data set "session.logon.custom.chkmac" 0
            }
        }
3) Create VPE with iRule event with ID "chkmac"
4) Verify the session.logon.custom.chkmac in the VPE
    apm policy policy-item /Common/ap_maccheck_act_empty {
        caption chkmac
        color 1
        item-type action
        rules {
            {
                caption "MacVerified"
                expression "expr { [mcget {session.logon.custom.chkmac}] == 1 }"
                next-item ....
            }
            {
                caption fallback
                next-item ...
            }
        }
    }
- Jorjjj
Nimbostratus
Hello there, thanks for your answer.
I am having some errors while applying the iRule.
I added the data group as follows:
And here is how my policy looks. Where should I add the last part, (4) Verify the session.logon.custom.chkmac in the VPE?
Thanks, Regards, Georges
- kunjan
Nimbostratus
You can add (4) after the chkmac_iRule_Event
Try this, there was a typo earlier
    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "chkmac" } {
            # First adapter reported by the Machine Info check
            set mac [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[0\].mac_address" ]
            # Exact match against the string data group macDG
            if { [class match $mac equals macDG] } {
                ACCESS::session data set "session.logon.custom.chkmac" 1
            } else {
                ACCESS::session data set "session.logon.custom.chkmac" 0
            }
        }
    }
- Jorjjj
Nimbostratus
Hello, the iRule was saved properly, thanks!
One last question: how should I add (4) after the iRule? Should it be a branch rule within the iRule box, or a separate function/box to be added? If so, what type should it be?
Thanks, Regards,
- kunjan
Nimbostratus
You can do the following
1) Insert 'Empty' empty action
2) Go to 'Add branch rule' (change -> Advanced ->)
    expr { [mcget {session.logon.custom.chkmac}] == 1 }
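Added example, not part of the thread and not F5's own code: a variant of the corrected iRule above that checks every adapter reported by the Machine Info check instead of only index 0, and normalises case and separators before the data-group lookup. It assumes the `session.machine_info.last.net_adapter.count` session variable is populated and that `macDG` holds upper-case, colon-separated entries as in the thread; `session.logon.custom.chkmac_matched` is a hypothetical name introduced here.

```tcl
# Added example (not from the thread). Assumptions: data group "macDG"
# stores upper-case, colon-separated MACs, and the Machine Info check has
# populated session.machine_info.last.net_adapter.count.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "chkmac" } {
        # Fail closed: the branch rule passes only when this ends up as 1.
        set verified 0

        set count [ACCESS::session data get "session.machine_info.last.net_adapter.count"]
        if { ![string is integer -strict $count] } {
            set count 0
        }

        for { set i 0 } { $i < $count } { incr i } {
            set mac [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[$i\].mac_address"]
            # Normalise to the data group's form: upper case, ':' separators.
            set mac [string toupper [string map { - : } [string trim $mac]]]
            if { $mac eq "" } {
                continue
            }
            if { [class match $mac equals macDG] } {
                set verified 1
                # Hypothetical variable: records which adapter matched, for audit.
                ACCESS::session data set "session.logon.custom.chkmac_matched" $mac
                break
            }
        }

        ACCESS::session data set "session.logon.custom.chkmac" $verified
        if { !$verified } {
            log local0. "chkmac: no reported adapter MAC found in macDG"
        }
    }
}
```

The branch rule from step (4) works unchanged with this variant. The MAC address is reported by the client, so a match is best used as one signal alongside user authentication rather than as proof of device identity.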