Forum Discussion

Alen_Ismic_1869's avatar
Alen_Ismic_1869
Icon for Nimbostratus rankNimbostratus
Jun 30, 2015

APM - Using AD as AAA server

AD credentials in AAA server configuration was ok for aproximatly 3 months, after that, password is changed for that username on AD, but I never changed this password in configuration on BIG IP, but VPN users are still able to connect. Is there some place for caching this information, or?

 

aaa server
ad
BIG-IP Access Policy Manager (APM)
microsoft
security
vpn
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2015

    Are using AD query in the policy? For AD authentication it is not used.

     

  • Alen_Ismic_1869's avatar
    Alen_Ismic_1869
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2015

    Yes, I have AD Query: expr { [mcget {session.logon.last.username}] equals "someUser"}

     

    Policy is like this

     

    Logon page -> AD AUTH -> AD Query -> Seperate by users -> Resources by users

     

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2015

    If AD admin user/password is not configured APM will use the

     

    "APM uses the user account to fetch information. This works if the user account has sufficient privilege."(OLH)

     

    Not sure if this is happening here. If possible do restart of apd daemon to verify. "bigstart restart apd "

     

  • Seth_Cooper's avatar
    Seth_Cooper
    Icon for Employee rankEmployee
    Jun 30, 2015

    The AD admin credentials in the AAA object are only used for getting the password security information if you allow password change and for building the group cache. If you aren't using either of those then the AD Administrator is not needed.

     

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2015

    Just to add:

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/2.htmlunique_757404569

    In the Admin Name field, type a is case-sensitive name for an administrator who has Active Directory administrative permissions. 

    APM uses the information in the Admin Name and Admin Password fields for AD Query
    . If Active Directory is configured for anonymous queries, you do not need to provide an Admin Name. Otherwise, APM needs an account with sufficient privilege to bind to an Active Directory server, fetch user group information, and fetch Active Directory password policies to support password-related functionality. (APM must fetch password policies, for example, if you select the Prompt user to change password before expiration option in an AD Query action.) If you do not provide Admin account information in this configuration, APM uses the user account to fetch information. This works if the user account has sufficient privilege.