Forum Discussion
APM Different Authentication level for different URI
Hi, I am trying to implement different authentication levels for our external web site. I am using web access management. I've configured the flow to authenticate with AD and then tried to add an iRule to check the authentication level of the user. This iRule checks if the URI needs a higher auth level:
when HTTP_REQUEST {
    set URI_VALIDATOR 0
    ACCESS::session data set session.custom.validuri 0

    # Is the requested URI listed in the "ProtectedURI" data group?
    if { [class match [string tolower [HTTP::uri]] equals "ProtectedURI"] } {
        set AUTH_LEVEL [ACCESS::session data get "session.custom.authlevel"]
        switch -- $AUTH_LEVEL {
            1 {
                # do something...
                ACCESS::enable
                set URI_VALIDATOR 1
                ACCESS::session data set session.custom.validuri 1
                log local0.notice " uri is protected and URI_VALIDATOR value is : $URI_VALIDATOR"
            }
            2 {
                # do something else...
                ACCESS::disable
                log local0.notice " uri is protected and URI_VALIDATOR value is : $URI_VALIDATOR"
            }
            default {
                # don't do anything...
            }
        }
        # close the switch
    } else {
        ACCESS::enable
        set URI_VALIDATOR 1
        ACCESS::session data set session.custom.validuri 1
        log local0.notice " uri is not protected and URI_VALIDATOR value is : $URI_VALIDATOR"
    }
}
It doesn't work and I don't know if the iRule is in the right place in the flow. Can anyone help with this scenario?
Thanks, Asher Hod
8 Replies
- Kevin_Davies_40
Nacreous
Not sure what you are trying to do here. If you want different paths in the VPE for different incoming URI then use Landing URI object. You cannot do anything further after the connection has passed auth and reached the Allow stage. Once it is allowed no ACCESS iRules will execute anymore.
- Asher_Hod_11473
Nimbostratus
Thanks Kevin. What I am trying to do is to apply WAM on our external web site. We have users in AD and they can do different activities according to their authentication level. For example, if they want to download content they need to authenticate with OTP or user + password; if they want to buy a device they need a higher authentication level, let's say user + password + credit card. Those activities are in different URLs. We are using CA SiteMinder to do those activities. Can APM do those activities? Is it the right product to choose? We need the product only for our external web site (public), not internal. We need it for authentication and authorization.
Thanks, Asher Hod
- Kevin_Davies_40
Nacreous
For the authentication levels, use an empty expression, then add branches. On each branch use string matching to detect which level of authentication they are getting back from AD. Then on each branch take the authentication steps you desire.
- Asher_Hod_11473
Nimbostratus
Thanks Kevin, I am not sure that I understand your answer. The different authentication levels for the different applications are not configured in the AD.
Thanks, Asher Hod
- Kevin_Davies_40
Nacreous
Ahh ok then. Where is this coming from?
ACCESS::session data get "session.custom.authlevel"
- Asher_Hod_11473
Nimbostratus
Hi Kevin, session.custom.authlevel is a custom session variable that I've created in a prior iRule. This is the iRule. I am working in a telecom company and get different requests from the cellular network and the public network.
when ACCESS_SESSION_STARTED {
    set user_ip [ACCESS::session data get "session.user.clientip"]
    # Requests from the cellular network arrive from 10.1.34.0/24
    if { [IP::addr $user_ip equals 10.1.34.0/24] } {
        log local0.notice "CELLULAR NETWORK"
        ACCESS::session remove
        ACCESS::session data set session.custom.WIFI 0
        ACCESS::session data set session.custom.authlevel 0
    } else {
        ACCESS::session data set session.custom.WIFI 1
        ACCESS::session data set session.custom.authlevel 0
        log local0.notice "WIFI NETWORK"
    }
}

when CLIENT_ACCEPTED {
    # Do not suppress iRule events for APM's own requests on this connection
    ACCESS::restrict_irule_events disable
}
Right after that iRule I want to check the session status and validate if the URL needs authentication and if the user is already authenticated at the right authentication level.
Thanks, Asher Hod
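A request-time gate for the per-URL levels described earlier in the thread (download = level 1, buy = level 2), reading the session.custom.authlevel variable that the iRule above sets. This is an added example, not code from the thread or from F5; the data group name required_auth_level, its prefixes and the level numbers are assumptions.

```tcl
# Added example (not from the thread). Assumes a string data group named
# required_auth_level (hypothetical) whose keys are lower-case URI prefixes and
# whose values are the minimum level needed, e.g.
#   "/download" := "1"   (user + password or OTP)
#   "/buy"      := "2"   (user + password + credit card)
# and that an earlier iRule stores the level the user has actually reached in
# session.custom.authlevel (0 = unauthenticated).
when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]

    # First matching prefix wins; paths not listed need no step-up.
    set required [class match -value $path starts_with required_auth_level]
    if { $required eq "" } {
        return
    }

    # Without an allowed APM session nothing has been proven yet.
    set have 0
    set sid [ACCESS::session sid]
    if { $sid ne "" && [ACCESS::session exists -state_allow $sid] } {
        set have [ACCESS::session data get "session.custom.authlevel"]
        # Treat a missing or non-numeric value as unauthenticated.
        if { ![string is integer -strict $have] } {
            set have 0
        }
    }

    if { $have < $required } {
        log local0.notice "step-up required for $path: have $have need $required"
        HTTP::respond 403 content "Stronger authentication required" \
            "Content-Type" "text/plain" "Cache-Control" "no-store"
        return
    }
    log local0.notice "$path allowed at level $have (need $required)"
}
```

The 403 is the conservative default; a deployment that has a step-up policy branch would redirect to it instead of denying.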
- Asher_Hod_11473
Nimbostratus
Thanks a lot. I will test it with my group. It really helped.
- Asher_Hod_11473
Nimbostratus
Hi Kevin, it's been a while since we talked and I assume that the new APM version came with new interesting features. Should we use your solution or can we use new features to implement what we need?
Thanks