Forum Discussion
APM IP Subnet Match - single IP list
Hello,
I am trying to figure out the best way to reference a single list of IPs in a few different access policies. Having this would allow me to maintain just one subnet match list, and when it is updated, all access policies using it would be using the new list.
I am using the IP subnet match to identify which machines are on our domain so I can route them to a 401 response and Kerberos auth.
I am running version 14.1.4.4.
Ideal options
- If there were a way to create a shared object list of IPs and then reference it in an access policy to make a branch decision, but that doesn't seem to be possible.
- Make an access policy decision based on which VLAN the request came from.
Other option
- I am aware I could do some sort of client-side check to determine if the machine is domain joined, but that seems to cause users more problems; I would rather keep it behind the scenes.
The only concept I can find to reference a list of IPs would be to use an iRule that references a data group list and then reference that iRule event in each of my access policies. However, I am not really sure how to do that and am not finding much helpful documentation on the process.
Here is what I tried, but it is not sending the ones that match down the correct branch.
Any help someone could provide would be greatly appreciated. Thank you!
when ACCESS_POLICY_AGENT_EVENT {
    if { [class match [IP::client_addr] equals kerberos_apm_subnet_match] } {
        switch [ACCESS::policy item_id] {
            "match"
I then did something like this in the access policy; however, it always matched, so my rule must be incorrect.
You can create a macro. In the macro, select the server-side security and IP subnet match for the user's range. Call that macro in the VPE.
For the other option of an iRule, you can use something like the below:
when ACCESS_POLICY_AGENT_EVENT {
    if { ([ACCESS::policy agent_id] eq "match") and (class match [IP::client_addr] equals kerberos_apm_subnet_match]) } {
        ACCESS::session data set session.custom.ip 0
    } else {
        ACCESS::session data set session.custom.ip 1
    }
}
The event ID should be "match" and the expression should be "expr { [mcget {session.custom.ip}] == 0 }" to match the user subnet.
- spalandeNacreous
- Nolan_JensenCirrostratus
SanjayP,
Wow, thank you very much; the iRule and iRule event are working on my first quick pass at testing. I am going to do more testing and will mark this as the answer once I am able to do so.
Thank you again for your help, I greatly appreciate it!
Note: for anyone else who comes across this, there is a minor code error in the iRule above, so here is the working one.
when ACCESS_POLICY_AGENT_EVENT {
    if { ([ACCESS::policy agent_id] eq "match") and [class match [IP::client_addr] equals kerberos_apm_subnet_match] } {
        ACCESS::session data set session.custom.ip 0
    } else {
        ACCESS::session data set session.custom.ip 1
    }
}
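As an added example (not code from the thread), here is the same data-group approach with the pieces a practitioner would want together: the shared data group created once and referenced from every policy, an iRule that only writes session.custom.ip for the agent whose ID is "match" so that any other iRule Event agent in the policy cannot overwrite it, and a log line to verify which branch a client took. The subnets, the log wording and the early return are assumptions, not from the original posts.

```tcl
# Shared data group of domain-joined client ranges (constructed example values).
# Created once with tmsh; every access policy's iRule reuses it, so updating
# the records updates all policies at once:
#   tmsh create ltm data-group internal kerberos_apm_subnet_match type ip \
#       records add { 10.20.0.0/16 { } 192.168.100.0/24 { } }
#
# iRule attached to each virtual server fronting an access policy that has an
# iRule Event agent with ID "match".
when ACCESS_POLICY_AGENT_EVENT {
    # Only handle the "match" agent. Without this guard, the else branch would
    # run for every other iRule Event agent in the policy and set ip=1 even
    # for clients that matched earlier.
    if { [ACCESS::policy agent_id] ne "match" } {
        return
    }
    if { [class match [IP::client_addr] equals kerberos_apm_subnet_match] } {
        ACCESS::session data set session.custom.ip 0
        log local0.info "APM subnet match: [IP::client_addr] in kerberos_apm_subnet_match, session.custom.ip=0"
    } else {
        ACCESS::session data set session.custom.ip 1
        log local0.info "APM subnet match: [IP::client_addr] not in kerberos_apm_subnet_match, session.custom.ip=1"
    }
}
# VPE branch rule on the "match" iRule Event agent (as in the answer above):
#   expr { [mcget {session.custom.ip}] == 0 }
```

The log lines appear in /var/log/ltm and let you confirm, per client address, that the data-group lookup and the VPE branch agree.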