Forum Discussion
APM resource assignment
Hi,
I am having an issue assigning resources dynamically ... based on Dynamic AD group ....
After successful authentication...I have the following policy...
AD Query (with fetch nested group settings) > Adv Resour Assign (CN=ABC,OU=DEF,OU=GHI,OU=JKL,DC=Mydomain,DC=local) and then I assign some resources like webtop and VPN, RDP session etc...
But the user, after successful authentication, is not getting any resources ... the browser falls back to (Internet Explorer cannot display the webpage) and I see the following messages in the APM report.
2014-03-03 18:02:50 Received User-Agent header: Mozilla%2f5.0%20(compatible%3b%20MSIE%209.0%3b%20Windows%20NT%206.1%3b%20Trident%2f5.0).
2014-03-03 18:02:50 Received client info - Type: IE Version: 9 Platform: Win7 CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0
2014-03-03 18:02:50 New session from client IP 192.168.60.100 (ST=/CC=/C=) at VIP 192.168.60.10 Listener /Common/customer_access_policy (Reputation=Unknown)
2014-03-03 18:03:10 Username 'david'
2014-03-03 18:03:11 Following rule 'fallback' from item 'Advanced Resource Assign' to ending 'Allow'
2014-03-03 18:03:11 Access policy result: LTM+APM_Mode
Is there anything that I am missing here?
Kind Regards, WUM
13 Replies
- Matt_Dierick
Employee
Hi WUM,
Did you try to assign the resource without any filter? Just to be sure your resources are OK?
If yes, show us your configuration in Adv resource assign. I suppose to check session variables (in order to find the right group) ??
- WUM_113639
Nimbostratus
Hi Matthieu,
Thanks for the reply!
The adv resource assignment without AD expression(s) works very much fine...
- WUM_113639
Nimbostratus
I had just made changes in the above screenshots...have reverted them back in this one...OU instead of CN....
Results are same... as described in my first post.
- Matt_Dierick
Employee
OK, that means the issue is in the Expression.
In your VPE, after AD auth, do you do an AD Query in order to gather Group information from the user?
If yes, after AD Query, put a message box for debugging. Actually, when you are authenticated, you stop on the message box. Go back to your APM configuration and check logs and session variables. Have a look at the AD group session variables and check with your expression.
What is the BIGIP release ?
- WUM_113639
Nimbostratus
The version is 11.5.0
I will put the debug message box after AD Query and then revert ASAP.
I have ...
Logon > Variable > AD Server > Variable > Token Server > AD Query > Adv Res Ass > Allow....
- WUM_113639
Nimbostratus
I have checked everything, the user's session flows through all the objects...mentioned in last reply.
- WUM_113639
Nimbostratus
session.ad.last.queryresult is 1
- WUM_113639
Nimbostratus
Can we import the groups from AD in version 11.5.0?
There are so many groups that I have to create, but all those groups are already present in the AD. Can I somehow import all those groups from AD into APM and then configure the resources in their given resource groups?
- WUM_113639
Nimbostratus
Yes, I see all these AD attributes for clients...
I also got the AD Groups populated in the VPE...but they do not show up in the Access Policy > AAA Server > (AD_SERVER) > Groups tab
- Matt_Dierick
Employee
Me too. Cosmetic bug, I think. So now, you can select all the groups in your VPE.
- Steven_Van_Gys1
Nimbostratus
Hi, I've a similar problem. But in the report I don't have the user attributes. So the AD group resource assignment is failing. Any clues, as this looks like a real simplification of the assignment of resources depending on the AD group.
- together_183451
Nimbostratus
Hi,
I have tried all the above steps but failed.
I am able to pass AD auth, but failed AD query.
To make sure my AD query is right I have fetched the result from the dsquery command, still no success.
I am running 11.5.0 code. It seems that the f5 solution with AD query doesn't work.