Forum Discussion
jornlux
Nimbostratus
NimbostratusAPM SSLVPN - ACL assignment fails
Hello folks, first post ! We have an SSLVPN configuration where we would like to use iRules to attach prebuilt ACLs to user sessions. The user's group memberships in Azure AD should determine wh...
Nikoolayy1
MVP
MVPHello, You have to look at the /var/log/ltm for the logs as local0 saves to the ltm logs and local1 is for APM:
https://support.f5.com/csp/article/K13317
Also how do you sync the Azure AD groups to the F5 device as the Azure SAML does not allow groups to be shared and either the Azure AD LDAP extra feature needs to be used or the F5 needs to connect to an on-prem AD directory with Kerberos / LDAP etc?
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ldap
You can also use the microsoft Azure AD conditional access policies with F5 APM as this a great F5 feature and intergation with Azure AD and the conditional access policies can be attached to groups:
https://www.f5.com/company/blog/zero-trust-azure-active-directory-access-big-ip-apm
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Other vendors have a SCIM connector app in Azure AD to sync the Azure AD info to their systems but this is usually for cloud services and maybe F5 will add this to silverline or volterra in the future https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim
jornluxNimbostratus
NimbostratusHi Nikoolayy1 , thanks for answering.
Logs - we've found the log locations, so that's covered. It's just that these two particular events never seem to trigger.
AAD Groups - not exactly synced, rather a list returned in the SAML response as an additional claim we've configured within the F5 AAD app - see image below.
Conditional Access - not sure if this can directly solve the issue at hand, but we'll look into that option.
- Nikoolayy1
Have you seen this post that suggests for example "expr { [ mcget { session.saml.attr.groups } ] contains "Administrator" }"
https://community.f5.com/t5/technical-forum/saml-session-variable-and-attributes/td-p/212706?page=1
Also use the F5 APM Logging or Message box to follow your traffic to know that you are matching the correct branch in the visual policy editor and the correct groups where the ACL is attached as maybe the event is never triggered as the ACL never is attached to user traffic because wrong config or AAD groups.
F5 APM reports that may help the investigation:
https://support.f5.com/csp/article/K09102347
https://support.f5.com/csp/article/K44555523
Also check the SAML if you think that not the correct groups are returned as if the groups are not Azure native there could be issues (synced from the on prem AD to Azure):
https://support.f5.com/csp/article/K51854802
Also just as info you are using static ACL not dynamic ACL right?