Forum Discussion
APM SSLVPN - ACL assignment fails
Hi Nikoolayy1, thanks for answering.
Logs - we've found the log locations, so that's covered. It's just that these two particular events never seem to trigger.
AAD Groups - not exactly synced, rather a list returned in the SAML response as an additional claim we've configured within the F5 AAD app - see image below.
Conditional Access - not sure if this can directly solve the issue at hand, but we'll look into that option.
Have you seen this post that suggests, for example, "expr { [ mcget { session.saml.attr.groups } ] contains "Administrator" }"?
https://community.f5.com/t5/technical-forum/saml-session-variable-and-attributes/td-p/212706?page=1
Also use the F5 APM logging or the Message Box agent to follow your traffic, so you know that you are matching the correct branch in the Visual Policy Editor and the correct groups where the ACL is attached. Maybe the event is never triggered because the ACL is never attached to user traffic, due to a wrong config or wrong AAD groups.
F5 APM reports that may help the investigation:
https://support.f5.com/csp/article/K09102347
https://support.f5.com/csp/article/K44555523
Also check the SAML if you think the correct groups are not being returned, as there could be issues if the groups are not Azure native (synced from the on-prem AD to Azure):
https://support.f5.com/csp/article/K51854802
Also, just as info: you are using a static ACL, not a dynamic ACL, right?
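Before changing the policy it helps to look at what the IdP actually sent. The script below is an added example for this thread, not F5 or Microsoft code, and it runs offline on a constructed SAML response. It pulls every value of the group attribute out of the assertion, checks whether the values are group names or the object IDs Azure AD emits by default (a name-based branch rule can never match a GUID), and contrasts the substring test the quoted `contains` branch rule performs with an exact membership test, because a loose match on "Administrator" would also send members of "Administrator-ReadOnly" down the privileged-ACL branch. The attribute name `groups`, the group names and the assumption that APM joins multi-valued attributes into one string (separator configurable below) are all assumptions of the example.

```python
"""Offline inspection of the group claim in a SAML response.

Added example, not F5 or Microsoft code. Parses a constructed SAML
assertion, extracts the multi-valued group attribute and compares a
substring check (what an APM 'contains' branch rule does) with an
exact membership check.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response. Attribute name, issuer and group names are
# made up for the example; a real response is signed and much longer.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>VPN-Users</saml:AttributeValue>
        <saml:AttributeValue>Administrator-ReadOnly</saml:AttributeValue>
        <saml:AttributeValue>Finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def extract_attribute(xml_text: str, attr_name: str) -> list[str]:
    """Return every AttributeValue of the named SAML attribute, in order."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            for val in attr.iterfind("saml:AttributeValue", NS):
                values.append((val.text or "").strip())
    return values


def looks_like_object_ids(values: list[str]) -> bool:
    """True when the claim carries GUIDs. Azure AD emits group object IDs
    by default, so a rule comparing against display names cannot match."""
    return bool(values) and all(GUID_RE.match(v) for v in values)


def contains_match(values: list[str], needle: str, sep: str = " ") -> bool:
    """Substring test over the joined attribute, like the 'contains' branch
    rule quoted in the thread. The separator APM uses when it flattens a
    multi-valued attribute is an assumption here; over-matching happens
    with any separator."""
    return needle in sep.join(values)


def exact_match(values: list[str], wanted: str) -> bool:
    """Membership test: only a value equal to the wanted group name matches."""
    return wanted in values


def check_claim(xml_text: str, attr_name: str, wanted: str) -> dict:
    """Summarise what a branch rule for `wanted` would do with this response."""
    values = extract_attribute(xml_text, attr_name)
    return {
        "values": values,
        "object_ids_only": looks_like_object_ids(values),
        "contains_would_match": contains_match(values, wanted),
        "exact_would_match": exact_match(values, wanted),
    }


if __name__ == "__main__":
    result = check_claim(SAMPLE_RESPONSE, "groups", "Administrator")
    for key, val in result.items():
        print(f"{key}: {val}")
```

Run against a real response (decode the base64 `SAMLResponse` form field first), the `values` line tells you whether the group you branch on is present at all, `object_ids_only` tells you whether the app registration is sending IDs rather than names, and a `contains_would_match` that is true while `exact_would_match` is false is the over-match case; in the policy the safer equivalent is to compare against the whole group value rather than a substring.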