Forum Discussion
jornlux
Nimbostratus
NimbostratusAPM SSLVPN - ACL assignment fails
Hello folks, first post ! We have an SSLVPN configuration where we would like to use iRules to attach prebuilt ACLs to user sessions. The user's group memberships in Azure AD should determine wh...
jornluxNimbostratus
NimbostratusHi.
expr { [ mcget { session.saml.attr.groups } ] contains "Administrator" is a possible solution we've considered. This would however imply that we create one step in the policy editor for each group/ACL combination, and there could be quite a few along the way. Thus, we would rather use an iRule (if possible) to solve this dynamically.
The AAD group IDs returned seem correct. We've bumped up the log level for this specific access policy to debug, and can also verify these contents from active APM sessions in the GUI, or using the CLI command 'sessiondump --allkeys'.
ACLs are static, yes. These are populated automatically through the API when needed - such as when a new Azure subscription with a corresponding IP pool is created.
- Nikoolayy1
MVP
Still if you are not triggering the ACL events it seems to me that the F5 APM thinks that there are no ACL defined as only then the ACL events are not triggered, so better debug the APM policy as I suggested and to look at the apm reports:
https://community.f5.com/t5/technical-articles/http-event-order-access-policy-manager/ta-p/287898
Outside of that you can check for ACL bugs in ihealth or the bug tracker or the F5 release notes for your version for fixes and known issues:
https://support.f5.com/csp/bug-tracker?sf189923893=1
https://support.f5.com/csp/bug-tracker?sf189923893=1
