Forum Discussion
APM SSLVPN - ACL assignment fails
Hi.
expr { [ mcget { session.saml.attr.groups } ] contains "Administrator" } is a possible solution we've considered. This would however imply that we create one step in the policy editor for each group/ACL combination, and there could be quite a few along the way. Thus, we would rather use an iRule (if possible) to solve this dynamically.
The AAD group IDs returned seem correct. We've bumped up the log level for this specific access policy to debug, and can also verify these contents from active APM sessions in the GUI, or using the CLI command 'sessiondump --allkeys'.
ACLs are static, yes. These are populated automatically through the API when needed - such as when a new Azure subscription with a corresponding IP pool is created.
Still, if you are not triggering the ACL events, it seems to me that the F5 APM thinks that there are no ACLs defined, as only then are the ACL events not triggered, so it is better to debug the APM policy as I suggested and to look at the APM reports:
https://community.f5.com/t5/technical-articles/http-event-order-access-policy-manager/ta-p/287898
Outside of that, you can check for ACL bugs in iHealth, the bug tracker, or the F5 release notes for your version for fixes and known issues:
https://support.f5.com/csp/bug-tracker?sf189923893=1