For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

NiHo_202842's avatar
NiHo_202842
Icon for Cirrostratus rankCirrostratus
Jun 30, 2015
Solved

Cannot get domain in iRule after APM logon page

Hi all.

I'm trying to get the domain forest out of the user logon. I enabled 'split domain' on the APM logon page, added a None-type domain field with domain session variable but 

session.logon.last.domain
keeps returning nothing.

Point is currently we only match the username as you can see. But we don't xx-D/user to authenticate in favour of AVI-DC/user. We only configured one AD server, but I believe this one will forward the authentication to others.

Any suggestions?

(as always, irule pasting here is horrible.) irule: http://pastie.org/private/poewrrnepgbylxih7wyvsw

application delivery
BIG-IP Access Policy Manager (APM)
design
devops
iRules
LTM
security
  • kunjan_118660's avatar
    kunjan_118660
    Jun 30, 2015

    Don't really get the iRule used here.

    If you enable split domain, basically the logon agent will break the logon.last.logonname to logon.last.username and logon.last.domain. So user might enter the logonname like 

    user@mydomain.loc
    or 
    mydomain.loc\user

8 Replies

  • kunjan_118660's avatar
    kunjan_118660
    Icon for Cumulonimbus rankCumulonimbus
    Jun 30, 2015

    Don't really get the iRule used here.

    If you enable split domain, basically the logon agent will break the logon.last.logonname to logon.last.username and logon.last.domain. So user might enter the logonname like 

    user@mydomain.loc
    or 
    mydomain.loc\user

    • NiHo_202842's avatar
      NiHo_202842
      Icon for Cirrostratus rankCirrostratus
      Jun 30, 2015
      The irule is used to check the username against a data group for whitelisting purposes on top of AD authentication that is done by APM. Logging shows that logon.last.domain is empty.
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2015

    Don't really get the iRule used here.

    If you enable split domain, basically the logon agent will break the logon.last.logonname to logon.last.username and logon.last.domain. So user might enter the logonname like 

    user@mydomain.loc
    or 
    mydomain.loc\user

    • NiHo_202842's avatar
      NiHo_202842
      Icon for Cirrostratus rankCirrostratus
      Jun 30, 2015
      The irule is used to check the username against a data group for whitelisting purposes on top of AD authentication that is done by APM. Logging shows that logon.last.domain is empty.
  • kunjan_118660's avatar
    kunjan_118660
    Icon for Cumulonimbus rankCumulonimbus
    Jun 30, 2015

    1) How the logonname is entered, the format ?

     

    2) Can you do a sessiondump to verify?

     

    3) which version are you having ? Tested working in 11.6

     

    • NiHo_202842's avatar
      NiHo_202842
      Icon for Cirrostratus rankCirrostratus
      Jun 30, 2015
      It seems it does work if we explicitly ask domain\ in the username. Thanks for the effort tough!
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2015

    1) How the logonname is entered, the format ?

     

    2) Can you do a sessiondump to verify?

     

    3) which version are you having ? Tested working in 11.6

     

    • NiHo_202842's avatar
      NiHo_202842
      Icon for Cirrostratus rankCirrostratus
      Jun 30, 2015
      It seems it does work if we explicitly ask domain\ in the username. Thanks for the effort tough!