Check on AD group to give access

Question

Hello,&nbsp;
&nbsp;I'm trying to make a Protected Configuration that checks if a user is a member of a certain Active Direcory Group, If they are member of that group it should show the resource.&nbsp;
&nbsp;Already tried to make a couple custom checks Based on the link below, but none of them seem to work.&nbsp;
&nbsp;http://devcentral.f5.com/wiki/default.aspx/FirePass/DynamicGroupSessionVariables.html&nbsp;
&nbsp;Made the custom check like this:
&nbsp;session.ldap.groupmapping.memberOf="Terminal Server Users"&nbsp;
&nbsp;I'm a member of that group in my active directory.&nbsp;
&nbsp;Is the above command correct or should i try a different one?&nbsp;
&nbsp;Thank you in advance.&nbsp;
&nbsp;Jeroen&nbsp;
&nbsp;--------------------------------------------------------------------------------------
&nbsp;Update:
&nbsp;Already found out i should be using session.ad.auth.memberof  instead.
&nbsp;I enabled the advanced logging for session variables and it tells me this:
&nbsp;Session Variable  %session.ad.auth.memberof%= ' CN=Terminal Server Users,OU=_Test,DC=DCC,DC=lan '&nbsp;
&nbsp;Made a custom check with :
&nbsp;session.ad.auth.memberof = "Terminal Server Users"
&nbsp;or
&nbsp;session.ad.auth.memberof = "CN=Terminal Server Users,OU=_Test,DC=DCC,DC=lan"&nbsp;
&nbsp;Both wont work.&nbsp;&nbsp;

fuzz_31058 · Answer

I don't think this will ever work as a "Pre-logon" check. The Firepass does not know who the user is until after they have passed the check. I could be miss understanding what you are trying to accomplish. It might be possible to do this with 6.0.1 though. What version are you currently running and can you give a better use case.

tbg_112407 · Answer

It is not a pre-logon check, it is a custom protected resource.&nbsp;
&nbsp;What i am trying to do is the folowing:&nbsp;
&nbsp;I got a certain resource i want to limit to users who are only member of a certain domain group.&nbsp;
&nbsp;So i have made a Protected configuration, with a custom check.
&nbsp;session.ad.auth.memberof = "Terminal Server Users" (this should check if a user is member of that group)&nbsp;
&nbsp;But it turns out the firepass only gives the first group it finds (alphabet order) and not all groups the user is member off.
&nbsp;And therefor im afraid its not possible

fuzz_31058 · Answer

Is it only a single resource? You could do this with the Dynamic Resource Group Mapping. Have you tried that it allows you to pick any AD group and assign it to a resource group. This could be done for multiple resource groups and AD groups. I think this will accomplish what you are looking for. Make sure you select the checkbox for dynamic resource group assignment on the master group. &nbsp;
&nbsp;HTH
&nbsp;Fuzz&nbsp;

Forum Discussion

Check on AD group to give access

Recent Discussions

ppp TunnelStats: LCP_UNKNOWN_OPTIONS 1,LCP_PROTO_REJ 1,FSM_UNEXPECTED_DOWN 1,

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

F5 looses the token for the first call

feature request: container egress service

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Access Troubleshooting: BIG-IP APM OIDC integration

Check a Virtual Server's SSL Status

Leaked Credential Check with Advanced WAF

Pwned Passwords Check

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS