Forum Discussion

EvgeniV_116522's avatar
EvgeniV_116522
Icon for Nimbostratus rankNimbostratus
Feb 12, 2017

Different Logon Pages depending on REQUEST uri in Access Policy

I have no experience with APM and TCL. I just try to build simple policy using Visual Policy Editor for training. The goal is to get HTTP::uri (from the REQUEST) and analize it: if uri contains the word "softtoken" then go to one Logon Page, if not - use another Logon Page. I use some example of iRule to get the uri (found at F5 site). Since I just learning and I'm not so sure what happens, I add message box in every branch after iRule Event item.

 

Below The iRule that I use:

 

The Policy is here:

 

NOTHING works as I expected.:) Firstly, I do not get no one of Message Box screens that I customized. I always get default Message Box ("Please click the link below to continue"), so I cannot determine what branch was choosed. Then I get standard default Logon page, not one of mine. When I press on "Preview" at Customization:General than I can find my Message Boxes and Logon Pages configured as I wanted. But APM does not call them when authentication process executed.

 

Any help and explanation will be appretiated

 

application delivery
BIG-IP Access Policy Manager (APM)
iRules
security
  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Icon for MVP rankMVP
    Feb 12, 2017

    First of all, I always find it useful to log debug logging to the /var/log/ltm file. For example I would put a line like this in each irule event:

    log local0. "DEBUG: HTTP_REQUEST"

    This helps to see if your irule is actually doing something.

    Second, I think you don't need to trigger an iRule event from the access policy. You could use an 'Empty Action' and use the following condition:

    expr { [HTTP::uri] contains "softtoken" }
    • ZANOOB's avatar
      ZANOOB
      Icon for Cirrus rankCirrus
      Dec 08, 2023

      Hello Neils,

      I am trying to use the Empty Action with the condition as mentioned below

      expr { [HTTP::host] equals"sp.example.com"} and 2 other urls , somehow that does not work.

      Is that the correct experssion to match urls?

      I have three urls pointing to same virtual server, hence creating a visual ediot to specify the urls to match to foward it to a specifc SMAL authtication.

       

  • ZANOOB's avatar
    ZANOOB
    Icon for Cirrus rankCirrus
    Dec 08, 2023

    The apm logs shows that Following rule 'fallback' from item 'Start' to item 'URL Selection'
    Rule evaluation failed with error: invalid command name "HTTP::host"
    Rule evaluation failed with error: invalid command name "HTTP::host"
    Rule evaluation failed with error: invalid command name "HTTP::host"
    Following rule 'fallback' from item 'URL Selection' to ending 'Deny'

    Looks like HTTP::host is invalied to use in tcl expression.