Forum Discussion
Mike_Ho
Cirrus
Sep 02, 2008
Dynamic group mapping via LDAP groups AND URI landings
I want to offer several service levels on my Firepass. In fact I do currently but each to different audiences. I currently define levels of service with Master Groups linked to the specific resource...
mal_57091
Nimbostratus
Sep 03, 2008
Hey Mike,
I think the solution you have is the only one to use. Please let me explain... you absolutely need to use Dynamic Master Group mapping based on Landing URI (as the Mapping Method) so you can say if anyone goes to /vpn then go to Master Group A, anyone who goes to /ssl go to Master Group B and so forth.
The problem you have is what happens when they go to the root of the Web Server (/). In this case your mapping based on Landing URIs won't work because you potentially have different Master Groups that can access the base URI of the web server, so you need to map them more intelligently than just using landing URI. So in this case you can do your LDAP group lookups. However, I would structure it such that in your Master Group Mapping table I would set the landing URI matches first and then the LDAP matches last.
Perhaps are there session variables you can use to map Master Group based on? I had a previous customer where we ran a Prelogon Sequence that checked for a machine certificate (specific to corporate laptops). Then what we did was set up Dynamic Master Group mapping to use session variables and if the session variable showed the presence of the machine cert they got mapped to the Master Group for corporate users, otherwise they got mapped to the Master Group for guests. Could you use a similar design?
Yeap...in 6.0.1 and earlier you had to map users to Master Groups using a Global Master Group Mapping table and Resource Groups to Master Groups also using a Global Resource Group Mapping table. In 6.0.2, F5 introduced the ability for each Master Group to have its own Resource Group mapping method and table which is SOOOOOOO much better!!! This way all you need to do is configure your Master Group mapping and then configure all your Resource Group settings/mappings within the specific Master Group. You just need to enable Step 3 for Resource Group Mapping under Users -> Groups -> Dynamic Group Mapping -> Group Mapping Sequence (tab) in the "Resource Groups Mapping Sequence" and turn off Step 1 in this section.
The final thing is you need to enable the checkbox "Allow resource groups to be assigned using dynamic resource group mapping configured in this master group." on the General tab of each of the Master Groups that you want to run Resource Group mapping within.
Hope this helps you out!
Cheers,
Mal
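Added example, not part of the thread and not FirePass configuration syntax: a small Python model of the ordered Master Group mapping table described in the reply above (landing URI rows first, LDAP rows last, plus the session-variable design). First-match-wins evaluation, the LDAP group names, the `machine_cert` variable name and the "Corporate"/"Guests" labels are assumptions made for illustration.

```python
# Illustrative model only. FirePass is configured in its admin console;
# first-match-wins evaluation is an assumption made for this sketch.
from dataclasses import dataclass, field

@dataclass
class Session:
    landing_uri: str
    ldap_groups: set = field(default_factory=set)
    variables: dict = field(default_factory=dict)

def uri_rule(prefix, master_group):
    # Match the landing URI itself or a path beneath it, never "/" or "/vpnx".
    def match(s):
        return s.landing_uri == prefix or s.landing_uri.startswith(prefix + "/")
    return (f"landing URI {prefix}", match, master_group)

def ldap_rule(group, master_group):
    return (f"LDAP group {group}", lambda s: group in s.ldap_groups, master_group)

def var_rule(name, value, master_group):
    return (f"session variable {name}={value}",
            lambda s: s.variables.get(name) == value, master_group)

# Constructed table: landing URI rows first, LDAP rows last, as in the reply.
# The LDAP group names are hypothetical.
MAPPING_TABLE = [
    uri_rule("/vpn", "Master Group A"),
    uri_rule("/ssl", "Master Group B"),
    ldap_rule("vpn-users", "Master Group A"),
    ldap_rule("ssl-users", "Master Group B"),
]

# Constructed table for the machine-certificate design; the variable name
# "machine_cert" is hypothetical. Sessions without it fall to the default.
CERT_TABLE = [var_rule("machine_cert", "present", "Corporate")]

def map_master_group(session, table=MAPPING_TABLE, default=None):
    """Return (master_group, reason) for the first row that matches."""
    for reason, match, master_group in table:
        if match(session):
            return master_group, reason
    return default, "no row matched"
```

With this ordering a session landing on `/vpn` is mapped by URI regardless of LDAP membership, while a session landing on `/` falls through to the LDAP rows, and one that matches nothing gets no Master Group unless a default is supplied.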
