F5 Access Policy Authentication Using Domain Prefix
Greetings,
Need a little assistance. Trying to integrate our F5 Access Policy using RADIUS Authentication in support of our PortalGuard 2FA solution. PortalGuard uses LDAP Authentication on its end and we have 3 Domains configured in support of 2FA. PortalGuard is dependent on a prefixed domain\username logon authentication. Also configured in PortalGuard is a RADIUS server for the F5 to use for authentication and presents the OTP challenge.
The current Test F5 Access Policy I have has a Logon Page that has you pick the Domain you want to authenticate to and uses a Domain Select Macro that also serves as the 1st Factor Authentication. The Macro is configured to use AD Authentication using a configured AAA server using an AD Query search filter sAMAccountName=%{session.logon.last.username}. I have the PortalGuard RADIUS Authentication inserted between the Domain Select and SSO Credential Mapping using expr { "[mcget {session.logon.last.domain}]\\[mcget {session.logon.last.username}]" }.
How do I configure the Access policy to use a prefixed logon scheme domain\username rather than just a SAM account only? I need to satisfy AD Auth as the 1st authentication and pass along the authentication format to PortalGuard as the 2nd factor. Hope this makes sense.
Hi
So if I'm reading this right, you want to rewrite the session.logon.last.username variable to include the DOMAIN/ in it prior to AD auth?
If so, then add in a new Variable Assign object into your policy and rewrite the username variable as you have done with your SSO object. Stanislas wrote a great post regarding APM variables which includes such an example. https://community.f5.com/t5/codeshare/apm-variable-assign-examples/ta-p/287962
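As an added illustration (not code from either poster or from F5), here is what the custom expression of that Variable Assign agent could look like when placed between the AD Auth and the PortalGuard RADIUS Auth agents. It assumes the Domain Select macro has already set session.logon.last.domain, and it strips any domain the user typed themselves so the RADIUS request always carries the domain the policy selected rather than a user-supplied one:

```tcl
# Added example for an APM Variable Assign custom expression (assumption:
# run after 1st-factor AD Auth, before the PortalGuard RADIUS Auth agent).
# Assumes session.logon.last.domain was populated by the Domain Select macro.
set domain [mcget {session.logon.last.domain}]
set user   [mcget {session.logon.last.username}]

# Normalise whatever the user typed to a bare account name, so the selected
# domain (not a prefix the user supplied) is what reaches the RADIUS server:
#   OTHERDOM\jdoe      -> jdoe
#   jdoe@corp.example  -> jdoe
set bs [string last "\\" $user]
if { $bs != -1 } { set user [string range $user [expr {$bs + 1}] end] }
set at [string first "@" $user]
if { $at != -1 } { set user [string range $user 0 [expr {$at - 1}]] }

# Hand PortalGuard the DOMAIN\username form it expects
return "${domain}\\${user}"
```

Assign the result to session.logon.last.username so the RADIUS Auth agent that follows picks it up; keep the AD Query filter sAMAccountName=%{session.logon.last.username} on the plain name by running this agent only after that query completes.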