Forum Discussion
F5 Access Policy Authentication Using Domain Prefix
Greetings,
Need a little assistance. Trying to integrate our F5 Access Policy using RADIUS Authentication in support of our PortalGuard 2FA solution. PortalGuard uses LDAP Authentication on its end and we have 3 Domains configured in support of 2FA. PortalGuard is dependent on a prefixed domain\username logon authentication. Also configured in PortalGuard is a RADIUS server for the F5 to use for authentication and presents the OTP challenge.
The current Test F5 Access Policy I have has a Logon Page that has you pick the Domain you want to authenticate to and uses a Domain Select Macro that also serves as the 1st Factor Authentication. The Macro is configured to use AD Authentication using a configured AAA server using an AD Query search filter sAMAccountName=%{session.logon.last.username}. I have the PortalGuard RADIUS Authentication inserted between the Domain Select and SSO Credential Mapping using expr { "[mcget {session.logon.last.domain}]\\[mcget {session.logon.last.username}]" }.
How do I configure the Access policy to use a prefixed logon scheme domain\username rather than just a SAM account only? I need to satisfy AD Auth as the 1st authentication and pass along the authentication format to PortalGuard as the 2nd factor. Hope this makes sense.
Hi
So if I'm reading this right, you want to rewrite the session.logon.last.username variable to include the DOMAIN/ in it prior to AD auth?
If so, then add in a new Variable Assign object into your policy and rewrite the username variable as you have done with your SSO object. Stanislas wrote a great post regarding APM variables which includes such an example. https://community.f5.com/t5/codeshare/apm-variable-assign-examples/ta-p/287962
- iaine (Nacreous)
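As an added illustration of the Variable Assign approach above (example code written for this page, not taken from the thread or from the linked codeshare article): a custom-expression body for a Variable Assign item that sets session.logon.last.username to DOMAIN\user. It assumes the item sits after the Domain Select macro (so session.logon.last.domain is already populated) and after the AD Query, since that query's sAMAccountName=%{session.logon.last.username} filter needs the bare account name; it goes immediately before the RADIUS Auth item that talks to PortalGuard. The uppercase/trim handling and the stripping of a prefix the user may already have typed are assumptions about what PortalGuard expects, not facts from the thread.

```tcl
# Added example, not from the original thread or the F5 codeshare article.
# APM Variable Assign -> custom expression. The script's return value is
# stored in the variable chosen in the item (here: session.logon.last.username).
# mcget is the APM-provided accessor for session variables; everything else
# is plain Tcl. Assumed placement: after Domain Select + AD Query, before RADIUS Auth.

set domain   [string toupper [string trim [mcget {session.logon.last.domain}]]]
set username [string trim [mcget {session.logon.last.username}]]

# If the user already typed DOMAIN\user on the logon page, keep only the
# part after the backslash so the prefix is not doubled.
set idx [string first "\\" $username]
if { $idx >= 0 } {
    set username [string range $username [expr {$idx + 1}] end]
}

# If the user typed UPN form (user@domain), keep only the user part;
# the selected domain from the Domain Select branch wins.
set idx [string first "@" $username]
if { $idx >= 0 } {
    set username [string range $username 0 [expr {$idx - 1}]]
}

# Nothing to prefix with (domain branch did not set the variable) or an
# empty name: hand back the original value untouched so the RADIUS step
# is evaluated against what the user actually entered rather than "".
if { $domain eq "" || $username eq "" } {
    return [mcget {session.logon.last.username}]
}

# Tcl: "\\" inside double quotes is one literal backslash -> DOMAIN\user
return "${domain}\\${username}"
```

If the policy later needs the bare account name again (for example an SSO Credential Mapping that should not carry the prefix), assign this result to a custom variable such as session.custom.radius_username instead and keep session.logon.last.username unchanged; which variable the RADIUS Auth item reads then has to be confirmed against the APM version in use.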
Yes, your understanding is correct. Thanks for the reference; I came across this article a while back and was trying out the referenced variable, but I don't think I was using the correct one and/or applying it correctly. You have to excuse me, I'm still learning as to Access Policy matters.
So I see what look like 2 possible variable options in the article that apply to Domain and username below. Which of the two is more fitting for what I'm trying to achieve?
expr { "[mcget {session.logon.last.domain}]\\[mcget {session.logon.last.username}]" }
if { [mcget {session.logon.last.username}] contains "\\" } { set username [string tolower [mcget {session.logon.last.logonname}]]; return [string range $username 0 [expr {[string first "\\" $username] -1}] ]; } else { return {} }
So based on my Access Policy example I uploaded, where would I inject the appropriate variable to perform the rewrite? Before Domain select or after Domain Select prior to the RADIUS Server?
Thank you for your time and assistance; much appreciated.
- gam (Nimbostratus)
Ok, using your guidance with the article, with some thought and trial I was able to insert the rewrite variable and everything is working as it should. Thank you again for your help.