Forum Discussion

gam's avatar
gam
Icon for Nimbostratus rankNimbostratus
Oct 18, 2022

F5 Access Policy Authentication Using Domain Prefix

Greeting, Need a little assistance.  Trying to integrate our F5 Access Policy using RADIUS Authentication in support of our PortalGuard 2FA solution.  PortalGurad uses LDAP Authentication on it's en...
security
  • iaine's avatar
    iaine
    Oct 20, 2022

    Hi

    So if I'm reading this right, you want to rewrite the session.logon.last.username variable to include the DOMAIN/ in it prior to AD auth?

    If so, then add in a new Variable Assign object into your policy and rewrite the username variable as you have done with your SSO object.  Stanislas wrote a great post regarding APM variables which includes such an example. https://community.f5.com/t5/codeshare/apm-variable-assign-examples/ta-p/287962

iaine's avatar
iaine
Icon for Nacreous rankNacreous

Hi

So if I'm reading this right, you want to rewrite the session.logon.last.username variable to include the DOMAIN/ in it prior to AD auth?

If so, then add in a new Variable Assign object into your policy and rewrite the username variable as you have done with your SSO object.  Stanislas wrote a great post regarding APM variables which includes such an example. https://community.f5.com/t5/codeshare/apm-variable-assign-examples/ta-p/287962

gam's avatar
gam
Icon for Nimbostratus rankNimbostratus
Oct 20, 2022

Yes your undestanding is correct.  Thanks for the reference and came across this article a while back and was trying out refrenced variable but I don't think I was using the correct one and\or nor applying it correctly.  You have to excuse me, I'm still learning as to Access Policy matter of things.

So I see what looks like 2 possible variable options in the article that looks like applies to Domain and username below.   Which of the two is more fitting as to what I'm trying to achieve

expr { "[mcget {session.logon.last.domain}]\\[mcget {session.logon.last.username}]" } 
if { [mcget {session.logon.last.username}] contains "\\" } { 
    set username [string tolower [mcget {session.logon.last.logonname}]];  
    return [string range $username 0 [expr {[string first "\\" $username] -1}] ];  
} else {  
    return {}  
}

So based on my Access Policy example I uploaded, where would I inject the appropriate variable to perform the rewrite? Before Domain select or after Domain Select prior to the RADIUS Server?

Thank you for your time and assitance and much appreciated.