Forum Discussion
F5 APM authentication on AD using Groups
I tried to validate Groups in AD with no luck.
Does somebody have a working example of AD authentication with Groups in F5 APM v11.5.1?
Thanks,
11 Replies
- Matt_Dierick
Employee
Hi,
How do you validate it? Actually, you need:
- Logon page
- AD auth
- AD query
In the AD Query box, on the branch, select the option Member Of, and enter the full memberOf LDAP string (CN=xxxxx, OU=xxxx ...)
Show me your configuration.
Matt
- Carlos_Alperin
Nimbostratus
I can't put a copy of the access policy flow, but
I have the Start followed by the Logon Page, which falls back to the AD Auth, in which I point to the AD server; on Success I go to AD Query, where on the server I enable a SearchFilter
CN=HQ-VPN-USERS, CN=Users, DC=domain.com
With Fetch Primary Group Enabled, but Fetch Nested Disabled.
- Greg_Crosby_319
Historic F5 Account
Your branch expression should look something similar to: expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Example Group" }. Where 'Example Group' is the name of the group you want to match; note the group name is case sensitive.
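An added example of the branch rule Greg describes, written here for this thread and not taken from any poster's configuration. It assumes an AD Query agent already ran before this branch with memberOf listed under its required attributes, that APM stores the multi-valued memberOf attribute as a pipe-delimited list of group DNs (an assumption about the session-variable format), and uses a constructed group DN as a placeholder:

```tcl
# Added example branch rule for the branch following the AD Query agent (not from the thread).
# Assumption: APM stores session.ad.last.attr.memberOf as pipe-delimited DNs, for example
#   "| CN=HQ-VPN-USERS,CN=Users,DC=domain,DC=com | CN=Domain Users,CN=Users,DC=domain,DC=com |"
# Matching the whole DN between the separators avoids a prefix match, where
# "CN=HQ-VPN-USERS" would also match a group such as "CN=HQ-VPN-USERS-TEMP".
# The comparison is case-sensitive, so the DN must match the directory exactly.
# The group DN below is a constructed placeholder; replace it with the real one.
expr {
    [mcget {session.ad.last.attr.memberOf}] contains "| CN=HQ-VPN-USERS,CN=Users,DC=domain,DC=com |"
}
```

The branch rule only tests what the AD Query agent fetched, so the group DN belongs in the branch rule, not in the agent's SearchFilter field; that field takes an LDAP filter that finds the user object, such as APM's default sAMAccountName=%{session.logon.last.username}. If memberOf is missing from the session report, the branch always falls through to fallback regardless of the expression.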
- Arnaud_Lemaire
Employee
Hi, what do you have so far?
You need to implement an AD Query agent in the VPE after the AD Auth agent. Having done that, if you look at your session report, you will have the groups retrieved in an attribute.
You can then either use a condition in Resource Assign matching group names, or use group-based Resource Assign in the latest release.
- Carlos_Alperin
Nimbostratus
Arnaud,
I created different access policies. If I don't use Group, I have no problem. My issue starts when I add the Group on the Authentication.
- Arnaud_Lemaire
Employee
Could you display an example of the VPE? That will help to see if anything is blocking you.
- Matt_Dierick
Employee
Calperin, have a look at my comment above. To validate a group, you have to set a condition on the branch (my comment below) or use the Advanced Resource Assign box and use a group expression as Arnaud said.
- Carlos_Alperin
Nimbostratus
Session variable 'session.ad./Common/domain_AD_act_active_directory_ag.actualdomain' set to 'domain.com'
Session variable 'session.ad./Common/domain_AD_act_active_directory_ag.authresult' set to '1'
Session variable 'session.ad./Common/domain_AD_act_active_directory_ag.errmsg' set to ' '
Session variable 'session.ad.last.actualdomain' set to 'domain.com'
Session variable 'session.ad.last.authresult' set to '1'
Session variable 'session.ad.last.errmsg' set to ' '
Session variable 'session.assigned.resources.na' set to '/Common/domain_AD_na_res'
Session variable 'session.assigned.webtop' set to ''
Session variable 'session.logon./Common/domain_AD_act_logon_page_ag.logonname' set to 'calperin'
Session variable 'session.logon./Common/domain_AD_act_logon_page_ag.result' set to '1'
Session variable 'session.logon./Common/domain_AD_act_logon_page_ag.username' set to 'calperin'
Session variable 'session.logon.last.logonname' set to 'calperin'
Session variable 'session.logon.last.result' set to '1'
Session variable 'session.logon.last.username' set to 'calperin'
Session variable 'session.logon.page.errorcode' set to '1'
Session variable 'session.logout.page.customization.group' set to '/Common/domain_AD_end_deny_ag'
Session variable 'session.policy.result' set to 'deny'
AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1562 Msg: DONE WITH ACCESS POLICY - send 'we are done with access policy for this session' code
AccessPolicyD.cpp func: "process_request()" line: 741 Msg: ** done with the request processing **
Session deleted due to user logout request.
- Matt_Dierick
Employee
You do not make any AD Query, I assume. You should see all attributes from the user in session.ad.last.attr
Check the logs with "tail -f /var/log/apm" after changing the log level to debug on Access Policy logs.
Can you tell me which option is checked and filled in your AD Query box please?
- Stanislas_Piro2
Cumulonimbus
Hi,
There is no requirement about where to add AD Query. It depends on the variables you want to use in SSO credential mapping and variable assign...
In the search filter, it depends on your configuration (authentication with sAMAccountName, email address, or UPN...). It is recommended to define the requested attributes to limit variables; I had an issue in version 11.4 where a user had an image on his profile generating a core dump. Setting the memberOf attribute only solved the issue.
- Stephen_Price_1
Nimbostratus
I am having the same issue of the AD Query always going to the fallback. I have verified the memberOf properties appear in the session attributes. I have even copied that string and pasted it into the branch Member Of box to ensure all characters are a match, but the query always goes to fallback.
I have memberOf as a required attribute. Without that, I find the message in the APM logs that the variable is not found in memcache.
11.4.1 HF8