Forum Discussion

Mariappan_S_156's avatar
Mariappan_S_156
Icon for Nimbostratus rankNimbostratus
Jun 20, 2014

F5 APM CLIENT SECURITY MAC ADDRESS

Our objective was we have list of mac address’s of our corparate systems in a text file lik below.

 

00:19:DB:DC:3E:8F 00:1D:92:47:75:EF

 

we need to check the user system mac address at the time of login ssl vpn , if user system mac address match with the list, then we allow for resource assign.

 

We go to use below irules for that.

 

when ACCESS_POLICY_AGENT_EVENT { switch [ACCESS::policy agent_id] { "Your_iRule_event_name" { set Client_MAC "[ACCESS::session data get session.client.mac_address]"; if { [class match $Client_MAC equals mac-datagroup] } { ACCESS::session data set session.custom.mac_accepted 1 } } } }

 

We need clarifications on below points

 

  • Which type of data group should be used internal or external?
  • In data group how format we enter the data. (00:1D:92:47:75:EF or mac := 00:1D:92:47:75:EF)
  • In which column String or Value we need to enter Mac address.
  • In VPC what is value we need to enter on Custom iRule Event Agent ID
application delivery
BIG-IP Access Policy Manager (APM)
deployment
design
devops
iRules
security
  • kunjan_118660's avatar
    kunjan_118660
    Jun 20, 2014

    • Which type of data group should be used internal or external?

       

      internal as it is not in file

       

    • In data group how format we enter the data. (00:1D:92:47:75:EF or mac := 00:1D:92:47:75:EF)

       

      Just 00:1D:92:47:75:EF

       

    • In which column String or Value we need to enter Mac address.

       

      Enter the mac address list in column string

       

    • In VPC what is value we need to enter on Custom iRule Event Agent ID

       

      You can use any string as ID.

       

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jun 20, 2014

    • Which type of data group should be used internal or external?

       

      internal as it is not in file

       

    • In data group how format we enter the data. (00:1D:92:47:75:EF or mac := 00:1D:92:47:75:EF)

       

      Just 00:1D:92:47:75:EF

       

    • In which column String or Value we need to enter Mac address.

       

      Enter the mac address list in column string

       

    • In VPC what is value we need to enter on Custom iRule Event Agent ID

       

      You can use any string as ID.

       

  • kunjan_118660's avatar
    kunjan_118660
    Icon for Cumulonimbus rankCumulonimbus
    Jun 20, 2014

    • Which type of data group should be used internal or external?

       

      internal as it is not in file

       

    • In data group how format we enter the data. (00:1D:92:47:75:EF or mac := 00:1D:92:47:75:EF)

       

      Just 00:1D:92:47:75:EF

       

    • In which column String or Value we need to enter Mac address.

       

      Enter the mac address list in column string

       

    • In VPC what is value we need to enter on Custom iRule Event Agent ID

       

      You can use any string as ID.

       

    • Mariappan_S_156's avatar
      Mariappan_S_156
      Icon for Nimbostratus rankNimbostratus
      Jun 20, 2014
      We Completed. thanks and we just add machineinfo infront irule event. Thanks
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jun 20, 2014

    • Which type of data group should be used internal or external?

       

      internal as it is not in file

       

    • In data group how format we enter the data. (00:1D:92:47:75:EF or mac := 00:1D:92:47:75:EF)

       

      Just 00:1D:92:47:75:EF

       

    • In which column String or Value we need to enter Mac address.

       

      Enter the mac address list in column string

       

    • In VPC what is value we need to enter on Custom iRule Event Agent ID

       

      You can use any string as ID.

       

    • Mariappan_S_156's avatar
      Mariappan_S_156
      Icon for Nimbostratus rankNimbostratus
      Jun 20, 2014
      We Completed. thanks and we just add machineinfo infront irule event. Thanks
  • MichaelJordan_1's avatar
    MichaelJordan_1
    Icon for Nimbostratus rankNimbostratus
    Aug 16, 2015

    Hi I been developing an iRule to detect if the user already has any other VPN session to same End Point. Can you share your iRule ? I think, it 'll be useful to create a new one.

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Aug 17, 2015

    Hi,

    I wrote this irule to count and close previous session before this feature is included in APM.

    when ACCESS_POLICY_AGENT_EVENT {
     switch [ACCESS::policy agent_id] {
     "close" {
          set apm_csid [ ACCESS::session data get session.custom.concurrentid ]
          if {$apm_csid != 0} {
               log local0. "fin de la session $apm_csid"
               ACCESS::session remove -sid $apm_csid
               }
          }
     "user_count" {
          set apm_uuid "[PROFILE::access name].[ACCESS::session data get session.logon.last.username]"
          set apm_cookie_list [ ACCESS::uuid getsid $apm_uuid ]
          if {[llength $apm_cookie_list] != 0} {
               set apm_concurentid [ lindex $apm_cookie_list 0 ]
               set apm_concurentip [ACCESS::session data get session.user.clientip]
          }
          else {
               set apm_concurentid 0
               set apm_concurentip 0
          }
               ACCESS::session data set session.custom.concurrentnum [llength $apm_cookie_list]
               ACCESS::session data set session.custom.concurrentid $apm_concurentid
               ACCESS::session data set session.custom.concurrentip $apm_concurentip
               log local0. "session concurrente $apm_concurentid"
          }
    }
}

    in this irule policy_id is the event ID of irule event in VPE. the user authenticated on a policy is identified by its uuid : 

          set apm_uuid "[PROFILE::access name].[ACCESS::session data get session.logon.last.username]"