iRule check multiple logon in APM

APM can already do this:

 

 

In the Max Sessions Per User field, type the maximum number of concurrent sessions that one user can start. Type 0 to set no maximum. You must select the associated Custom check box before you can configure this setting.

 

 

http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_portal_access_11_0_0/4.html

Hi Chris. Thank you for your suggestion. I already test your suggestion. Max Sessions Per User is global policy then I cannot specific to each group of user. The requirement is

 

1. Using only 1 logon page

 

2. User group A can logon multiple device sametime

 

3. User group B can logon only single device sametime

 

4. If user group B logon second time on other device then cannot logon. But connection in first device still working.

 

 

Are you saying that you have multiple APM device, perhaps in different locations? And you want a user to only be able to logon via one location at a time?

I can't help you with your APM problem, but the reason that you're getting that error message is because ACCESS_SESSION_CLOSED is a global event (meaning, not associated with a connection), and the table command does not yet work in global events.

I think I may have something.

1. Create an access policy that authenticates a user (ie. logon page + AD Auth) - make sure that the user's logon name gets applied to the session.logon.last.username session variable.

2. After the authentication, perform a query (AD or LDAP) that pulls the group membership value for that user. In the below iRule example I've populated the AD "comment" block with either "GROUPA" or "GROUPB".

3. Add an iRule event after the successful query. In the example below the iRule event ID is "GROUPCHECK".

4. Add the following iRule to the virtual server (tweak as required):

when RULE_INIT {
   set static::policy_debug 1
}
when ACCESS_POLICY_AGENT_EVENT {
   if { [ACCESS::policy agent_id] equals "GROUPCHECK" } {
      if { [ACCESS::session data get session.ldap.last.attr.comment] equals "GROUPB" } {
         if { [expr [llength [ACCESS::uuid getsid "[ACCESS::session data get session.access.profile].[ACCESS::session data get session.logon.last.username]"]] > 0] } {
            if { $static::policy_debug } { log local0. "[ACCESS::session data get session.logon.last.username] in GROUP B attempted multiple sessions" }
            ACCESS::session remove
         }
      }
   }
}

Within the APM iRule event (based on the "GROUPCHECK" ID), we'll check the query result. If the query value equals "GROUPB" AND the count of sessions for this user, using the ACCESS::uuid getsid command exceeds 1 session, remove the session.

If the first session is closed by simply closing the browser, the session will remain in the session cache until it expires, preventing another session from opening. So while the above should work to prevent multiple sessions for a given group of users, you'll need a way to more proactively close the session when the user leaves, which is not always an easy thing to do.