Forum Discussion
AltostratusIs network access bypassing APM logon pages?
If APM is being the gatekeeper then if you have a VPN session then you are authenticated. If you then want to access the app then you are already authenticated with APM.
AltostratusThank you Pete for your reply.
In that case, it seems that the APM checks (AD query for example) and variable assigments are bypassed, right? Is there any solution for these ?
Thank you
PeteWhiteEmployee
Hi Thomas, Take a look at https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/20.html and possibly https://devcentral.f5.com/s/articles/apm-full-step-up-authentication-903- Bazsi
Hello PeteWhite, If I understand there is no way to change this behaviour, the Edge Client has no respect to the profile scope setting?
My usecase is that the new service I'm working on should be fully independent. Testers should be able to use the service the same way regardless where they are coming from, internal networks, VPN or the internet (in the future). Futhurermore the new service uses completely different preprod AAA thant the production VPN and the testers usually impersonate test users.- Lucas_Thompson
Users coming in from a VPN that is terminated on a BIG-IP are already APM-scoped into their existing Access session on that BIG-IP. They may not create another separate user session through that connection.
On the one hand, it allows BIG-IP to apply any user data to a network flow, such as inserting SSO information gathered during authentication or authorization inside of the VPN connection so that users can have completely transparent L4 SSO. Other interesting things are also possible with iRules.
On the other hand, it means that a user cannot connect to the VPN and then login to a webtop where both belong to the same BIG-IP.
