Forum Discussion
Is network access bypassing APM logon pages?
- Mar 20, 2020
If APM is the gatekeeper, then if you have a VPN session you are authenticated. If you then want to access the app, you are already authenticated with APM.
Hello PeteWhite, if I understand correctly there is no way to change this behaviour; the Edge Client does not respect the profile scope setting?
My use case is that the new service I'm working on should be fully independent. Testers should be able to use the service the same way regardless of where they are coming from: internal networks, VPN or the internet (in the future). Furthermore, the new service uses completely different preprod AAA than the production VPN, and the testers usually impersonate test users.
- Lucas_Thompson, Sep 10, 2024, Employee
Users coming in from a VPN that is terminated on a BIG-IP are already APM-scoped into their existing Access session on that BIG-IP. They may not create another separate user session through that connection.
On the one hand, it allows BIG-IP to apply any user data to a network flow, such as inserting SSO information gathered during authentication or authorization inside of the VPN connection so that users can have completely transparent L4 SSO. Other interesting things are also possible with iRules.
On the other hand, it means that a user cannot connect to the VPN and then login to a webtop where both belong to the same BIG-IP.
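The transparent-SSO case described in the reply above, as an added iRule example that is not part of the thread and not F5's own code. It assumes the iRule is attached to an application virtual server reached through a VPN tunnel terminated on the same BIG-IP, so the flow is already scoped into the user's existing Access session; the `ACCESS::session` and `HTTP::header` commands are standard iRule commands, while the `X-Remote-User` header name and the choice to strip any client-supplied copy are assumptions for the example.

```tcl
# Added example (not from the thread). Attached to the application VIP that
# VPN users reach through the BIG-IP-terminated tunnel. Because the flow is
# already scoped into the user's Access session, variables populated by the
# VPN logon policy are readable here without a second logon.
# Assumption: the back end trusts X-Remote-User only when set by BIG-IP.
when HTTP_REQUEST {
    # Never pass through a client-supplied copy of the trusted header.
    HTTP::header remove "X-Remote-User"

    # Only act when this flow carries an Access session in the allowed state.
    if { [ACCESS::session exists -state_allow] } {
        # session.logon.last.username is populated by the APM logon agent.
        set user [ACCESS::session data get "session.logon.last.username"]
        if { $user ne "" } {
            HTTP::header insert "X-Remote-User" $user
        }
    }
    # Flows with no Access session (for example a direct internet client
    # hitting a VIP with no access profile) reach the app with no identity
    # header, so the application must still enforce its own logon for them.
}
```

The `-state_allow` check matters: a session that exists but is still pending (for example mid-policy) would otherwise have an empty or partial username, and the header would be inserted before APM has actually allowed the user.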
- Bazsi, Sep 11, 2024, Altostratus
Hi Lucas_Thompson, thanks for the clarification! I've found that if the second access policy is in another route domain than the VPN it can maintain a separate APM session, so this could be one way to work around this.
- Lucas_Thompson, Sep 11, 2024, Employee
These results are interesting! Thanks for the info.
When you configure APM services on a BIG-IP, APMD compiles the access policies and stores this information inside of TMM's sessiondb, which is indeed scoped so that the data are separated. However, APMD ordinarily will only operate on policies that belong to a single route domain and ignore other policies.
Can you share how you're setting up the administrative partitions, route domains, and VLANs in your environment, and what version you're using? Additionally, whether you're declaring route domains explicitly on your APM-profile VIPs or inferring them from an admin partition. I'd like to try to reproduce this in a lab to examine what's happening more closely.