Forum Discussion

Michael_Falkenr
Historic F5 Account
Jan 26, 2005

Pulling Group Attribute via Authentication Rules

I've had several prospects ask for the ability for BIGIP not only to authenticate against an external device (AD, Radius, LDAP) but also have the ability to extract/store group attributes so that we can make load balancing decisions based on group membership. For now I just need to know if it would be possible.

Over the last 2 months I had this asked at least 4 times.

Also, can V9 authenticate to NIS+ environments?

If a CSR would be needed for any of this please let me know.

On a side note, are there any plans to provide more default auth rules that are in a standard build? One issue I keep running into is the fact that we "reject" packets if they fail the authentication. For the most part they would rather redirect to some sort of error page/etc rather than the client just not getting a response at all (i.e. think increasing helpdesk calls b/c of auth errors)

  • Loc_Pham_101863
    Historic F5 Account
    Here's the response from one of our developers working in the auth area:

    1) We do not authenticate to NIS+.

    2) There are no currently scheduled releases with enhanced auth rules that have the ability to redirect to an error page. That said, a simple modification to the rule should allow this to happen quite easily. I am currently working on some auth enhancements, and I'll see if I can't figure out how to get that into an auth option. I think it makes the most sense to make a redirect page part of the auth profile. If the rule can get arguments from the profile, then we can write one rule that always redirects correctly.

    3) Big-IP cannot currently pass information up from the bottom of the PAM stack. i.e. once a user is authenticated, no additional information (such as group affiliation, user attributes, etc.) is passed up to the BIG-IP to be used for authorization. However, I have written up an example of what I call "selective authentication". Using this method, you can authenticate users who are in a chosen group, have a certain attribute, etc.

    I'm not sure if that will solve the problem this user has. However, again, we have a plan to do this in a future release.

    Regards,

     

    Loc

  • Loc_Pham_101863
    Historic F5 Account
    Some further updates from developers on 2 above:

    - A rule can query a profile attribute with the syntax:

    PROFILE:: 

    - In the case where authentication fails, and one wants to redirect to some error pages, he just needs to change the HTTP action upon failure, responding 3xx with a proper header. The redirection URL should be outside of that virtual, otherwise, he will hit this rule again, i.e. change HTTP::respond 401 to be:

    HTTP::respond 303 Location http://new-URL/

    Loc
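The redirect-on-failure change described in the reply above, written out as a complete iRule. This is an added example, not one of F5's stock `_sys_auth_*` rules or code from the thread; the `AUTH::*` commands, the `AUTH_RESULT` event and the PAM configuration name `default_ldap` are assumed from the v9 iRule API, and the error host `error.example.com` is a constructed placeholder.

```tcl
# Added example: PAM/LDAP authentication that redirects failed logins to an
# error page instead of answering with a bare 401 (which the thread notes
# drives helpdesk calls). Assumes a PAM auth configuration named
# "default_ldap"; the error page host is a constructed placeholder.
when CLIENT_ACCEPTED {
    # Error page MUST live outside this virtual server. If it were served by
    # the same virtual, the redirected request would hit this rule again,
    # fail again, and loop (the caveat given in the reply above).
    set error_url "http://error.example.com/auth-failed.html"
}
when HTTP_REQUEST {
    if { [string length [HTTP::username]] == 0 } {
        # No credentials yet: challenge the browser for Basic auth.
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Restricted\""
        return
    }
    # Hand the supplied credentials down the PAM stack.
    set sid [AUTH::start pam default_ldap]
    AUTH::subscribe $sid
    AUTH::username_credential $sid [HTTP::username]
    AUTH::password_credential $sid [HTTP::password]
    AUTH::authenticate $sid
    # Hold the request until the auth result comes back.
    HTTP::collect
}
when AUTH_RESULT {
    if { [AUTH::status] == 0 } {
        # Authenticated: let the held request through to the pool.
        HTTP::release
    } else {
        # Failed: 3xx to the external error page rather than
        # "HTTP::respond 401", as suggested in the reply above.
        HTTP::respond 303 Location $error_url
    }
}
```

Keep the 401 branch for the no-credentials case: without it, clients that have not yet been challenged would be bounced to the error page before ever getting a chance to log in.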