Forum Discussion

RyanDM2_175490
Jan 15, 2015

Session Limit for different users

Currently, there is only one global setting for session time for an access profile. I'd like to know if there is a way that I could set, for example, a session time of 10 hours for AD group "mission critical" and 3 hours for "OTP" users, using iRules. I don't have experience writing such rules, and we have a new deployment that we've configured, that is either not sufficient time for some users, or would be beyond our security policy for others.
Any help would be great...any examples would be greater!
Thanks.
9 Replies

  • We're doing something like this in our environment. The way I've gotten it to work is by using an iRule that gets called during the APM flow (added in the policy editor (VPE)). The iRule you're looking for might look something like this:

    when ACCESS_POLICY_AGENT_EVENT {
        # Fires when the VPE reaches an "iRule Event" agent; only act on the one with our ID
        if { [ACCESS::policy agent_id] eq "setSessionTimeoutAgent" } {
            # memberOf is populated by the AD Query agent earlier in the policy.
            # Note that "contains" is a substring match, so "AD_GROUP_NAME" would also
            # match a group such as "AD_GROUP_NAME_TEST"; the full group DN is safer.
            if { [ACCESS::session data get session.ad.last.attr.memberOf] contains "AD_GROUP_NAME" } {
                # Inactivity timeout in seconds (10800 = 3 hours)
                ACCESS::session data set session.inactivity_timeout 10800
            }
        }
    }


    I'm not sure how to check for an OTP user since I've yet to do that, but this should help get you started...

  • Hmm, ok so I thought I knew what I was doing. Not so. I created the iRule, however, I'm not sure that the box is actually referencing it when I apply it in the VPE, e.g. the "Custom iRule Event Agent" ID.
    I am quite new with APM, so sorry if what I'm asking is obvious.

    • Michael_Jenkins
      You'll need to make sure that you set the agent name to the same as is specified in the iRule (in my case, it's "setSessionTimeoutAgent"), and that the iRule is associated with your virtual server that uses the access policy. You can also add a log to the ltm log to see if it's even getting there... something like: log local0. "Entered agent event. ID = [ACCESS::policy agent_id]"
  • I was messing with this for too long. It turns out there is a variable that can be created. It's in the help!

    • Michael_Jenkins
      You mean within the APM policy editor? If that's what you're referring to, make sure to test it. I had some problems updating the timeout from the VPE and it not working properly for some reason until I updated it in the iRule...
  • Yes, what I'm talking about is the Variable Assign. You can use Predefined Session Variables, Custom Variables, and Configuration Variables.
    In my case, I used a Predefined Session Variable called "Maximum Session Timeout" and could set the session variable to 10800.
    Super easy, works like a charm.

    • Michael_Jenkins
      I think one thing to note is the difference between maximum session timeout and session timeout. I think the Maximum Session Timeout is the max it can go regardless of usage, vs the session.inactivity_timeout session var which I think slides with session usage.
  • All I was interested in from the start was having a different max session timeout for OTP users versus our mission critical users. So, yes, the session.inactivity_timeout is not what I was looking for, though there is a variable for that in the setting I referred to above.
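Putting the thread together, here is an added example (not code from either poster) of an iRule that sets both the maximum session timeout and the inactivity timeout per AD group, defaulting to the stricter 3-hour limit and only raising it for the "mission critical" group. It assumes a VPE "iRule Event" agent with ID "setSessionTimeoutAgent" placed after the AD Query, placeholder group DNs, that APM joins multi-valued attributes with " | ", and that session.max_session_timeout is the variable behind the VPE's "Maximum Session Timeout" (verify these on your version).

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    # Only act on the VPE "iRule Event" agent whose ID matches this name (assumed ID)
    if { [ACCESS::policy agent_id] ne "setSessionTimeoutAgent" } { return }

    # Placeholder DNs: replace with the real group DNs from your directory
    set mc_dn  "CN=mission critical,OU=Groups,DC=example,DC=com"
    set otp_dn "CN=OTP,OU=Groups,DC=example,DC=com"

    # Compare full DNs instead of substrings so "OTP" cannot also match "OTP-Admins";
    # assumes APM joins multi-valued attributes with " | "
    set in_mc 0
    set in_otp 0
    foreach dn [split [ACCESS::session data get session.ad.last.attr.memberOf] "|"] {
        set dn [string trim $dn]
        if { [string equal -nocase $dn $mc_dn] }  { set in_mc 1 }
        if { [string equal -nocase $dn $otp_dn] } { set in_otp 1 }
    }

    # Stricter policy wins: a user in both groups keeps the 3-hour limit
    if { $in_otp } {
        set max_timeout 10800 ; set inactivity 900  ; set reason "otp"
    } elseif { $in_mc } {
        set max_timeout 36000 ; set inactivity 3600 ; set reason "mission-critical"
    } else {
        set max_timeout 10800 ; set inactivity 900  ; set reason "default"
    }

    # session.max_session_timeout is assumed to back the VPE "Maximum Session Timeout"
    ACCESS::session data set session.max_session_timeout $max_timeout
    ACCESS::session data set session.inactivity_timeout $inactivity
    log local0. "timeouts for [ACCESS::session data get session.logon.last.username] ($reason): max=$max_timeout inactivity=$inactivity"
}
```

The log line in the ltm log is the quickest way to confirm the agent is actually reached and which branch a given user took.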