Forum Discussion

zafer
Apr 11, 2016

Time based VPN restriction

Hi All,

Our users authenticate against Active Directory. We have custom software and a DB for storing user info and credentials.

For example:

User A: VPN-enabled user, AD group X, work time 8-9 AM

User B: VPN-enabled user, AD group Y, work time 11-12 AM

User C: VPN-disabled user, AD group Z, work time 5-9 PM

Also we have a web service; we can call the web service to get information about users.

We want to do this with APM:

1- Time-based VPN sessions (APM will get info from the DB or use the web service) and assign resources to the client

2- We want to send an email alert to the active users before the work time finishes and auto-disconnect them when the work time has finished

How can I do this?

Regards

zafer

 

    • AP_129594
      I would imagine you can do an AD Query and add "logonHours" as the required attribute, then create branch rules based on the Date Time.
    • zafer
      Logon hours are not static and I need to integrate with other systems.
  • Hi,

    you can:

    • Configure AD attributes like starthour and endhour with format: 8:00
    • create a variable assign with the following expressions:
      • session.custom.starthour = expr { [clock scan [mcget {session.ad.last.attr.starthour}]] }
      • session.custom.endhour = expr { [clock scan [mcget {session.ad.last.attr.endhour}]] }
    • check if starttime is in the expected range with:

    Branch expression

    expr { [mcget {session.user.starttime}] >= [mcget {session.custom.starthour}] && [mcget {session.custom.endhour}] >= [mcget {session.user.starttime}] }

    • define the max session timeout variable to disconnect the user at the expected hour

    session.max_session_timeout =

    expr { [mcget {session.custom.endhour}] - [mcget {session.user.starttime}] }

    So, you can do what you want...
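    The window check and timeout from the answer above, as an added example that is not part of the answer or of APM: a stand-alone Tcl proc you can run with tclsh to try values before pasting the expressions into a policy. It takes what APM would hold (session.user.starttime as Unix seconds, the starthour/endhour attribute strings) and returns the seconds to put in session.max_session_timeout, or 0 when the session started outside the window and should be denied. It goes one step beyond the answer by handling a window that crosses midnight (e.g. 22:00-02:00), which a plain "start >= starthour && endhour >= start" on today's clock values would always reject. The proc name and the sample timestamp are constructed for the example.

```tcl
# Added example, not from the thread. Mirrors the APM expressions:
#   session.custom.starthour = [clock scan starthour]   (here: $s)
#   session.custom.endhour   = [clock scan endhour]     (here: $e)
#   branch: starttime >= starthour && endhour >= starttime
#   session.max_session_timeout = endhour - starttime
# start  - session.user.starttime, Unix seconds of session start
# shour  - session.ad.last.attr.starthour, e.g. "8:00"
# ehour  - session.ad.last.attr.endhour,   e.g. "9:00"
# Returns seconds the session may live, or 0 when it must be denied.
proc vpn_window_seconds {start shour ehour} {
    # Resolve the clock times on the calendar day of the session start,
    # as APM's [clock scan ...] resolves a bare "8:00" on "today".
    set s [clock scan $shour -base $start]
    set e [clock scan $ehour -base $start]

    # Window crossing midnight (e.g. 22:00-02:00): the end is on the next day.
    if { $e <= $s } {
        set e [expr { $e + 86400 }]
        # A session that starts after midnight but before the end belongs to
        # the window that opened yesterday; shift both bounds back one day.
        if { $start < $e - 86400 } {
            set s [expr { $s - 86400 }]
            set e [expr { $e - 86400 }]
        }
    }

    # The branch expression from the answer: start must lie inside [s, e].
    if { $start >= $s && $e >= $start } {
        return [expr { $e - $start }]
    }
    return 0
}

# Constructed sample: a session started at 08:30 local time on 2016-04-11.
set t [clock scan "2016-04-11 08:30:00"]
puts [vpn_window_seconds $t "8:00" "9:00"]    ;# 1800 -> 30 minutes left
puts [vpn_window_seconds $t "11:00" "12:00"]  ;# 0    -> outside window, deny
puts [vpn_window_seconds [clock scan "2016-04-11 01:00:00"] "22:00" "2:00"] ;# 3600
```

    A 0 result must map to a deny branch in the policy; session.max_session_timeout is in seconds and a zero or negative value does not express "no access".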

  • Hi,

    To retrieve logon and logout time from the web server, you need to configure an AAA HTTP server (even if you don't want to authenticate on this server).

    The parameters must be contained in an HTTP cookie.

    After the HTTP auth, you can obtain the values with the following variable assign:

    session.custom.starthour =
    expr { [lindex [regexp -inline {starthour=([^;\\\r]*)} [mcget {session.http.last.response_cookie}]] 1] }

    session.custom.endhour =
    expr { [lindex [regexp -inline {endhour=([^;\\\r]*)} [mcget {session.http.last.response_cookie}]] 1] }

    If your HTTP server does not include the information in cookies, you can use a virtual server (with an iRule) between APM and the HTTP server to insert the expected format in the response.
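    One way to do that last step, as an added example that is not from the thread or from F5: an iRule on the virtual server that sits between the APM AAA HTTP server object and the web service. It assumes the web service answers a request to /api/userhours (a hypothetical path) with a small JSON body such as {"starthour":"08:00","endhour":"09:00"} and rewrites the two fields into the Set-Cookie format the regexes above read. Note that the cookie values are still strings like 8:00; the policy still needs the [clock scan ...] step from the earlier answer before the numeric branch comparison. The strict HH:MM pattern is deliberate: it keeps anything other than a time from the backend out of the cookie, and if either field is missing no cookie is set, so the variable assign yields an empty value and the policy must branch to a deny.

```tcl
# Added example iRule, not from the thread. Assumes the hours lookup lives at
# /api/userhours (hypothetical) and returns a small JSON body.
when HTTP_REQUEST {
    # Only the hours lookup is rewritten; any other request passes through.
    set collect_hours [expr { [HTTP::path] starts_with "/api/userhours" }]
}

when HTTP_RESPONSE {
    # Hold the response so the body can be inspected before headers are sent.
    # The payload is small, so 4 KB is a safe upper bound on what to collect.
    if { [info exists collect_hours] && $collect_hours } {
        HTTP::collect 4096
    }
}

when HTTP_RESPONSE_DATA {
    # iRules have no JSON parser, so pull the two fields with anchored regexes
    # that only accept an HH:MM value (1- or 2-digit hour, 2-digit minute).
    set body [HTTP::payload]
    set ok 0
    if { [regexp {"starthour"\s*:\s*"([0-9]{1,2}:[0-9]{2})"} $body -> shour] &&
         [regexp {"endhour"\s*:\s*"([0-9]{1,2}:[0-9]{2})"} $body -> ehour] } {
        # Exactly the "starthour=8:00" / "endhour=9:00" shape the APM
        # variable assign regexes expect in session.http.last.response_cookie.
        HTTP::header insert "Set-Cookie" "starthour=$shour; Path=/; HttpOnly"
        HTTP::header insert "Set-Cookie" "endhour=$ehour; Path=/; HttpOnly"
        set ok 1
    }
    if { ! $ok } {
        # Fail closed: no cookie is inserted, so APM sees empty values and the
        # policy's deny branch applies. Log it so a broken backend is noticed.
        log local0. "userhours: no starthour/endhour in backend response"
    }
    HTTP::release
}
```

    Because the response is collected in HTTP_RESPONSE, the headers are still modifiable in HTTP_RESPONSE_DATA; HTTP::release then forwards the unchanged body with the two cookies added.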