Configuring the BIG-IP as an SSH Jump Server using Smart Card Authentication and WebSSH Client
Josh,
Sorry for the delayed response. I am not tracking your question 100%, though I will still try and add some more color. So the custom variable assign does have new lines. As shown in the article, I will use the "Add New Entry" for the UPN simply to extract it so we can perform the LDAP query against it later in order to gather the sAMAccountName. When I am normally doing variable assign for smart card auth and the UPN @ is different than the domain's realm, I often add the variable session.logon.last.domain, though in this case it really is not needed. With that, adding custom variables is awesome because it allows you to make so many more access-based decisions based on them.
In regards to the URL and different IPs, absolutely. In my example I simply used the BIG-IP because unfortunately I don't have a ton of other vendor equipment in my lab environment. There is even a document out there, which I may write an article on, to import a large number of devices to authenticate versus manually inputting each one. The thing to remember, though, when using other equipment is that if using LDAP or LDAPS you will need to point the device to the BIG-IP VS or the TACACS server to the BIG-IP as the LDAP server. Also, I didn't really get into it, though if you notice, there is a Radius Server VS created by the script. This also allows the BIG-IP to act as a RADIUS server with authentication, authorization and accounting capabilities your normal RADIUS server does not have.
There really is so much you can do with this solution, so I will do my best to continue writing how-to articles to expose the broader community to them. Hope this helps.
Steve