Select Between Multiple Network Access Resources with the Edge Client – Local DB Auth

In a previous article I wrote about selecting multiple network access resources when using the Edge Client. (https://devcentral.f5.com/s/articles/select-between-multiple-network-access-resources-with-the-edge-client)

The previous article was directed to using AD Auth as the authentication source. This article will be to accomplish the same thing but using Local DB Auth as the authentication source.

The following is from the previous article:

The recent announcements that web browsers will be removing plugin support means that customers will no longer be able to provide Network Access resources to their end users via the APM web top. Instead customers will require their end users to install the Edge Client for their Network Access connections. This poses a problem to customers who require that their end users have the ability to manually choose which Network Access resource they will connect to. Currently (as of this article’s posting date) the Edge Client does not have the ability for end users to select from multiple Network Access resources. Instead end users will automatically connect to only one Network Access resource based on which resource was provisioned first. See AskF5 solution SOL15326 for more information (https://support.f5.com/kb/en-us/solutions/public/15000/300/sol15326).

I have created a customized way to provide end users the ability to select which Network Access resource to connect to within the Edge Client. This customization is pretty straightforward and can be further customized to fit the needs of your organization. I have tried to make this solution flexible and easy to implement but if you have any questions or need any help with adapting it to your organization please comment below.

NOTE: There are limitations on this workaround compared to the full browser web top.

Limitations:
- To change between Network Access resources you must disconnect and reconnect which requires re-authentication.
- Using the iOS Edge Client you must select “Web Logon”.

We have new considerations when talking about Local DB verse AD Auth.

Considerations:
- This solution assumes that you have GROUPS assigned to all users in the Local DB and have a corresponding Network Access resource configured and mapped in the VPE.
- The name of the GROUP will be the name listed on the dropdown list that end users select from. This means you SHOULD have meaningful group names for end users to select from. Spaces are not allowed for group names in the Local DB so you might have to use underscore or CamelCase when defining your group names.
- I have only tested this on Windows 7.
- These instructions are written for TMOS build version 11.6.0

Overall View of Config:

Here I will show screen captures of the config with a little bit of a description of each section and below I will give step by step instructions to configure.

VPE:

The VPE is pretty straight forward. We start with a standard “Logon Page” with username and password, we then do an “LocalDB Auth” and if successful we go to “Local Database”. The “Local Database” action is listed under the General Purpose tab when adding a VPE action. The following object is the “Client Type” which determines if the user is connecting from the “Edge Client” or “Browser”. We only need this customization on the “Edge Client” path. The browser Message Box is to alert the user that they must use the Edge Client. You can customize this to anything you need. If you want you could provide a link for the Edge Client installer or allow access with a Resource Assign. This is all pretty standard at this point.

After the Client Type we have another “Logon Page” VPE Event labeled “VPN Decision – LP”. This is the place where the end user will make the decision on which Network Access resource they want to access. This page we configure a “select” box with the post and session variable names of “group_name” with the value of “value=>value”. This will be overwritten later but we need it as a placeholder. I also modified the Form Header, Field Label and Logon Button Label.

Last we have an “Advanced Resource Assign” to provision the access. Here we check to see what the value of “session.logon.last.group_name” and to make sure the user is a member of the group (this is a security check to make sure they are allowed access). In the screen shot below the group mapping is listed in entries 1 through 4 and in entry 5 we have the webtop assign which everybody gets.

The only other piece to this is a customized logon.inc page which will be applied to the second logon page. I will provide the full logon.inc page you can use to replace the current one as an attachment below. The screenshot is here to show you the custom code. This is just basic JavaScript to take the list of groups you are a member and split it into an array then we eventually append it to the “dynamicInput” element we will also create on the logon.inc page.

I hope this configure will help with any deployments you need and gives you an idea of how flexible and powerful APM can be for your organization.

If you have any questions about the changes to the logon.inc file and the JavaScript please ask in the comments below.

Steps to Configure:

I am going to assume that you are familiar with APM and the VPE so I will not go into great detail on most of these steps. If you need clarification on any step please let me know.

1. Create a new Access Policy

2. Open the VPE and configure the following Actions (see the screenshot above for placement of each action).

3. Add a Logon Page Action: This is a standard logon page with a username and password box.

4. Add an LocalDB Auth Action: This is a standard LocalDB Auth AAA pointed to an existing LocalDB Instance.

5. Add an Local Database Action: To add this action you will look under the “General Purpose” tab and select “Local Database”. In this you need to configure it as defined in the screen shot below. We target the same LocalDB instance we used in step 4. You will want to have the “User Name” set to the username captured in the Logon Page. You will then create a “Read” action for the DB Property “groups” and store it as “session.localdb.groups”.

6. Add a Client Type Action: This is a normal Client Type Action with three branches. Edge Client, Full or Mobile Browser and fallback.

7. Add a Logon Page Action: I labeled this “VPN Decision – LP”

In input 1 configure the following:
Type: select
Post Variable Name: group_name
Session Variable Name: group_name
Values:   Value: value   Text: value
Read Only: No

Leave input 2 – 5 as type of “none”.

Modify the following in the bottom Customization section:
Form Header Text: Please select which network you want to access.
Logon Page Input Field #1: Select Network
Logon Button: Continue

8. Add an Advanced Resource Assign Action: Create the following entries. You will need to enter the expression below in the Advanced Tab.

ENTRY 1
Expression: expr { [mcget {session.logon.last.group_name}] == "VEND2-DEV" && [mcget {session.localdb.groups}] contains "VEND2-DEV" }
Assignment:   Network Access: /Common/vend2-dev (this is a network access resource configured with all appropriate settings for the group assigned)

ENTRY 2
Expression: expr { [mcget {session.logon.last.group_name}] == "VEND1-PROD" && [mcget {session.localdb.groups}] contains "VEND1-PROD" }Assignment:   Network Access: /Common/vend1-prod

ENTRY 3
Expression: expr { [mcget {session.logon.last.group_name}] == "VEND1-QA" && [mcget {session.localdb.groups}] contains "VEND1-QA" }
Assignment:   Network Access: /Common/vend1-qa

ENTRY 4
Expression: Empty
Assignment:   Webtop: /Common/full_wt (this is just a full webtop object)

9. Add an Message Box on the browser branch of the Client Type Action: I labeled this one “Message Box - No Access Browser”. This is a standard message box alerting the user to use the edge client. You can allow users by using an Advanced Resource Assign, you can direct to a link to download the Edge Client.

10. Now that we have the Access Policy Create and the VPE configured the next step is to go into advanced customization and replace the logon.inc for the second logon page labeled “VPN Decision – LP”.

To modify the page we need to go to Access Policy > Customization > Advanced.

11. Expand the folder tree to get to the logon.inc page. Customization Settings > Access Profiles > /Common/edge_client_select_local_db > Access Policy > Logon Pages > VPN Decision – LP > logon.inc