access policy to check for AD group membership based on URI

dcarterjr
Altostratus

Hi. Trying to check for AD group membership to allow access to a URL based on a string in the URI.

In the Look for Login box, I'm using the branch rule `expr {[mcget {session.server.landinguri}] contains "/login.html"}`. I've tried several others, but it doesn't restrict based on AD group. Any ideas? Thanks

4 REPLIES

The variable "session.server.landinguri" will contain the first URI that triggered the access policy, and will not change each time you visit a new URI, so if you requested /home then /login, the first one will be your landing URI, the one that caused the creation of an APM session.

You should use another method to apply rules selectively depending on the requested URI, for example a per-request policy: Adding a URL branching rule (f5.com)

You can attach a layer 7 ACL so that after the access policy evaluation is done, users that do not have the AD group will be blocked for some URLs.

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_re...

https://my.f5.com/manage/s/article/K08200035

You can also see the link below: if you do not decrypt the traffic, FQDN domains or SSL SNI can be used with an iRule/local traffic policy, or a per-request policy that will check each request:

https://community.f5.com/t5/technical-forum/l7-https-acl-with-apm-ssl-vpn-not-working/td-p/207920

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implemen...

Edit:

You can also use the per-request policy to trigger an iRule that will get the session group membership, and if the users do not have the group but are trying to reach the destination FQDN/SNI, or the URL if you are decrypting the traffic and this is not a VPN APM implementation (for VPN/Portal you will need a layered VS https://my.f5.com/manage/s/article/K03113285 ), block the users if they do not have the group.

https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/apm/apm_policy_agent_irule-event.html
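As an added illustration of the iRule approach described in this reply (this is not code from the thread or from F5), the following iRule checks the AD group membership that the access policy stored in the session and returns 403 for the protected path when the group is missing. It assumes the access policy already ran an AD Query so that `session.ad.last.attr.memberOf` is populated; the group DN and the protected path are placeholders to replace with your own values.

```tcl
# Added example: per-request enforcement of AD group membership for one path.
# Assumes the access policy's AD Query has populated session.ad.last.attr.memberOf.
when RULE_INIT {
    # Placeholder values (constructed for this example): adapt to your environment.
    set static::protected_path "/login.html"
    set static::required_group "CN=LoginUsers,OU=Groups,DC=example,DC=com"
}

when HTTP_REQUEST {
    # Only evaluate requests whose path contains the protected string;
    # every other request passes through untouched.
    if { ![string match -nocase "*${static::protected_path}*" [HTTP::path]] } {
        return
    }

    # Without an allowed APM session there is nothing to check yet:
    # the access policy itself will send the user to log in.
    if { ![ACCESS::session exists -state_allow] } {
        return
    }

    # memberOf is multi-valued; APM joins the values with " | " in the session variable.
    set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]

    # Case-insensitive substring check for the required group DN.
    if { [string first [string tolower $static::required_group] [string tolower $groups]] == -1 } {
        log local0. "Blocked [IP::client_addr] from [HTTP::path]: not a member of $static::required_group"
        HTTP::respond 403 content "Forbidden" noserver "Connection" "close"
        return
    }
}
```

Attach the iRule to the same virtual server as the access profile. Because the check runs on every HTTP request rather than on the landing URI, it keeps working when the user browses to `/login.html` after first landing somewhere else, which is exactly the case where `session.server.landinguri` does not help.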

T-Trust
MVP

Hi dcarterjr,

So I think the first step is to log in, then go to the session overview and click the session variables to see the expression that matches landinguri.

have you looked at ACL's?
You can create one and set it on authorisation.