dynamic acl
APM Dynamic ACL assignment from AD

Greetings! I had a static ACL applied to a Network Access Resource. In testing static assignment, it worked fine. So I took the same logic, formatted it as an F5 ACL, and put it in AD, in the test account's "info" attribute. Using my test client and viewing the debug logs, it seems to load the ACL (as HEX encoded, which seems a little weird) but clearly isn't working. The test client can access any resources it can route to.

I tried:
1. to send the entire list as a "one liner", and it wouldn't load.
2. to set the list, one ACL per line, using Windows default line termination (CR/LF), and that didn't work (it loaded as hex encoded though).
3. to set the list, one ACL per line, using Unix line termination (LF), and that ostensibly worked the same as number 2 above.

Question: Has anyone done this?

The ACL looks like this:
{ allow tcp any 10.100.32.15:3389 }
{ allow tcp any 10.100.32.15:80 }
{ allow tcp any 10.100.32.15:443 }
{ allow udp any 10.100.1.84:53 }
{ allow udp any 10.100.1.85:53 }
{ deny ip any any }

The goal is to allow remote web developers access to a workstation over RDP and to connect to web services they use for testing their work. What am I doing wrong? Thanks for any pointers. Mike

F5 Dynamic ACL format for AD based attribute

I have reviewed the dynamic ACL documentation at: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-11-5-0/2.html

However, ACLs are not working as I expect them to. Is there a way to debug how APM is parsing the ACLs being returned from LDAP? I can see messages in the debug mode, but the page is not producing an ACL deny message:

Sep 2 13:09:00 TST-VE-BIGIP debug apd[11021]: 01490000:7: modules/ResourceAssignment/DynamicAcl/DynamicAclAgent.cpp func: "DynamicAclAgentexecuteInstance()" line: 484 Msg: agent_dynamic_acl source session.ad.last.attr.extensionAttribute5: deny https any 10.0.0.0/8 *://*/app1/Engine

On the frontend the URL is HTTPS, but on the backend it is HTTP over port 443. What I am not certain about is what the target URLs should match. I have implemented this ACL via a statically defined ACL within APM; however, I want to evaluate centralizing our ACLs within the LDAP directory where account management and access control occurs. Thank you.

APM dynamic ACLs attached to AD or LDAP groups

Hi, I am building a client VPN setup with F5 APM. It's working quite well so far. I have a static ACL configured for now. I would like to use dynamic ACLs in the future so managers can give their team members access themselves by adding them to specific LDAP or AD groups (we use both).

My question is, is this even possible? Can I add ACLs to groups? And if yes, how does the F5 then know which groups it should read ACLs from, since a user could be in different groups? The groups would be preconfigured in LDAP/AD and all ACLs would be configured on the group, e.g. sales guys need access to specific tools. I would create a group in LDAP/AD for this purpose and add the appropriate ACLs to this group. The manager could then add his team members to this group, and thus the group members have access to the needed services. But the user could also be in many other groups.

I was thinking about some sort of naming convention for the groups, like acl-sales, acl-internet-access, so the F5 only looks in groups that start with acl-. Hope you understand my question and that I have understood dynamic ACLs correctly. Thanks in advance.