APM variable assign examples
Problem this snippet solves: APM variable assign is a powerful tool to manipulate APM variable during policy evaluation supporting tcl code. On Devcentral answers, there are lots of variable assignment done with irule event ACCESS_POLICY_AGENT_EVENT. these snippets show how to do the same as irule without irule event. Note : I wrote most of codes, some others are from threads I found in DevCentral Answers section. How to use this snippet: create a variable assign box in VPE, then Add new entry In left side, let custom variable / unsecure default choice set the new variable name (or name of the variable you want to change the value). you should use bold value above tcl code. for timeout changes, you must use bold value above tcl code. In expression : let custom expression default choice paste provided code Username / Domain management session.logon.last.username extract CN from certificate subject and set it in username variable set subject [split [mcget {session.ssl.cert.subject}] ",="]; foreach {name value} $subject { if {[string trim $name] equals "CN"} { return [string trim $value]; } } session.logon.last.username combine username and domain variables expr{"[mcget{session.logon.last.domain}]\\[mcget{session.logon.last.username}]"} session.logon.last.ntdomain extract NT domain name from logon name if { [mcget {session.logon.last.username}] contains "\\" } { set username [string tolower [mcget {session.logon.last.logonname}]]; return [string range $username 0 [expr {[string first "\\" $username] -1}] ]; } else { return {} } one-line code expr {[set username [string tolower [mcget {session.logon.last.logonname}]]] contains "\\" ? [string range $username 0 [expr {[string first "\\" $username] -1}] ] : "" } session.logon.last.domain static assignment from ntdomain switch[stringtolower[mcget{session.logon.last.ntdomain}]]{ "domain1"{return "domain1.local"} "domain2"{return "domain2.local"} default{return "default.local" } } session.logon.last.username Extract username name from logonname (full username from logon page even if split domain from username is checked) setusername[stringtrim[mcget{session.logon.last.logonname}]]; if{$usernamecontains"\\"}{ return[stringrange$username[expr{[stringfirst"\\"$username]+1}]end]; }else{return$username} session.logon.last.upn Extract UPN value from Certificate X509Extension setextension[stringtolower[mcget{session.ssl.cert.x509extension}]]; return[stringrange$extension[expr{[stringfirst"othername:upn<"$extension]+14}][expr{[stringlast">"$extension]-1}]]; session timeout management session.inactivity_timeout Change inactivity session timeout based on a checkbox on the logon page (logon variable trusted) if { [mcget {session.logon.last.trusted}] == 1 } { return {5400} } else { return {1800} } one-line code (5400 seconds if condition before ? success, 1800 seconds else) expr { [mcget {session.logon.last.trusted}] == 1 ? {5400} : {1800}} session.inactivity_timeout Change inactivity session timeout based on client type (iOS, Android and WindowsPhone : half of inactivity timeout configured in profile parameters) expr { [mcget {session.client.platform}] == "WindowsPhone" || [mcget {session.client.platform}] == "Android" || [mcget {session.client.platform}] == "iOS" ? [mcget {session.inactivity_timeout}]/2 : [mcget {session.inactivity_timeout}] } session.max_session_timeout force to close the session à 17:00 expr { [clock scan "17:00"] - [mcget {session.user.starttime}] } session.max_session_timeout After a AD query which retreive attribute logonHours, force to close the session when user at the end of allowed logon hours set maximumSessionSeconds 604800 if {[set logonHours [mcget {session.ad.last.attr.logonHours}]] != "" && $logonHours != "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"} { #convert string to binary string binary scan [binary format H* $logonHours] b* logon_hours_binary_string # evaluate the number of seconds from last sunday set time_from_sunday [expr {[clock seconds] - [clock scan "last sunday"]}]; # search in string next hours with 0 value set current_index [expr {$time_from_sunday / 3600}]; # convert the index to number of seconds from last sunday if {[set next_denied_index [string first 0 $logon_hours_binary_string$logon_hours_binary_string $current_index]] == $current_index } {return 0} # evaluate number on seconds to disconnect time return [expr { $next_denied_index*3600 - $time_from_sunday}] } else { return $maximumSessionSeconds} Windows Info session.windows_info_os.last.fqdn search and return FQDN hostname in computer names list after windows Info Box foreach x [split [mcget {session.windows_info_os.last.computer}] "|"] { if { $x ends_with ".f5demo.lab" } { return $x } } session.windows_info_os.last.computer_name search FQDN hostname in computer names list after windows Info Box, then return shortname (without domain name) foreach x [split [mcget {session.windows_info_os.last.computer}] "|"] { if { $x ends_with ".f5demo.lab" } { return [lindex [split $x "."] 0] } } Machine cert To allow machine certificate revocation validation, add a variable assign with 2 following variables before OCSP or CRLDP boxes. session.ssl.cert.whole store machine certificate as it was user certificate expr {[mcget {session.check_machinecert.last.cert.cert}]} session.ssl.cert.certissuer store machine certificate issuer as it was user certificate issuer expr {[mcget {session.check_machinecert.last.cert.issuer}]} HTTP auth returned cookie parsing session.custom.http_auth_mycookie extract from HTTP auth cookie list the cookie value of mycookie expr { [lindex [regexp -inline {mycookie=([^;\\\r]*)} [mcget session.http.last.response_cookie]] 1] } replace portal or network access Webtop by full webtop if unsupported resource are assigned Webtop can be: Portal webtop : define an internal web server as home page Network access Webtop : start automatically Network access when connected Full Webtop : display all assigned ressources in one page hosted on the F5. Some customers want to assign different webtop based on assigned ressources. one portal ressource only -> portal webtop one Network access ressource only -> Network Access ressource more than one portal ressource -> Full webtop more than one Network access ressource -> Full webtop RDP, Application tunnel, SAML ressources assigned -> Full Webtop In Advanced ressource assign, the last assigned webtop is applied to the session. If the user is assigned non portal ressource (ex : RDP) and portal webtop, he will not be allowed to connect. session.assigned.webtop this code code is used if portal or network access webtop are assigned and number of resources is supported only with full webtop set fullwt /Common/wt-Full; set wt [mcget {session.assigned.webtop}]; set pa [llength [mcget {session.assigned.resources.pa}]]; set at [llength [mcget {session.assigned.resources.at}]]; set na [llength [mcget {session.assigned.resources.na}]]; set rd [llength [mcget {session.assigned.resources.rd}]]; set saml [llength [mcget {session.assigned.resources.saml}]]; if {$rd || $at || $saml || ([expr { $pa + $na }] > 1)} {set wt $fullwt}; unset fullwt; unset pa; unset at; unset na; unset rd; unset saml; return $wt; one-line code. Don't forget to replace "/Common/wt-Full" with your own webtop full in expression. expr { [llength [concat [mcget {session.assigned.resources.rd}] [mcget {session.assigned.resources.at}] [mcget {session.assigned.resources.atsaml}]]] || [llength [concat [mcget {session.assigned.resources.pa}] [mcget {session.assigned.resources.na}]]] >1 ? "/Common/wt-Full" : [mcget {session.assigned.webtop}]} Same condition for Advanced resource Assign condition. This condition doesn't match with previous rules in the same Advanced resource assign. must be in a dedicated resource assign box. expr { [llength [concat [mcget {session.assigned.resources.rd}] [mcget {session.assigned.resources.at}] [mcget {session.assigned.resources.atsaml}]]] || [llength [concat [mcget {session.assigned.resources.pa}] [mcget {session.assigned.resources.na}]]] >1} For Kerberos SSO when working with Kerberos SSO, 2 variable sources must be set: username : must be equal to user sAMAccountName domain : must be equal to user FQDN domain When working on access policy with multiple SSO method depending on the URI, Host header or some other parameters, you may have conflict on default SSO variables. For example, for Exchange : activesync SSO profile is basic with username format is NTDOMAIN\username Autodiscover SSP profile can be NTLM with username format is username domain format is NTDOMAIN OWA SSO profile can be kerberos with username : must be equal to user sAMAccountName domain : must be equal to user FQDN domain like DOMAIN.LOCAL (different than NT Domain) default SSO variables are : session.sso.token.last.username session.sso.token.last.password session.logon.last.domain to support multiple SSO on the same Access policy, I recommende to set new variables based on previous AD Query session.krbsso.username expr {[mcget {session.ad.last.attr.sAMAccountName}]} session.krbsso.domain expr {[mcget {session.ad.last.actualdomain}]} Code : No code
Assign a variable based on AD query
I think I have this figured it but was hoping to get a sanity check. I have an access policy that is querying AD. Later on I am sending an email to the user but there are two potential email fields. If the user has f5EmailAddress as an AD attribute then I need to use that - if they don’t then I need to use session.ad.last.email. I think this should just be a variable assignment after the AD query but I’m not sure if my syntax is correct. Here’s what I have (forgive me in advance I’m writing this on an iPhone) session.custom.company.email = if { ( [mcget {session.ad.last.attr.f5ProfileEmailAddress}] contains “@“)} { return ([mcget {session.ad.last.attr.f5ProfileEmailAddress }]} else { return ([mcget {session.ad.last.attr.email}])}
BIG-IP : variable value in case set fails
f5 BIG-IP LTM VE v11.4.0 on ESXi tcl does not have a concept of null nil undefined So what value do variables assume in the case where the set operation fails to retrieve a value ? set param1 [URI::query [HTTP::uri] param1 ] What is param1 value for case where "param1=xxx" not present in query-string ? set cookie1 [HTTP::cookie value "cookie1"] What's cookie1 value for case where request doesn't contain cookie "cookie1" ?
(APM) I have a need to combine two fields from login page for AD authentication
In AD we have our user accounts in format of username.clientid Our login page contains fields for: username, password and clientid. Username in format of login page entry is just the user's name without the client id attached. Can anyone assist with the process to concatenate the username and clientid in format listed above for AD authentication "username.clientid"? Thanks
