
APM irule to assign the "advance resource assign" and "static IP" based on username while connecting vpn

Hello Guys,

I'm new to iRules. I need help writing an iRule for my access policy so that when, e.g., username "abc" connects to the SSL VPN, the "corporate network resource" is assigned to it along with a "static IP", and when username "xyz" comes in, the "dmz network resource" is assigned to it along with a "static IP". The network resources are already defined separately in the access policy. I need to do this for around 100 users.

I have found the iRule on the F5 site for assigning the static IP, but I am not able to figure out how to assign network resources via an iRule.

iRule for static IP assignment:

when ACCESS_POLICY_AGENT_EVENT {
    # Act only on the iRule Event agent whose ID is "VPN"
    if { [ACCESS::policy agent_id] eq "VPN" } {
        # Look up the logon username in the VPN data group and request that IP
        ACCESS::session data set session.requested.clientip [class lookup [ACCESS::session data get "session.logon.last.username"] VPN]
    }
}

Comments on this Question
Comment made 05-Jul-2018 by youssef 4067

Hi.

Why do you want to assign network resources using an iRule?

You can assign it directly in the VPE?

Regards

Comment made 05-Jul-2018 by Ismaeel Butt 17

I want to use an iRule because I need to assign a static IP to each user and also to assign different network resources to different users under the same URL (can't use a different URI).


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Ismael,

In fact, you can assign a static IP to each user using an iRule or the VPE. In any case, I advise you to use the VPE; it's more flexible and your configuration is managed at one point.

Moreover, you don't need an iRule to assign network resources.

You can assign a "Network resource" by AD group or username or other, depending on your need. And to do that you can use the VPE and not an iRule.

Do you need help to achieve this using the VPE only? I can give you tips/steps to achieve it if you need.

Regards

Comments on this Answer
Comment made 08-Jul-2018 by Ismaeel Butt 17

Hi Youssef,

I was thinking of an iRule because 1) to make it a data group so that it is easy to assign an IP and network resource to a specified username in the data group. And secondly, to avoid AD groups, although VPN authentication will be done through AD.

Is the above possible with the VPE only? Appreciate your help :)

Comment made 10-Jul-2018 by youssef 4067

Hi Ismael.

You can do it using the VPE and an iRule, of course.

Use a session variable:

custom variable:
session.requested.clientip

Custom expression:
if { [mcget "session.logon.last.username"] contains "bob" } {
    return "1.1.1.1"
} elseif { [mcget "session.logon.last.username"] contains "mickael" } {
    return "1.1.1.2"
} elseif { [mcget "session.logon.last.username"] contains "james" } {
    return "1.1.1.3"
} elseif { [mcget "session.logon.last.username"] contains "william" } {
    return "1.1.1.4"
}

Then create an rdp profile using this value: %{session.requested.clientip}

You can also use an iRule: for this you have to use an iRule event and call an iRule, and as you specified in your previous mail, you can use a data group:

You have to create a DG user_corespondance_dg:

ltm data-group internal /Common/user_corespondance_dg {
    records {
        mickael {
            data 1.2.3.4
        }
    }
    type string
}

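Then set this iRule (don't forget to attach it to your VS):

when ACCESS_POLICY_AGENT_EVENT {
    # Data group keys are lower-case, so normalise the logon name first
    set username [string tolower [ACCESS::session data get session.logon.last.username]]

    # Act only on the iRule Event agent whose ID is "VPN"
    if { [ACCESS::policy agent_id] eq "VPN" } {
        # Look up the user's static IP in the data group
        set clientip [class match -value $username == user_corespondance_dg]
        ACCESS::session data set session.requested.clientip $clientip
        # Writes the username and IP to the log, as in the line shown below
        log local0. "$username - $clientip"
    }
}

You will obtain these logs and the session variable will be set.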

Rule /Common/irule_user_ip <ACCESS_POLICY_AGENT_EVENT>: mickael - 1.2.3.4

Keep me in touch. I tested it, it will work!!!
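With around 100 users in one data group, it helps to check the records before loading them. The following is an added example, not part of the original thread or F5's code: a Python check over a data group in the tmsh layout shown above, flagging keys that the lower-cased lookup can never match, malformed addresses, and static IPs given to more than one user. The sample records and the `audit` function name are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the tmsh layout shown above; users and IPs are made up.
SAMPLE_DG = """
ltm data-group internal /Common/user_corespondance_dg {
    records {
        mickael {
            data 1.2.3.4
        }
        Bob {
            data 1.2.3.5
        }
        james {
            data 1.2.3.4
        }
        william {
            data 1.2.3.400
        }
    }
    type string
}
"""

RECORD_RE = re.compile(r"^[ \t]*(\S+)[ \t]*\{\s*data\s+(\S+)\s*\}", re.M)

def audit(text):
    """Return (key, problem) findings for a string data group."""
    findings, ip_owner, keys = [], {}, set()
    for key, data in RECORD_RE.findall(text):
        # The iRule looks up the lower-cased username and the lookup is
        # case-sensitive, so a key with capitals never matches.
        if key != key.lower():
            findings.append((key, "key not lower-case"))
        if key.lower() in keys:
            findings.append((key, "duplicate username"))
        keys.add(key.lower())
        try:
            ip = ipaddress.ip_address(data)
        except ValueError:
            findings.append((key, "invalid IP"))
            continue
        # Each static IP should belong to exactly one user.
        if ip in ip_owner:
            findings.append((key, f"IP already assigned to {ip_owner[ip]}"))
        ip_owner.setdefault(ip, key)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_DG))
```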