Using APM to secure VS by machine name

Hi,

We are attempting to meet compliance standards and determine a way to secure access to our Virtual Servers. Short of ACLs, which due to our IP design being based on geography rather than departments in our company would cause us to do a complete redesign and be an administrative nightmare, we determined the next best solution would be to utilize the APM. These servers sit directly behind the F5.

Our only requirement is: We must secure access based on machine name (rather than user)

How we had planned to do this was the following: utilizing our PKI, deploy certificates based on machine name. Then, query AD utilizing the machine name to determine if you're allowed access.

We've been able to create a certificate and use the module Machine Cert Auth to accomplish the first part. The part we're having extreme trouble with is performing a query based on machine name with AD.

My main concern is, how does the F5 gather the machine name to perform this lookup? The cert contains the machine name, so it's almost as if we could develop an iRule to strip it from the cert that would work (above my head). Also, I know F5 has this Edge Client that maybe we could deploy to gather this info to perform the lookup.

I'd really appreciate any feedback on our current design OR any ideas for alternate solutions utilizing the F5.

Comments on this Question
Comment made 19-Feb-2015 by Seth Cooper
I'm guessing just having a valid AD issued certificate isn't enough to validate the machine since you also want to query the domain? What information do you want about the machine from AD? Provide a little bit more info on this and we might be able to help devise a solution to help you out.
Comment made 19-Feb-2015 by Nfordhk 389
We were going to use the actual machine name to query an OU. Put all the machines that we want to have access in a specific OU. Do you have a cert? Yes. Are you in this OU? Yes. Okay, you can have access.
Comment made 19-Feb-2015 by Nfordhk 389
We're open to other options but the requirement is based solely on machine, not user.

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

What you want to do is possible but is a little complicated and involves many steps. I will share my sample Policy and describe each step. You can place this in just about any order in your policy but you need to have three things in the correct order. You need to have a "Windows Info" then the "iRule Event" then an "AD Query". You can place these before the machine certificate or after, it doesn't matter. Please let me know if you have any questions.


  1. You need to have a "Windows Info" VPE Action. This action doesn't have to have any branch rules on it, but you need to make sure you run this on a Windows machine.
  2. You need to have an "iRule Event" VPE Action. In the action I used the ID "get_computer_name". This ID matches a name in the iRule.
  3. You need to have an "AD Query" VPE Action. In this you will configure a few things:

     Search Filter: name=%{session.custom.computer}

     I also add a branch rule to check if the computer is in the group I created, which was "Approved_Computers":

     User is a member of CN=Approved_Computers,CN=Computers,DC=cooper,DC=local

These three VPE Actions along with the following iRule should get this going for you. I have tested this and it works great!

when RULE_INIT {
    # Domain suffix to look for in the Windows Info result; change this to match your AD domain
    set static::THIS_DOMAIN ".cooper.local"
}

when ACCESS_POLICY_AGENT_EVENT {
    # Fired by the "iRule Event" VPE action; the ID configured there must match this string
    if { [ACCESS::policy agent_id] eq "get_computer_name" } {

        # Windows Info populates a '|'-delimited list of host names and FQDNs
        set computer [string tolower [ACCESS::session data get "session.windows_info_os.last.computer"]]
        foreach x [split $computer "|"] {
            # First entry ending in our domain: keep the short host name (text before the first '.')
            if { $x ends_with $static::THIS_DOMAIN } {
                set machinename [lindex [split $x "."] 0]
                # Consumed by the AD Query search filter: name=%{session.custom.computer}
                ACCESS::session data set session.custom.computer $machinename
                return
            }
        }
    }
}

You need to save this iRule and add it to the Virtual Server that is hosting the APM Policy. You will need to modify the variable "THIS_DOMAIN" in the iRule to match your domain you are checking for.

Please let me know if you have any questions on this or need any more details.

Regards,

Seth Cooper

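As an added example that is not part of Seth's answer or any F5 code, the iRule's parsing and the AD Query filter modelled in plain Python so the logic can be checked offline. The '|'-delimited session.windows_info_os.last.computer value is the one quoted from sessiondump later in this thread; the domain suffix and host names are placeholders. Two things the model makes explicit: when no entry ends with the domain the iRule returns without setting session.custom.computer, so the AD Query runs with an empty "name=" filter (the failure quoted below), and the host name comes from the endpoint's Windows Info check, i.e. it is reported by the client rather than taken from the machine certificate, so it is escaped here per RFC 4515 before being placed in the filter. Whether APM escapes substituted session variables itself is not stated on this page; that is an assumption to verify, and the escaping function is an addition of this example.

```python
from typing import Optional

# Constructed input: the value of session.windows_info_os.last.computer
# as quoted from 'sessiondump -allkeys' later in this thread.
SAMPLE_COMPUTER = ("|testserver2|testserver2|ourdomain.com|testserver2.ourdomain.com"
                   "|testserver2|testserver2|ourdomain.com|testserver2.ourdomain.com|")


def extract_machine_name(computer_value: str, this_domain: str) -> Optional[str]:
    """Same steps as the iRule's ACCESS_POLICY_AGENT_EVENT handler:
    lower-case the value, split on '|', take the first entry that ends with
    this_domain and return its short host name (text before the first '.').
    The domain is lower-cased too, which the iRule leaves to the operator.

    Returns None when nothing matches.  The iRule then never sets
    session.custom.computer and the AD Query runs with an empty
    'name=' filter, which is the failure quoted in the thread."""
    this_domain = this_domain.lower()
    for entry in computer_value.lower().split("|"):
        if entry.endswith(this_domain):
            return entry.split(".")[0]
    return None


# RFC 4515 escapes for characters that change the meaning of an LDAP filter.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value that is about to be embedded in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(machine_name: Optional[str]) -> str:
    """Model of the AD Query's 'name=%{session.custom.computer}' filter.

    The Windows Info host name is reported by the endpoint, so it is treated
    here as untrusted input and escaped before substitution (assumption: this
    page does not say whether APM escapes substituted variables itself)."""
    if not machine_name:
        raise ValueError("session.custom.computer is unset; AD query would run "
                         "with an empty 'name=' filter and fail")
    return "name=" + ldap_filter_escape(machine_name)


def apm_search_filter(computer_value: str, this_domain: str) -> str:
    """End to end: Windows Info value -> machine name -> AD search filter."""
    return build_search_filter(extract_machine_name(computer_value, this_domain))


if __name__ == "__main__":
    print(apm_search_filter(SAMPLE_COMPUTER, ".ourdomain.com"))
```

Run it as-is to see the filter built from the sample value; change the domain argument to one the sample does not contain to reproduce the empty-filter failure.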
Comments on this Answer
Comment made 20-Feb-2015 by Nfordhk 389
Hi Seth, First let me say thanks so much for taking the time out to assist with our issue. I went ahead and copied your recommendations and modified accordingly. At this time, I'm going to eliminate the cert portion. It did unfortunately fail. I checked the logs and it seems it's not stripping the computer name. Will this be shown in the APM logs since the iRule is doing this work? We're not running an F5 Edge Client or anything. One thing I did want to note is that our DN structure starts with an OU. Is this an issue possibly? Here's an example:

    OU=Mobile,OU=Computers,OU=NHO,DC=google,DC=com

Error message in the logs:

    AD module: query with 'name=' failed: no matching user found with filter name= (-1)

Is it possible at this point that we have our AAA server set up incorrectly for the query?
Comment made 20-Feb-2015 by Nfordhk 389
I just looked at the stats for the iRule:

    get_computer_name  Common  ACCESS_POLICY_AGENT_EVENT  0  0  0
    get_computer_name  Common  RULE_INIT                  2  0

0 executions for access_policy_agent.

What does your policy look like? Did you create the iRule event correctly?

You need to have an "iRule Event" VPE Action. In the action I used the ID "get_computer_name". This ID matches a name in the iRule.

You need to make sure the ID is correct as this is checked in the iRule.

Comments on this Answer
Comment made 20-Feb-2015 by Nfordhk 389
Yes I did create the iRule. I posted some photos in a new response

Hi Seth,

Yes I created the iRule. Attached are some photos


Comments on this Answer
Comment made 23-Feb-2015 by Seth Cooper
So I assume you are getting to the "Not Approved - Message Box"? I would suggest while at this page do a "sessiondump -allkeys | grep <sessionid>" from the command line and see what is listed in session.windows_info_os.last.computer". It might be that the session variable isn't populated when the iRule runs. It is also strange that your statistics are showing the ACCESS_POLICY_AGENT_EVENT isn't getting triggered. One other thing to try is to run Internet Explorer "as Administrator" and see if that helps if the windows info agent isn't getting anything. -Seth

Ahh, the command lines show a lot more info

 0e9eba9c.session.windows_info_os.last.computer 167 |testserver2|testserver2|ourdomain.com|testserver2.ourdomain.com|testserver2|testserver2|ourdomain.com|testserver2.ourdomain.com|

I did change the search string to where this server is located.

Comments on this Answer
Comment made 23-Feb-2015 by Nfordhk 389
Are these fields supposed to be blank?

    d4f2c301.session.ad./Common/pra-poc-f5-forum_act_active_directory_query_ag.errmsg 40 no matching user found with filter name=
    d4f2c301.session.ad./Common/pra-poc-f5-forum_act_active_directory_query_ag.queryresult 1 0
    d4f2c301.session.ad.last.errmsg 40 no matching user found with filter name=
Comment made 23-Feb-2015 by Seth Cooper
Nope... since we are getting the session.windows_info_os.last.computer variable the iRule should parse the array and create the session.custom.computer variable that the VPE can use in the ADQuery. Does your iRule appear to be firing now? You can add a log statement to the iRule and see if we are getting to the right place. If you can validate that we will move on to the next step which would be your AD Query action. -Seth
Comment made 25-Feb-2015 by Nfordhk 389
I dont think the irule is even being utilized. Commented more info below

Those numbers don't increment at all. I even copied and pasted the name. I added the logging:

when RULE_INIT {
    set static::THIS_DOMAIN ".insertdomain.com"
    log local0.
}

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "get_computer_name" } {
        log local0.

        set computer [string tolower [ACCESS::session data get "session.windows_info_os.last.computer"]]
        foreach x [split $computer "|"] {
            if { $x ends_with $static::THIS_DOMAIN } {
                set machinename [lindex [split $x "."] 0]
                ACCESS::session data set session.custom.computer $machinename
                return
            }
        }
    }
}

I think this is all it gave:

Feb 25 14:13:33 nho-bigip-test info tmm[14917]: 01220002:6: Rule /Common/get_computer_name : local0.

Feb 25 14:13:33 nho-bigip-test info tmm1[14917]: 01220002:6: Rule /Common/get_computer_name : local0.

Comments on this Answer
Comment made 25-Feb-2015 by Seth Cooper
Please update the log statements to help determine where the iRule is getting to:

    log local0. "ACCESS_POLICY_AGENT_EVENT before if"
    log local0. "ACCESS_POLICY_AGENT_EVENT after if"

Place these at different places to see what is getting fired and what isn't getting fired. Just to confirm... you did add the iRule to the Virtual Server that the APM policy is tied to? Seth
Comment made 25-Feb-2015 by Nfordhk 389
Doh! Sorry Seth, I wasn't aware it still needed to be applied to the VS in this scenario. I went ahead and did that. I see tons more information in the logs now. Still failing access but now the iRules are executing. Also there is no more blank fields for the AD query portion. I see the correct DN for the server, it's matching my branch rule. Not sure why it would be failing here.
Comment made 25-Feb-2015 by Nfordhk 389
i'll add the irule logs and paste the results
Comment made 25-Feb-2015 by Seth Cooper
Now that the iRule is working and the ad query is running what is populated in session.ad.last.attr.memberOf and what does your branch rule look like? Seth
Comment made 26-Feb-2015 by Nfordhk 389
I do not see that string for "session.ad.last.attr.memberOf" anywhere. Although your previous comment mentioned session.windows_info_os.last.computer. Did you mean that?
Comment made 26-Feb-2015 by Seth Cooper
"session.windows_info_os.last.computer" is needed for the iRule to parse the string and then create the variable "session.custom.computer" with the computer name that is passed into the AD Query. The result from the AD Query should be a lot of session variables (session.ad.last.attr.*). One of these variables will be memberOf which is what contains the groups that we are going to check against to see if the computer has access or not. If you post a qkview to iHealth I can look at it.
Comment made 02-Mar-2015 by Nfordhk 389
I uploaded it. Do you work for F5? How do you see it?
Comment made 02-Mar-2015 by Seth Cooper
Hi, Yes I work for F5 so I can see into the iHealth Database. I don't see anything wrong with the configuration. Can you turn up logging on the Access Policy (under system, logs) to Informational? This will let you see more of what is going on in the /var/log/apm log file. The information you see should help you troubleshoot this. Seth
Comment made 02-Mar-2015 by Nfordhk 389
All the LTM log is showing is the log comments. The iRule is executing successfully, it seems. No mention of anything AD query related.

Hey Nick,

I have reproduced the issue you are seeing. The only group your computer is in is also the primary group for that computer. In the AD Query object you need to enable "Fetch Primary Group". This will populate the session.ad.last.attr.memberOf session variable with the group your computer is in. After I enabled it on my env I got the following entry...

 489fcf1a.session.ad.last.attr.memberOf 47 CN=Domain Computers,CN=Users,DC=cooper,DC=local

As you can see "Domain Computers" is the primary group and it wouldn't be returned unless you enable it in the AD Query.

Please test and let me know if this resolves your issue.

Seth

Comments on this Answer
Comment made 03-Mar-2015 by Seth Cooper
It is always good to clear the "Group Cache" for the AD AAA object after modifying something like this. To clear the cache go to the AD AAA object and click the "Clear Cache" button by the "Group Cache Lifetime" input box.
Comment made 03-Mar-2015 by Nfordhk 389
Ahhh awesome! Works great! My only last issue is it created the attribute:

    90f995f3.session.ad.last.attr.memberOf 60 | CN=Domain Computers,CN=Users,DC=ourdomain, DC=com

And if I change my branch rule to match this, it works. However, we were trying to match based on our DN OU structure. Such as:

    90f995f3.session.ad.last.attr.dn 61 CN=SERVERNAME,OU=Servers,OU=NHO,DC=OURDOMAIN,DC=com

but obviously just "OU=Servers,OU=NHO,DC=OURDOMAIN,DC=com". What would be the path of least resistance to achieve this?
Comment made 03-Mar-2015 by Nfordhk 389
Oh awesome, I was just able to change it to:

    expr { [mcget {session.ad.last.attr.distinguishedName}] contains

Great! Yea... you just need to see what values you have to choose from that AD returns and base your logic off of that. If distinguishedName is better for your scenario then use it.

Glad you could get it working!

Seth

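An added example, not from this thread or from F5: the two branch-rule checks discussed in the last few answers (group membership via memberOf once "Fetch Primary Group" is enabled, and placement of the computer object under an OU via distinguishedName) modelled in Python. The sample memberOf and DN values are constructed from the session variables quoted above; the assumptions are that APM joins multi-valued attributes with '|' (which is how the quoted memberOf line reads) and that DNs should compare case-insensitively. The subtree check splits the DN into RDNs on unescaped commas and compares the trailing RDNs against the OU, rather than the substring `contains` used above: a substring match is case-sensitive (the thread shows both DC=OURDOMAIN and DC=ourdomain coming back from AD) and it leaves implicit that a computer in an OU nested under Servers also matches. Multi-valued RDNs ('+') and hex escapes are not decoded.

```python
from typing import List

# Constructed sample values, patterned on the session variables quoted in
# this thread (memberOf after "Fetch Primary Group" was enabled, and the
# computer's distinguishedName).  Assumption: APM joins multi-valued
# attributes with '|', which is how the quoted memberOf line reads.
SAMPLE_MEMBER_OF = "| CN=Domain Computers,CN=Users,DC=ourdomain, DC=com"
SAMPLE_DN = "CN=SERVERNAME,OU=Servers,OU=NHO,DC=OURDOMAIN,DC=com"
APPROVED_OU = "OU=Servers,OU=NHO,DC=ourdomain,DC=com"
APPROVED_GROUP = "CN=Approved_Computers,CN=Computers,DC=ourdomain,DC=com"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash
    escaping), trimming whitespace and lower-casing each RDN so that
    'DC=OURDOMAIN' and 'DC=ourdomain' compare equal.  Multi-valued RDNs
    ('+') and hex escapes are not decoded."""
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [r.strip().lower() for r in rdns]


def dn_in_subtree(dn: str, base: str) -> bool:
    """True when dn equals base or lies anywhere beneath it: the trailing
    RDNs of dn must match base RDN for RDN, which a substring 'contains'
    on the raw string does not guarantee."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def apm_multivalue(value: str) -> List[str]:
    """Split an APM multi-valued attribute ('|'-joined, leading '|' allowed)."""
    return [p.strip() for p in value.split("|") if p.strip()]


def member_of(member_of_value: str, group_dn: str) -> bool:
    """Group check equivalent to the 'User is a member of <group DN>' branch
    rule, comparing DNs RDN by RDN rather than as raw strings."""
    target = split_dn(group_dn)
    return any(split_dn(g) == target for g in apm_multivalue(member_of_value))


def computer_allowed(dn: str, member_of_value: str) -> bool:
    """Decision behind the thread's branch rule: allow when the computer
    object sits under the approved OU or is in the approved group."""
    return dn_in_subtree(dn, APPROVED_OU) or member_of(member_of_value, APPROVED_GROUP)


if __name__ == "__main__":
    print(computer_allowed(SAMPLE_DN, SAMPLE_MEMBER_OF))
```

The same anchored comparison can be expressed in the VPE by checking that the DN `ends_with` the OU string; the point of the model is to make the case-folding and RDN-boundary behaviour explicit before relying on it.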
Comments on this Answer
Comment made 03-Mar-2015 by Nfordhk 389
Seth you're the best. Thanks so much for all of your help :)
Comment made 03-Mar-2015 by Seth Cooper
Thanks Nick!

Is there a possible update to this answer? I'm interested in implementing a solution like this but am wondering if querying AD for membership of the device has been baked into the platform now.


I have a similar scenario and have done everything advised here, but I am getting the error below:

Your session could not be established.

The session reference number: f08d3ea4

Access was denied by the access policy. This may be due to a failure to meet access policy requirements.

If you are an administrator, please go to Access Policy >> Reports : All Sessions page and look up the session reference number displayed above.

To open a new session, please click here

Can someone help in this regard?
