Forum Discussion

George_Tz_34325
Feb 06, 2013

APM Policy, How to failback to login page

Dear All,

I am trying to build an APM policy with an external web page for login (i.e. http://www.externalloginpage.com).

The external login page posts back to the F5 my.policy URI. The post is authenticated by APM and AD authentication.

I have created custom branches for the AD Authentication object based on the session.ad.last.authresult and session.ad.last.errmsg parameters, to separate the different AD authentication errors. Based on the values of these parameters I want to redirect back to the external login page plus a custom HTML parameter for pointing out the error, i.e. http://www.externalloginpage.com?error=00001.

If I do this, the APM policy never reaches the "DENY" block, and the initial APM session is not killed. Then, at the next post of credentials to the my.policy page, I get the following error:

Your session could not be established.

Access was denied by the access policy. This may be due to a failure to meet access policy requirements. If you are an administrator, please go to Access Policy >> Reports : All Sessions page and look up the session reference number displayed above. To open a new session, please click here

Does anyone know how to tackle this problem, either by forcing the old session to be killed, by trying to reuse it, or by any other method that I cannot think of?

Any help would be appreciated.

Thanks,

George

7 Replies

  • Hi George,

    Have you tried setting the Access Policy Timeout to a shorter time frame? The default is 300 seconds which is 5 minutes. I'm not sure what you are checking in your policy but say you are just doing AD auth... set the timeout to 30 seconds maybe 15... by the time you redirect them to the login page with the error and they try again the session should have already expired. I have not tested this so please let me know if it works for you.

    - Information from online Help -

    Access Policy Timeout

    The timeout requires that a user, who has executed an access policy, must complete the access policy before the timeout expires. This means that the various security checks contained within the access policy (end point security checks, authentication checks, etc.) must execute completely within the specified time duration.

    -----------------------------------------

    You can change this timeout by going to the Access Profile section and clicking on the profile name, then under "Settings" you will modify the "Access Policy Timeout".

    Thanks,

    Seth Cooper
  • Hi Seth,

    Thanks for your reply. I tried your suggestion, but it did not work. I think I must find a way to forcefully close the session prior to loading the external login page.

    What I am trying to do is find a way to notify the user of the AD Authentication errors, such as invalid credentials, locked user, etc.

    If I was using the F5's (internal) login page, I would be able to see all the AD Authentication error messages automatically on that screen. With an external login page, I haven't found the functionality of passing the error indication to it, which is why I am trying to do it with URL parameters and external page redirection upon an error (i.e. session.ad.last.authresult = 0).

    How could one do this, with an external login page?

    Thank you for your time,

    George

  • Hi All,

    There is a "Redirect" type APM ending, which I've managed to completely miss. I can add the redirect to my external login page and I can set the ending to end the APM session.

    I think this will work. I will try it now.
  • Hi,

    As I previously wrote, I tried to use the redirect APM ending to feed URL parameters to the external login page. The redirect works OK, but then I had no way to start the APM policy.

    I can't find a way to cleanly overcome my problem. I will try to re-explain my situation, in case anyone knows a different approach to what I am trying to accomplish.

    I have an APM policy with an external login page, which authenticates with an AD object. If I was using the F5's login page and a user inputs a wrong username or password into the form, after submitting, the form returns with the following error message: "The username or password is not correct. Please try again.". With the external login page, after wrong credentials are submitted, it will just reload the page with no indication of what went wrong, as the external login page has no way to detect the error.

    How can I make the AD Authentication object of the APM policy communicate the error message to the external login page?

    Has anyone ever had the same requirement?

    Any help will be appreciated.

    Regards,

    George
  • Hi George,

    I have created your scenario in my lab and I have it working as you want... Can you confirm on your redirect ending you have the "Close session after redirect" box checked?

    Here is what I did to recreate... I have an external login page which does a post to my APM VIP and an iRule that pulls the information and puts it into a session variable. I then check for the variable and go into an AD Auth action. When I exit the auth after I fail I then go to the redirect ending which sends me back to my external login page.

    Can you explain how your use case is different from how I tested?

    Thanks,

    Seth Cooper
  • Hi Seth,

    Yes, the "Close session after redirect" was checked.

    My APM starts when a user accesses a specific page with a web form, handled by a virtual server. When the APM starts, the client gets redirected to the external web page.

    The only thing that was missing from the APM is an iRule that fires just after the APM starts and stores the URI parameters found on the URL of the page with the form into a custom session variable. Then the external login page block starts. I configured the URI of the external login page to include the session variable from the iRule. When a redirect ending is reached, I redirect to the web page with the form, plus my parameter, and problem solved!

    Thanks for looking into it,

    George
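
An added example (not George's or Seth's own iRule, which the thread does not show) of the pattern the last two replies describe: an iRule that runs when the APM session starts, reads a query parameter from the URL the user originally hit, and stores it in a custom session variable that the external login page URL and the redirect ending can then reference. The parameter name `app`, the variable name `session.custom.app`, and the `%{session.custom.app}` reference syntax in the ending URL are assumptions for the example; `session.server.landinguri` is APM's own variable for the landing URI.

```tcl
# Added example iRule (Tcl), not from the thread or from F5 documentation.
# Assumed names: query parameter "app", custom variable "session.custom.app".
when ACCESS_SESSION_STARTED {
    # session.server.landinguri holds the URI that started the session,
    # including its query string, e.g. /portal/login?app=hr
    set landing [ACCESS::session data get "session.server.landinguri"]

    # URI::query returns "" when the parameter is absent; decode any
    # percent-encoding before validating the value.
    set app [URI::decode [URI::query $landing "app"]]

    # Allow-list the value before storing it. It will later be placed
    # into a redirect URL, so anything outside a short token character
    # set is discarded rather than reflected back to the browser.
    if { [regexp {^[A-Za-z0-9_-]{1,32}$} $app] } {
        ACCESS::session data set "session.custom.app" $app
        log local0. "new APM session: stored app=$app"
    } else {
        # Always define the variable so the URL reference expands cleanly.
        ACCESS::session data set "session.custom.app" ""
    }
}
```

With this in place, the redirect ending (with "Close session after redirect" checked) can send the user to a URL such as http://www.externalloginpage.com?app=%{session.custom.app}&error=00001, and the next POST to my.policy starts a fresh session instead of hitting the expired one.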