Forum Discussion

jack_10574
Nov 12, 2015

APM AD group resource assignment with ACLs

Hi All,

I am having an issue with an APM project. The customer is aiming to replace a Juniper SSL VPN with F5 APM, with the requirement below.

The user is authenticated through an AD group. When a user is a member of "Group A", the user can access "Group A network" only. But when the user is a member of "Group A" and "Group B", the user will be assigned access to "Group A network" and "Group B network".

Assume I create a general network access profile for all users, for example: network access created for Network A, Network B and Network C.

Is there any solution you can suggest to achieve the user requirement? I am using ACLs but it fails; the example is below.

1.) Group A users will be able to access network A = ACL assigned to GROUP A: i.) "allow destination network A" ii.) "deny any other destination network"
2.) Group B users will be able to access network B = ACL assigned to GROUP B: i.) "allow destination network B" ii.) "deny any other destination network"

When a user is a "member of GROUP A and GROUP B", after the user is authenticated, APM will assign the 2 sets of ACLs for group A and group B to the user. I assumed APM would give the user an ACL allowing access to "network A and network B" from the 2 sets of ACLs above.

But once the user hits the first set's ACL rule "deny any other destination network", it won't process the second ACL's rule which allows access to Network B.

Please advise of any suggestion for how I can merge the allow lists for a user who is a "member of "Group A" and Group B".

Note: We are trying not to use a different network access profile for each group's users. This is because having the APM portal show different network access profiles for user selection is not ideal, as users are often not sure which network to select.

Thanks, Regards, Jack

2 Replies

  • BinaryCanary_19
    Historic F5 Account

    I think that basically you have to remove the "deny" rule in all your ACLs, then have one ACL whose job is only to deny.

    The following is how I think I would approach this (I have not tested this out). I'm replying because I noticed that your post has gone a day without response, so you could at least try out my idea.

    You should have one ACL called "deny all" which has only one rule: deny all. Then, for each group, an ACL that allows only their specific traffic. Example:

    "Allow Network A" rule -> allow traffic for network A.
    "Allow Network B" rule -> allow traffic for network B.
    "Allow Network C" rule -> allow traffic for network C.

    Then for Network A, you assign ACL "Allow Network A" AND "deny all". Network B will get "Allow Network B" and "deny all".

    Then for the group that needs two networks, you will assign "Allow Network A", then "Allow Network B", then "deny all" in that order.
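    The ordering behaviour this reply relies on, modelled as an added example (this is not F5 code and not from the thread): APM-style ACLs are walked in assignment order and the first matching entry wins, so a per-group "deny any" short-circuits every later ACL, while allow-only ACLs followed by one shared "deny all" compose correctly. The network addresses and the allow-if-nothing-matches fallthrough are assumptions made for the simulation.

```python
"""Simulate first-match ACL evaluation across several assigned ACLs.

Compares the original layout (each group ACL ends in its own deny-any)
with the reply's layout (allow-only ACLs plus a single shared deny-all last).
"""
from ipaddress import ip_address, ip_network

# Constructed sample networks; an assumption, not values from the thread.
NETWORKS = {
    "A": ip_network("10.1.0.0/24"),
    "B": ip_network("10.2.0.0/24"),
    "C": ip_network("10.3.0.0/24"),
}

def evaluate(acls, dst_ip, default="allow"):
    """acls: list of (name, [(action, network_or_'any'), ...]) in assignment order.

    Returns (action, acl_name, entry_index) of the first matching entry.
    If nothing matches, 'default' applies (assumed allow, which is exactly why
    the reply puts an explicit deny-all ACL last)."""
    ip = ip_address(dst_ip)
    for name, entries in acls:
        for i, (action, dst) in enumerate(entries):
            if dst == "any" or ip in dst:
                return action, name, i
    return default, None, None

# Original layout: every group ACL carries its own "deny any other destination".
ORIGINAL = {
    g: (f"ACL Group {g}", [("allow", net), ("deny", "any")])
    for g, net in NETWORKS.items()
}
# Reply's layout: per-group allow-only ACLs, plus one shared deny-all ACL.
ALLOW_ONLY = {g: (f"Allow Network {g}", [("allow", net)]) for g, net in NETWORKS.items()}
DENY_ALL = ("deny all", [("deny", "any")])

def acls_original(groups):
    return [ORIGINAL[g] for g in groups]

def acls_fixed(groups):
    # deny-all must be assigned after every allow ACL, as the reply says.
    return [ALLOW_ONLY[g] for g in groups] + [DENY_ALL]

def reachable(acls, targets=("10.1.0.10", "10.2.0.10", "10.3.0.10")):
    """Map each sample destination (one host per network) to the resulting action."""
    return {t: evaluate(acls, t)[0] for t in targets}

if __name__ == "__main__":
    print("original, member of A+B:", reachable(acls_original(["A", "B"])))
    print("fixed,    member of A+B:", reachable(acls_fixed(["A", "B"])))
```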

     

    • jack_10574
      aFanen01, thanks for the assist .. it works perfectly.