Forum Discussion

malek_133882
Sep 05, 2017

Challenge adding Difference of resource assign to different users not group after authenticating AAA (Radius)

Hello everybody,
Indeed, I have a challenge for adding Difference of resource assign to different users not group after authenticating AAA (Radius).
My case is: I have different contractors accessing via VPN through RADIUS, and each contractor must access different resources. For example, contractor Tom has to access the ABC application only and contractor Joy must access the xyz application only (contractor accounts are created on the AAA RADIUS server), meaning the resources shouldn't be shared between contractors. So after contractor authentication via RADIUS I have to create multiple branches, one for each contractor, and assign its resources. My challenge is: how can I achieve that?
2 Replies

  • Hi Malek,
    As you said, you will need to create multiple branches (one for each contractor).
    There are many ways to manage this, but it depends on your config also:
    1) If contractors are using their emails to authenticate, based on the domain used you can assign resources (tom@contractor1.com => all contractor1.com goes to branch1, then joy@contractor2.com goes to branch2, and so on).
    2) If contractors are populated in a directory, you can make an AD Query or LDAP Query to retrieve the "memberOf" attribute. If your directory is configured like this, each contractor is in a group (example: contractor1; contractor2; ...).
    3) On F5 APM, you could create a local user DB with groups of users, then in the same manner described in option 2 you can make a query to the "Local Database". Based on the group returned you can assign resources.
    Hope it helps.
    Please give me feedback.
  • Hi Malek,
    In addition to what JTI has already explained (performing authorization within APM via the individual usernames), you could also implement custom RADIUS-Reply AV-pairs on your RADIUS server policies to reflect the users' permissions / group memberships.
    VPE will be able to read your custom AV-Pairs and enforce rules based on the provided information.
    Cheers, Kai
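As an added example (not code from either reply, and not from F5's documentation), here are the VPE branch-rule expressions, in the Tcl syntax APM branch rules use, that implement JTI's options 1 and 2 and Kai's RADIUS AV-pair approach. It assumes the RADIUS server returns the standard `Class` attribute with a value such as `contractor1` for each contractor account, that APM exposes it as `session.radius.last.attr.class`, and that the AD group is named `contractor1`; the RADIUS server side is configured separately and not shown.

```tcl
# Added example: APM VPE branch-rule expressions for per-contractor branching.
# Every expression below is the rule of one branch of a single branch item; each
# branch then leads to a Resource Assign holding only that contractor's resources.
# Assumption: the Fallback branch is wired to Deny, so a user who matches no rule
# is assigned nothing rather than silently getting a default set of resources.

# --- Option 1 (JTI): branch on the e-mail domain of the logon name ---
# Branch "contractor1.com": take the part after "@", lower-case it, exact-match it.
expr {
    [string tolower [lindex [split [mcget {session.logon.last.username}] "@"] 1]]
        eq "contractor1.com"
}
# Branch "contractor2.com": the same expression with "contractor2.com".

# --- Option 2 (JTI): branch on the memberOf attribute returned by an AD Query ---
# Assumption: the group DN starts with "CN=contractor1,". Matching "cn=contractor1,"
# (including the comma) avoids a false match on a group such as "contractor10".
expr {
    [string tolower [mcget {session.ad.last.attr.memberOf}]] contains "cn=contractor1,"
}

# --- Kai's approach: branch on a RADIUS reply AV-pair (assumed here: Class) ---
# Exact, case-insensitive comparison, so "contractor10" cannot satisfy "contractor1".
# Branch "Class = contractor1":
expr { [string equal -nocase [mcget {session.radius.last.attr.class}] "contractor1"] }
# Branch "Class = contractor2":
expr { [string equal -nocase [mcget {session.radius.last.attr.class}] "contractor2"] }
# Fallback: no rule; wire it to Deny, not to a Resource Assign item.
```

Before relying on a variable name, confirm it in the session report of a test logon (Access > Overview > Active Sessions), since the exact attribute name depends on how the RADIUS server and AD Query are configured.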