Forum Discussion

rafaelbn_176840
Jan 09, 2018

APM conditional policy

Hello devs! Happy 2018 guys!

 

We have an APM on our environment serving as VPN. The policy first authenticates the user against AD and then talks to an SMS device so users can receive their two-factor password.

 

The problem is that sometimes this SMS device goes down and nobody is actually watching. When this happens, as you can imagine, users can't log in on the VPN. And that's bad.

 

I was trying to come up with an automatic solution inside the policy, but I only thought of these two:

 

  1. Duplicate the policy to a new one that does NOT use two-factor and, when the SMS device goes down, manually switch the policy to this new no-two-factor one. It works, but it's not automatic.
  2. Put a decision box after the AD auth asking the user to choose between two-factor or one-factor. Which again works, but we shouldn't leave this to the users' will, I think.

So my question is:

 

Is there a way of monitoring this SMS device? I wish I could put it in a pool and have something like a decision box in the APM policy based on the availability of the pool. If up, go this branch; if down, go this other branch.

 

Any ideas?

 

Thanks!

 

Rafael

 

6 Replies

  • Configure a pool with your SMS server. You can configure an iRule in your access policy to verify how many members are available and set a session variable based on that. After that you just need to check the value of that variable to enable or disable MFA. You can use [active_members $pool_name] to see how many members are up.

     

  • That's exactly what I was looking for! I will lab this and let you know if it works! Thanks so much Daniel!

     

  • Hello Daniel!

    I came up with the following iRule but I don't think it's working. Sorry to bother you... I'm still learning both iRules and APM.

    when CLIENT_ACCEPTED {
        if {[active_members pool_SMS] > 1} {
            set varSMS 1
        } else {
            set varSMS 0
        }
    }
    

    I added this iRule inside a policy like this:

    My VS still works but when I do a sessiondump --allkeys I don't see this varSMS variable.

    Another question I have is how am I gonna evaluate this variable inside the APM policy?

    Thank you so much!

  • Rafael,

    APM makes use of a special event that is only triggered when the policy is evaluated and you have an iRule event box. You need an iRule more like this:

    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "event_name_in_your_accesspolicy" } {
            if { [active_members pool_SMS] > 1 } {
                ACCESS::session data set session.custom.sms_server 1
            } else {
                ACCESS::session data set session.custom.sms_server 0
            }
        }
    }
    

    I have not tested the iRule, but it should be something like that. Pay special attention to the agent_id in your policy, as it must match. If everything is fine, then you should see that variable when you execute sessiondump.

  • Woohoooo!

    It worked!!! \o/

    This is the final iRule.

    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "irule_SMS" } {
            if { [active_members pool_SMS] > 0 } {
                ACCESS::session data set session.custom.sms_server "up"
            } else {
                ACCESS::session data set session.custom.sms_server "down"
            }
        }
    }
    

    The policy was like this:

    The iRule event like this:

    And the branch rule like this:

    Believe it or not, I got stuck because I forgot to apply this iRule under the VS that this APM policy is running.

    Session variables were logged like this:

    5c319b08.session.custom.sms_server 4 down
    e33364e8.session.custom.sms_server 2 up
    

    In this specific test, the result was that when pool_SMS was available (active members were greater than zero), the user got the logon page, and when pool_SMS was down (active members were zero), the user got the message box. Now I just have to replicate this on my environment before the MFA policy block.

    Thanks Daniel! Really appreciate the help!

  • Hi,

     

    I recommend using ACCESS_SESSION_STARTED instead of ACCESS_POLICY_AGENT_EVENT.

     

    when ACCESS_SESSION_STARTED {
        if {[active_members pool_SMS] > 0} {
            ACCESS::session data set session.custom.sms_server "up"
        } else {
            ACCESS::session data set session.custom.sms_server "down"
        }
    }

    With this code, remove the iRule event box in the VPE. This iRule event is raised at the beginning of the session, before the VPE is evaluated.

     

    You can see in this thread the latency impact of ACCESS_POLICY_AGENT_EVENT.
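As an added example (not posted in this thread), the same ACCESS_SESSION_STARTED approach with two additions a practitioner would want: the single-factor fallback is written to the LTM log so a dead pool_SMS does not stay unnoticed, and a missing or misnamed pool does not silently route every session around the SMS factor. The pool name pool_SMS and the variable session.custom.sms_server come from the thread; the log prefix and the extra variable session.custom.sms_members are assumptions of this example.

```tcl
# Added example, not from the original thread.
# Assumes pool_SMS and session.custom.sms_server as used above; the
# "SMS-MFA:" log prefix and session.custom.sms_members are made up here.
when ACCESS_SESSION_STARTED {
    set pool "pool_SMS"

    # active_members raises a Tcl error if the pool does not exist. Catch it so
    # a typo in the pool name does not abort the session, and treat the unknown
    # state as "up": the VPE then still runs the SMS step (which fails loudly)
    # instead of every session quietly taking the no-SMS branch.
    if { [catch { set members [active_members $pool] } err] } {
        log local0.error "SMS-MFA: cannot read $pool ($err); keeping SMS factor"
        set members -1
        ACCESS::session data set session.custom.sms_members $members
        ACCESS::session data set session.custom.sms_server "up"
        return
    }

    # Record the raw count as well, so sessiondump shows why a branch was taken.
    ACCESS::session data set session.custom.sms_members $members

    if { $members > 0 } {
        ACCESS::session data set session.custom.sms_server "up"
    } else {
        ACCESS::session data set session.custom.sms_server "down"
        # This session will be offered the single-factor branch by the VPE.
        # Log it at warning level so the fallback is alertable, not silent.
        log local0.warn "SMS-MFA: $pool has no active members; session [ACCESS::session sid] from [IP::client_addr] will skip the SMS factor"
    }
}
```

The VPE branch rule stays the one shown above (session.custom.sms_server equals "down"); only the logging and the error handling are new.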