Martin_Robbins
Feb 25, 2014

APM modify VPE flow state

Hello,

 

Within an APM access policy, say you have a basic logon page followed by an AD Query to check if the username exists in a domain. If the result of the username AD Query passes, it then proceeds to AD Auth against domain ONE; otherwise it does an AD Auth against domain TWO.

 

If a user enters an incorrect 'username' that does not match the AD Query, they enter the "wrong" AD Auth state for domain TWO in VPE.

 

Then if the client corrects the 'username' for domain ONE, is there any way to re-run the AD Query again, as their login will always then fail against domain TWO?

 

.. or is starting a whole new session the only way to restart the VPE state ?

 

.. or is there some way to run an AD Query and/or AD Auth from within an iRule?

 

Thanks for any hints.

 

5 Replies

  • Hi,

     

    You should be able to have the "Logon Page" and "AD Query" in a Macro and let it loop. So the workflow would be they login, hit AD Query, if name doesn't match one of the two domains then they loop back to the login page to correct the userid. You can have them loop "x" amount of times and then if it still fails then send them to a "Deny" ending.

     

    Seth

     

  • Hi,

     

    Great, thanks for the answer. Indeed a loop does work, but ..

     

    .. is there any way to add an error into the logon page if the lookups fail?

     

    I have tried setting the session variable session.logon.page.errorcode but nothing is displayed.

     

    Any ideas ?

     

    thanks

     

  • Hi,

     

    That's great, thanks very much for your help!!!

     

    Final question: do you know whether there is a counter within the Macro loop?

     

    regards

     

  • You can configure the Maximum Macro Loop Count in the settings for the Macro. I don't see a session variable that is available out of the box that tracks how many times the loop has happened. You could always set your own counter if needed.

     

    What is your reason for the counter? Are you wanting to display or log the count?

     

    Seth

     

  • Actually I wanted to change the number of retries on one of the ADs, but I created a custom variable assignment on entry to the macro and incremented it.

     

     

     

    "Loop Count Inc"

     

    session.custom.auth.loop.count = expr { [mcget {session.custom.auth.loop.count}] + 1 }

     

     

    Thanks again.