Forum Discussion

Carlos_Alperin
Oct 14, 2014

F5 APM authentication on AD using Groups

I tried to validate Groups in AD with no luck.

 

Does anybody have a working example of AD authentication with Groups in F5 APM v11.5.1?

 

Thanks,

 

11 Replies

  • Hi,

     

    How do you validate it? Actually, you need:

     

    • Logon page
    • AD auth
    • AD query

    In the AD Query box, on the branch, select the option Member Of, and enter the full memberOf LDAP string (CN=xxxxx, OU=xxxx ...)

     

    Show me your configuration.

     

    Matt

     

  • I can't put a copy of the access policy flow, but

     

    I have the Start followed by the Logon Page, whose fallback goes to the AD Auth, in which I point to the AD server; on Successful I go to AD Query, where on the server I enable a SearchFilter

     

    CN=HQ-VPN-USERS, CN=Users, DC=domain.com

     

    With Fetch Primary Group Enabled, but Fetch Nested Disabled.

     

    Greg_Crosby_319
    Your branch expression should look something similar to: expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Example Group" }. Where 'Example Group' is the name of the group you want to match; note that the group name is case-sensitive.
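The following is an added example, not code from this thread or from F5. It models how a branch rule of the form expr { [mcget {session.ad.last.attr.memberOf}] contains "..." } is evaluated against the memberOf session variable, and shows the over-match a bare substring test allows: a user in a group whose name merely starts with the wanted name also takes the Member Of branch. Assumptions not stated on the page: APM joins a multi-valued attribute into one string with " | " as the separator, and the Tcl `contains` operator is a case-sensitive substring test. All DNs and user values below are constructed sample data.

```python
# Added example (not code from the thread or from F5). It models how the APM
# branch rule
#   expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Example Group" }
# behaves against the memberOf session variable, and shows why a bare
# substring test can over-match.
#
# Assumptions (not stated on the page): APM joins the values of a
# multi-valued attribute into one string with " | " as separator, and the
# Tcl `contains` operator is a case-sensitive substring test. All DNs below
# are constructed sample values.

SEPARATOR = " | "

# Constructed: session.ad.last.attr.memberOf for a genuine VPN user ...
VPN_USER_MEMBEROF = (
    "CN=HQ-VPN-USERS,CN=Users,DC=domain,DC=com"
    " | CN=Domain Users,CN=Users,DC=domain,DC=com"
)
# ... and for a user in a group whose name merely starts the same way.
LOOKALIKE_MEMBEROF = (
    "CN=HQ-VPN-USERS-TEST,OU=Lab,DC=domain,DC=com"
    " | CN=Domain Users,CN=Users,DC=domain,DC=com"
)


def apm_contains(memberof_value, needle):
    """Mirror of the Tcl `contains` operator used in the branch rule:
    a case-sensitive substring test. mcget on an unset variable yields an
    empty string, so None (AD Query never ran) is treated the same way."""
    return needle in (memberof_value or "")


def evaluate_branch(memberof_value, needle):
    """Which VPE branch the rule would take: 'member_of' or 'fallback'."""
    return "member_of" if apm_contains(memberof_value, needle) else "fallback"


def split_memberof(memberof_value):
    """Split the joined session variable back into individual group DNs."""
    return [dn.strip() for dn in (memberof_value or "").split(SEPARATOR) if dn.strip()]


def normalise_dn(dn):
    """Lower-case and strip spaces after commas so 'CN=a, OU=b' == 'cn=a,ou=b'.
    Caveat: does not handle RDN values with escaped commas (e.g. 'CN=Doe\\, John')."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_member_exact(memberof_value, group_dn):
    """Membership by whole-DN comparison rather than substring: a user in
    CN=HQ-VPN-USERS-TEST is not mistaken for a member of CN=HQ-VPN-USERS."""
    wanted = normalise_dn(group_dn)
    return any(normalise_dn(dn) == wanted for dn in split_memberof(memberof_value))


if __name__ == "__main__":
    rule = "CN=HQ-VPN-USERS"
    full_dn = "CN=HQ-VPN-USERS,CN=Users,DC=domain,DC=com"
    for label, value in (("vpn user", VPN_USER_MEMBEROF),
                         ("lookalike", LOOKALIKE_MEMBEROF),
                         ("no AD Query", None)):
        print(f"{label:12s} contains {rule!r}: {evaluate_branch(value, rule)}")
        print(f"{label:12s} contains {rule + ','!r}: {evaluate_branch(value, rule + ',')}")
        print(f"{label:12s} exact DN match: {is_member_exact(value, full_dn)}")
```

Two practical consequences follow. A rule that tests only "CN=HQ-VPN-USERS" also admits CN=HQ-VPN-USERS-TEST; appending the comma that ends the RDN ("CN=HQ-VPN-USERS,") closes that gap cheaply, and comparing the full group DN, as Matt's reply recommends, is the exact form. The `None` case is the symptom seen later in this thread: with no AD Query output the variable is empty, every `contains` test is false, and the policy always takes fallback.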
  • Hi, what do you have so far?

     

    You need to implement an AD Query agent in the VPE after the AD Auth agent. Having done that, if you look at your session report, you will have the groups retrieved in an attribute.

     

    You can then either use a condition in Resource Assign matching group names, or use group-based resource assign in the latest release.

     

  • Arnaud,

     

    I created different access policies. If I don't use Group, I have no problem. My issue starts when I add the Group on the Authentication.

     

      Arnaud_Lemaire
      Could you display an example of the VPE? That will help to see if anything is blocking you.
  • Calperin, have a look at my comment above. To validate a group, you have to set a condition on the branch (my comment below) or use the Advanced Resource Assign box and use a group expression, as Arnaud said.

     

  • Session variable 'session.ad./Common/domain_AD_act_active_directory_ag.actualdomain' set to 'domain.com'
    Session variable 'session.ad./Common/domain_AD_act_active_directory_ag.authresult' set to '1'
    Session variable 'session.ad./Common/domain_AD_act_active_directory_ag.errmsg' set to ' '
    Session variable 'session.ad.last.actualdomain' set to 'domain.com'
    Session variable 'session.ad.last.authresult' set to '1'
    Session variable 'session.ad.last.errmsg' set to ' '
    Session variable 'session.assigned.resources.na' set to '/Common/domain_AD_na_res'
    Session variable 'session.assigned.webtop' set to ''
    Session variable 'session.logon./Common/domain_AD_act_logon_page_ag.logonname' set to 'calperin'
    Session variable 'session.logon./Common/domain_AD_act_logon_page_ag.result' set to '1'
    Session variable 'session.logon./Common/domain_AD_act_logon_page_ag.username' set to 'calperin'
    Session variable 'session.logon.last.logonname' set to 'calperin'
    Session variable 'session.logon.last.result' set to '1'
    Session variable 'session.logon.last.username' set to 'calperin'
    Session variable 'session.logon.page.errorcode' set to '1'
    Session variable 'session.logout.page.customization.group' set to '/Common/domain_AD_end_deny_ag'
    Session variable 'session.policy.result' set to 'deny'
    AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1562 Msg: DONE WITH ACCESS POLICY - send 'we are done with access policy for this session' code
    AccessPolicyD.cpp func: "process_request()" line: 741 Msg: ** done with the request processing **
    Session deleted due to user logout request.

     

  • You do not make any AD Query, I assume. You should see all attributes from the user in session.ad.last.attr

     

    Check the logs ("tail -f /var/log/apm") after changing the log level to debug for Access Policy logs.

     

    Can you tell me which option is checked and filled in your AD Query box, please?
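An added example, not code from this thread or from F5, of the check Arnaud describes: parse the "Session variable '...' set to '...'" lines that APM writes to /var/log/apm at debug level and report whether the AD Query agent populated any session.ad.last.attr.* variables. The two log excerpts embedded below are constructed for the example; their variable names follow the excerpt posted earlier in the thread, and the memberOf value assumes APM joins multi-valued attributes with " | ".

```python
# Added example (not code from the thread or from F5): a small parser for the
# session-variable lines APM logs at debug level, plus a diagnosis of whether
# AD Auth succeeded, whether AD Query delivered any attributes, and what the
# policy decided. Log excerpts below are constructed sample data.
import re

# Assumes values contain no single quotes (true for DNs and the results shown
# in the thread; a DN with an apostrophe would need a smarter parser).
SESSION_VAR_RE = re.compile(r"Session variable '([^']+)' set to '([^']*)'")

# Constructed: AD Auth succeeded, no AD Query attributes at all, policy denied.
# This is the shape of the excerpt posted earlier in the thread.
NO_QUERY_LOG = """\
Session variable 'session.ad.last.actualdomain' set to 'domain.com'
Session variable 'session.ad.last.authresult' set to '1'
Session variable 'session.ad.last.errmsg' set to ' '
Session variable 'session.logon.last.username' set to 'calperin'
Session variable 'session.policy.result' set to 'deny'
"""

# Constructed: the same user after an AD Query with memberOf as a required
# attribute (separator " | " between values is an assumption about APM).
WITH_QUERY_LOG = """\
Session variable 'session.ad.last.actualdomain' set to 'domain.com'
Session variable 'session.ad.last.authresult' set to '1'
Session variable 'session.ad.last.attr.memberOf' set to 'CN=HQ-VPN-USERS,CN=Users,DC=domain,DC=com | CN=Domain Users,CN=Users,DC=domain,DC=com'
Session variable 'session.policy.result' set to 'allow'
"""


def parse_session_vars(log_text):
    """Return {variable name: value} for every session-variable line found.
    Later assignments to the same name overwrite earlier ones, as in APM."""
    found = {}
    for match in SESSION_VAR_RE.finditer(log_text):
        found[match.group(1)] = match.group(2)
    return found


def ad_query_attributes(session_vars):
    """Only the variables an AD Query agent would have set."""
    prefix = "session.ad.last.attr."
    return {k[len(prefix):]: v for k, v in session_vars.items() if k.startswith(prefix)}


def diagnose(log_text):
    """Summarise one session's log excerpt as a list of findings, in order:
    AD Auth outcome, AD Query outcome, final policy result."""
    session_vars = parse_session_vars(log_text)
    findings = []

    if session_vars.get("session.ad.last.authresult") == "1":
        findings.append("ad_auth_ok")
    else:
        findings.append("ad_auth_failed")

    attrs = ad_query_attributes(session_vars)
    if not attrs:
        # Nothing under session.ad.last.attr.*: AD Query never ran, or it
        # returned nothing. A memberOf branch rule can only fall through.
        findings.append("no_ad_query_attributes")
    elif "memberOf" not in attrs:
        findings.append("memberOf_not_fetched")
    else:
        findings.append("memberOf_present")

    findings.append("policy_" + session_vars.get("session.policy.result", "unknown"))
    return findings


if __name__ == "__main__":
    for label, excerpt in (("without AD Query", NO_QUERY_LOG),
                           ("with AD Query", WITH_QUERY_LOG)):
        print(f"{label}: {', '.join(diagnose(excerpt))}")
```

Run it against a real excerpt (for instance, `tail` output pasted into NO_QUERY_LOG) and the first finding that matters is `no_ad_query_attributes`: it means the problem is upstream of the branch rule, in the AD Query agent's placement or its attribute settings, not in the Member Of expression.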

     

  • Hi,

     

    There are no requirements about where to add the AD Query. It depends on the variables you want to use in SSO credential mapping and variable assign...

     

    In the search filter, it depends on your configuration (authentication with sAMAccountName, email address, or UPN...). It is recommended to define the requested attributes to limit variables; I had an issue in version 11.4 where a user had an image on his profile, generating a core dump. Setting the memberOf attribute only solved the issue.

     

  • I am having the same issue of the AD Query always going to the fallback. I have verified that the memberOf properties appear in the session attributes. I have even copied that string and pasted it into the branch Member Of box to ensure all characters are a match, but the query always goes to fallback.

     

    I have the memberOf as a required component. Without that, I find the message in the APM logs that the variable is not found in memcache.

     

    11.4.1 HF8