M_Petr
Sep 05, 2019
Solved

AD MemberOF

Hi everyone, please answer a question for me and explain:

Is it possible to change which URL a request to the F5 is forwarded to, depending on the user's membership in the AD group?

Thanks!

7 Replies

  • Hi Petr,

    Yes, you can do it using APM by following these steps:

    You have to create a per-session policy and, of course, a per-request session in order to check each request (URI).

    The per-request policy lets you analyse every user request...

    Let me know if you need more details.

    Regards

    • M_Petr

      Hi, I have a problem.

      When I add :

      • Logon page
      • AD auth

      It's OK! Authentication is successful.

      But if I add

      • Logon page
      • AD auth
      • AD query with (expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=GroupPod1" })

      I get a message:

      "AD module: query with '(sAMAccountName=userpod1)' failed: Preauthentication failed, principal name: ldap_user@CORP.AVALIS.CO.UA. Invalid user credentials. (-1765328360)"

      And I don't see {session.ad.last.attr.memberOf} in the REPORTS.

      What do you think?

      Thanks!

  • Hello, if the AD auth or AD query fails the session variable for memberOf will not be populated. In the AAA server object do you have an Administrator account configured? Are you sure the credentials for the user (or admin account in the AAA configuration) are correct?

    • M_Petr

      Thank you, the Administrator account is configured incorrectly.
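
The branch expression in the thread tests memberOf with a substring match, which is also true for a differently named group such as GroupPod10. The following added example (not from the thread or from F5) picks the target URL by comparing whole group DNs instead. It is plain Tcl; the pipe-separated memberOf layout, the group DNs and the URLs are assumptions constructed for illustration.

```tcl
# Added example, not code from the thread.
# Assumption: a multi-valued memberOf is stored as "| DN1 | DN2 |".

# Split the memberOf session value into a list of trimmed group DNs.
proc member_dns {memberof} {
    set dns {}
    foreach part [split $memberof "|"] {
        set dn [string trim $part]
        if {$dn ne ""} { lappend dns $dn }
    }
    return $dns
}

# Return the URL of the first mapping entry whose full DN equals one of the
# user's group DNs (case-insensitive), or the default when nothing matches.
proc url_for_groups {memberof mapping default} {
    set dns [member_dns $memberof]
    foreach {group_dn url} $mapping {
        foreach dn $dns {
            if {[string equal -nocase $dn $group_dn]} { return $url }
        }
    }
    return $default
}

# Constructed mapping: full group DN -> URL the request is sent to.
set mapping {
    "CN=GroupPod1,OU=Groups,DC=example,DC=com" "/pod1/"
    "CN=GroupPod2,OU=Groups,DC=example,DC=com" "/pod2/"
}

# Constructed sample: this user is in GroupPod10, not in GroupPod1.
set sample "| CN=GroupPod10,OU=Groups,DC=example,DC=com | CN=Domain Users,CN=Users,DC=example,DC=com |"

# Substring test, the plain-Tcl equivalent of the thread's "contains" check.
# It cannot tell GroupPod1 from GroupPod10.
puts "substring match: [string match {*CN=GroupPod1*} $sample]"

# Whole-DN comparison: only an exact group DN selects a pod URL.
puts "selected URL:    [url_for_groups $sample $mapping /denied/]"
```

On the BIG-IP the same procs can take their input from `ACCESS::session data get session.ad.last.attr.memberOf` in an iRule, which is an alternative to the per-request policy suggested in the thread.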