Forum Discussion

David_E__Smith_
Jun 16, 2015

How to switch AAA server based on user input?

I'm trying to move an internal client from Microsoft ISA Server to our F5 APM (running 11.4). The client isn't doing anything too fancy -- they're using ISA's SSO listener to present a form, and translating it to NTLM credentials on the back-end.


I've done this before, but only with users authenticating to a single AD domain. This client's logon form includes a radio button, where the user can select one of several domains to authenticate against.


Conceptually, it's easy enough. I need to see what a certain HTML form variable is set to, and based on that value, select which AAA server to use. I just don't know the F5-ish way to do this.


In the Visual Policy Editor, for a single domain, it's just "Logon Page --> AD Auth". I assume that, between those two, I need to put in some sort of decision node, switching based on form input (if session.logon.last.domain == 'DOM1' follow this branch, and so on, and if none of the above go straight to a deny). But I can't quite suss out the F5 way to do this. Nothing in Branch Rules looks like it can act on a form input. What am I overlooking?


2 Replies

  • You can modify the branch rule of the Logon Page agent and create additional branches, based on a variable (the one with the value=DOMAIN). In the branch, select "Advanced" and enter an expression such as

    expr { [mcget {}] ==  }

  • That wasn't quite the right syntax, but it definitely was the right idea. Thanks!


    I created a few branches on my logon form, with values resembling this:


    expr { [mcget {session.logon.last.domain}] equals "DOMAINHERE" }


    I'm still testing, but I'm optimistic. Thanks!
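As an added illustration (not from either poster), here is what the full set of Advanced branch-rule expressions on the Logon Page agent looks like once one branch per domain is in place, following the `expr { [mcget {...}] equals "..." }` form that worked in the reply above. The variable name `session.logon.last.domain`, the domain values `DOM1`, `DOM2`, `DOM3`, and the branch names are assumed for the example; substitute whatever the logon form's radio button actually writes into the session variable. Each expression goes into its own branch, ordered top to bottom as the VPE evaluates them, and the built-in fallback branch (which matches when none of the expressions return true) is wired to Deny so an unexpected or missing value never reaches an AAA server.

```tcl
# Branch 1 -> "AD Auth DOM1" (AAA server for the first domain)
expr { [mcget {session.logon.last.domain}] equals "DOM1" }

# Branch 2 -> "AD Auth DOM2" (AAA server for the second domain)
expr { [mcget {session.logon.last.domain}] equals "DOM2" }

# Branch 3 -> "AD Auth DOM3" (AAA server for the third domain)
expr { [mcget {session.logon.last.domain}] equals "DOM3" }

# fallback branch (no expression; matches when every rule above is false)
# -> Deny ending, so a tampered or empty domain field fails closed
```

The comparison is exact, so the radio-button values on the logon form must match the literals in the expressions character for character (case included). Because the value is user-controlled form input, keeping the branch set to an explicit allow-list of known domains, with the fallback going to Deny rather than to a default AAA server, is what stops a crafted value from selecting an authentication path the client never intended.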