Forum Discussion

Haara_212103
Apr 14, 2016

Filter DCs for use with APM authentication

Hello, we have an issue with LDAP authentication in a multi-domain forest with several domain controllers in restricted VLANs that the APM doesn't have access to. Is there any way to filter which DCs the F5 will try to use for authentication? Right now we get timeouts during authentication when it tries to reach the restricted DCs. We have tried both weight and priority in DNS, but that doesn't help.

Regards, Haara

4 Replies

  • Lucas_Thompson_
    Historic F5 Account

    This is more of a Microsoft AD structure question that you should address to a Microsoft-trained network architect, or to Microsoft.

    APM can authenticate using RADIUS, Kerberos (AD), LDAP, or HTTP (among others). So if you can expose any of those interfaces toward APM by using some DC-DC trust relationship setup, it will work.

    • Haara_212103
      Well, I don't really think so. The issue lies within the APM and how it treats weight and priority in the DNS records, or really how it doesn't treat them, since changing the values doesn't have any effect on which domain controller it tries to use. Also, when the APM does the DNS lookup for the LDAP and Kerberos services it gets a list of multiple domain controllers, but if the one it tries to use times out it won't go to another. Is there any reason for this behaviour?
    • Lucas_Thompson_
      Historic F5 Account
      Absolutely correct. APM does not pay attention to these factors. There is an existing enhancement request for APM's authentication-DNS client to pay attention to "Sites and Services" information for geo-weighting and similar use cases. It's F5 RFE 495587. Few customers have expressed interest in this feature though, but feel free to open a support ticket or speak with your sales rep. Here's a Microsoft article that describes it: https://technet.microsoft.com/en-us/library/cc754697.aspx
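For comparison with the behaviour described in this exchange, here is what an SRV-aware client does with the priority and weight fields: RFC 2782 ordering (lowest priority first, weighted random choice within a priority) and failover to the next candidate when one times out. This is an added illustration written for this page, not code from the thread or from F5; the host names, the SRV answer set and the `try_dc` stand-in for a real LDAP bind are all constructed.

```python
import random
from collections import namedtuple

# One SRV answer as a client would receive it for _ldap._tcp.<domain>
SrvRecord = namedtuple("SrvRecord", "priority weight target port")

# Constructed sample answer set (hypothetical host names): two reachable
# DCs at priority 0 and two DCs in a restricted VLAN pushed to priority 10.
SAMPLE_SRV = [
    SrvRecord(10, 0, "dc-restricted1.company.local", 389),
    SrvRecord(0, 100, "dc1.company.local", 389),
    SrvRecord(10, 0, "dc-restricted2.company.local", 389),
    SrvRecord(0, 100, "dc2.company.local", 389),
]


def _weighted_pick(group, rng):
    """RFC 2782 weighted selection inside one priority level."""
    # Zero-weight records are listed first so they are chosen only when the
    # random number is 0 (or when every record in the level has weight 0).
    group = sorted(group, key=lambda r: r.weight != 0)
    total = sum(r.weight for r in group)
    threshold = rng.randint(0, total)
    running = 0
    for rec in group:
        running += rec.weight
        if running >= threshold:
            return rec
    return group[-1]


def order_srv(records, rng=None):
    """Return every record in the order an RFC 2782 client should try it:
    lowest priority first, weighted random order within each priority."""
    rng = rng or random.Random(0)  # seeded so the ordering is reproducible
    ordered = []
    for prio in sorted({r.priority for r in records}):
        remaining = [r for r in records if r.priority == prio]
        while remaining:
            pick = _weighted_pick(remaining, rng)
            ordered.append(pick)
            remaining.remove(pick)
    return ordered


def authenticate_with_failover(records, try_dc, rng=None):
    """Try DCs in SRV order and stop at the first one that answers.
    try_dc(record) returns an auth result, or None when the DC times out."""
    tried = []
    for rec in order_srv(records, rng):
        tried.append(rec.target)
        result = try_dc(rec)
        if result is not None:
            return rec.target, tried
    return None, tried


def make_fake_dc(reachable):
    """Stand-in for a real bind: DCs not in `reachable` behave as timeouts."""
    def try_dc(rec):
        return "ok" if rec.target in reachable else None
    return try_dc


if __name__ == "__main__":
    chosen, tried = authenticate_with_failover(
        SAMPLE_SRV, make_fake_dc({"dc1.company.local", "dc2.company.local"}))
    print("authenticated against", chosen, "after trying", tried)
```

Putting the restricted DCs at a higher priority value means they are only contacted once every lower-priority DC has failed, which is the DNS-side control the original question asks for; the thread's point is that APM's authentication resolver does not apply these rules.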
  • Hi,

    You can query the global catalog to find out which domain to send the request to.

    • create an AAA LDAP server with Global Catalog servers (port 3268)
    • create an LDAP query between Logon Page and AD Auth

    In the LDAP query branch rules, use the following expression to split the tree for different domains:

    expr {[string tolower [mcget {session.ldap.last.attr.dn}]] ends_with "dc=company,dc=local"}

    or

    expr {[string tolower [mcget {session.ldap.last.attr.dn}]] contains "dc=company"}
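A plain-Python model of the branch logic in this answer, added here as an illustration; it is not taken from the thread or from APM itself. It lower-cases the DN the way `string tolower` does, additionally trims spaces around the RDN separators, tests the most specific suffix first so a child domain is not swallowed by its parent's branch, models the looser `contains` branch, and includes a function showing why lower-casing only one side of the comparison never matches. The domain names and DNs are hypothetical.

```python
# Branching on the DN returned by an LDAP query against the global catalog.

# Map of DN suffix -> branch name. Constructed for this example; the
# suffixes are hypothetical domain names, not taken from the thread.
DOMAIN_BRANCHES = {
    "DC=sub,DC=company,DC=local": "sub.company.local",
    "DC=company,DC=local": "company.local",
    "DC=partner,DC=net": "partner.net",
}


def normalize_dn(dn):
    """Lower-case the DN and drop whitespace around RDN separators, so
    'CN=Bob, OU=Users, DC=Company, DC=Local' and
    'CN=Bob,OU=Users,DC=company,DC=local' compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def select_branch(dn, branches=DOMAIN_BRANCHES, default="fallback"):
    """Return the branch whose suffix the normalized DN ends with.
    Longer suffixes are tested first so 'dc=sub,dc=company,dc=local'
    wins over 'dc=company,dc=local' for users in the child domain."""
    ndn = normalize_dn(dn)
    for suffix, name in sorted(branches.items(), key=lambda kv: -len(kv[0])):
        nsuf = normalize_dn(suffix)
        # Anchor on the comma so 'dc=companyx,dc=local' cannot match.
        if ndn == nsuf or ndn.endswith("," + nsuf):
            return name
    return default


def forest_contains(dn, component="dc=company"):
    """Model of the looser `contains` branch: true for any DN that has the
    component anywhere in it, i.e. the whole company forest."""
    return component in normalize_dn(dn)


def mixed_case_mismatch(dn):
    """Pitfall: the DN is lower-cased but the literal keeps upper-case 'DC='
    and a space after the comma, so this can never be true for a DN as
    AD returns it. Kept here only to show the failure mode."""
    return dn.lower().endswith("DC=company, DC=local")


if __name__ == "__main__":
    for sample in ("CN=Alice,OU=Users,DC=company,DC=local",
                   "CN=Bob, OU=Users, DC=Sub, DC=Company, DC=Local",
                   "CN=Dave,DC=other,DC=org"):
        print(sample, "->", select_branch(sample))
```

In APM the branch rules are evaluated top to bottom, so the same "most specific suffix first" ordering has to be applied by hand when a child domain and its parent both get a branch.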