Forum Discussion

patonbike_25784
Mar 01, 2019

Limit particular AD users on APM?

I am doing a very basic AD login with an Active Directory AAA server and access profile. Is there a way to limit a list of users that can access the virtual server with the applied APM profile?

I assume you could do it with an iRule and data group by comparing ACCESS::session data get session.logon.last.username to the data group, but is there a built in mechanism that I am not seeing?

What about limiting particular AD groups?

4 Replies

  • There's user limiting via AD, and there's also limiting via a local user database and checking that after AD authentication succeeds. I use that for VPN to assign network access profiles based on the presence of the user in the local db as well as the group name they're assigned to (ex. Network team folks have a slightly different access policy than Server team folks, and both teams have their own SNAT pool address, whereas everyone else gets a "default" or auto one). Works fine for a reasonably small number of users.

    With what you're doing you could add a local user db and populate it with the people who should have access. Check that db for the user (use the same IDs they use for AD auth) after AD auth succeeds. If they're there, fine, proceed. If not, deny access.

    All this if/then stuff you add/modify in the Access Policy using the Visual Policy Editor.

  • Here is what I am doing right now, not quite sure if this is a "good" solution, seems a little clunky:

    when HTTP_REQUEST {
        # Only check once APM has recorded a logon name for this session
        if { [string length [ACCESS::session data get session.logon.last.username]] > 0 } {
            # class match "contains": true when the lowercased username contains a data group key (substring match)
            if { ! [class match [string tolower [ACCESS::session data get session.logon.last.username]] contains MyDataGroup-acl] } {
                HTTP::respond 200 content "Please contact XXXXXXX for access to this site."
            }
        }
    }

  • Hi

    Create a new group in Active Directory. Add to your APM profile, after AD Auth, a simple AD Query and check if the user is a member of the newly created AD group.

  • Hi Patrick,

    APM can easily handle authorization in addition to accounting. The easiest way to limit access to the VIP would be to create different groups on your AD server; one for each team with different levels of access. Then, in your VPE, add an AD query, and configure your VPE to make decisions based on the results of the query. i.e., if a user is a member of a particular group, they can be allowed through, denied, or receive a specific message, etc.

    Your iRule solution looks like it would work fine, but it might be more difficult to maintain rather than just directly changing your access policy. F5 has a guide on implementing AD queries if you're interested. At the end of the day it might just come down to whatever is easiest for you.

    Best of luck,

    Austin
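The two approaches in this thread (the asker's data-group check on session.logon.last.username and the AD Query group-membership check from the later replies) can be combined into one check that runs inside the access policy itself, shown here as an added example that is not from the thread or from F5's own documentation. It assumes an iRule Event agent in the VPE with agent ID check_allowed_users placed after the AD Auth and AD Query agents, a string data group named allowed_users keyed by lowercase usernames, and the group DN shown in the code; a VPE branch rule then tests the session.custom.allowed variable it sets.

```tcl
# Added example: runs from an "iRule Event" agent (assumed ID: check_allowed_users)
# placed in the VPE after the AD Auth and AD Query agents. It sets
# session.custom.allowed, which a VPE branch rule then tests with
#   expr { [mcget {session.custom.allowed}] == 1 }
# so the fallback branch can end in Deny or show a message page.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "check_allowed_users" } {
        return
    }

    # Lowercase the logon name so data group keys can be stored in one case
    set user [string tolower [ACCESS::session data get session.logon.last.username]]

    # memberOf as stored by the AD Query agent; APM joins multi-valued
    # attributes into one string with " | " between values
    set groups [ACCESS::session data get session.ad.last.attr.memberOf]

    # Assumed DN of the AD group whose members should be let through
    set allowed_group "CN=APM-Allowed,OU=Groups,DC=example,DC=com"

    set allowed 0

    # Per-user allow list: "equals" rather than "contains", so an entry for
    # "bob" does not also admit "bobby" (assumed data group: allowed_users)
    if { [class match $user equals allowed_users] } {
        set allowed 1
    } else {
        # Group check: compare each DN exactly (case-insensitive) after trimming
        foreach dn [split $groups "|"] {
            if { [string equal -nocase [string trim $dn] $allowed_group] } {
                set allowed 1
                break
            }
        }
    }

    ACCESS::session data set session.custom.allowed $allowed

    if { $allowed == 0 } {
        # Leave an audit trail for denied logons
        log local0. "APM allow list: denied user '$user' from [ACCESS::session data get session.user.clientip]"
    }
}
```

If the AD Query agent is not in the policy, session.ad.last.attr.memberOf is empty and only the data group check applies.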