Forum Discussion

Jorjjj
May 09, 2015

APM - SSL VPN Client Side check based on pre-defined list of MAC ADDRESSES

Hello there, I am configuring an SSL VPN policy where I need to filter users connecting based on their MAC addresses.

When creating my policy, I have chosen the client-side check MACHINE INFO, but can't see any info related to the client MAC address.

Can someone please provide the steps needed to create a list of allowed MAC addresses? From my readings, I think I should create a datagroup, but I'm not sure about the type I need to create, and what info to fill in it (String, Value).

Do I need to create any iRule for that? Or could I add the check directly on the Machine Info check in the VPE?

If so, how do I add the check to match the collected client MAC address with the pre-defined list?

Thanks, Regards,


5 Replies

  • kunjan

    1) You can create a DG (data group) of type string.

    ltm data-group internal macDG {
        records {
            00:50:56:B3:7B:4E { }
        }
        type string
    }
    

    2) Create an ACCESS_POLICY_AGENT_EVENT iRule

    when ACCESS_POLICY_AGENT_EVENT {
       if { [ACCESS::policy agent_id] eq "chkmac" } {
          set mac [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[0\].mac_address" ]
          if { [class match $mac equals macDG } {
             ACCESS::session data set "session.logon.custom.chkmac" 1
          } else {
             ACCESS::session data set "session.logon.custom.chkmac" 0
          }
       }
    

    3) In the VPE, create an iRule Event item with ID "chkmac"

    4) Verify the session.logon.custom.chkmac in the VPE

    apm policy policy-item /Common/ap_maccheck_act_empty {
        caption chkmac
        color 1
        item-type action
        rules {
            {
                caption "MacVerified"
                expression "expr { [mcget {session.logon.custom.chkmac}] == 1 }"
                next-item ....
            }
            {
                caption fallback
                next-item ...
            }
        }
    }
    
  • Jorjjj

    Hello there, thanks for your answer.

    I am having some errors while applying the iRule.

    I added the datagroup as follows:

    And here is how my policy looks; where should I add the last part, (4) Verify the session.logon.custom.chkmac in the VPE?

    Thanks, Regards, Georges

  • kunjan

    You can add (4) after the chkmac_iRule_Event

    Try this, there was a typo earlier:

    when ACCESS_POLICY_AGENT_EVENT {
       if { [ACCESS::policy agent_id] eq "chkmac" } {
          set mac [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[0\].mac_address" ]
          if { [class match $mac equals macDG] } {
             ACCESS::session data set "session.logon.custom.chkmac" 1
          } else {
             ACCESS::session data set "session.logon.custom.chkmac" 0
          }
       }
    }   
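    As an added example (not kunjan's iRule, and not F5's own code), the same ACCESS_POLICY_AGENT_EVENT flow hardened for the two things that most often make the corrected rule above branch to fallback unexpectedly: it walks every adapter the Machine Info check reported instead of only index 0, and it normalizes separator and case before the data-group lookup, since class match compares strings literally. It assumes the data group "macDG" stores MACs in lowercase colon form, that adapters are exposed as session.machine_info.last.net_adapter.list.[N].mac_address, and that ACCESS::session data get returns an empty string for an index that does not exist. The MAC is still a client-reported value, so this is one factor beside the logon, not a sole gate.

```tcl
# Added example: walk all reported adapters and normalize before the lookup.
# Assumes "macDG" records are lowercase, e.g. 00:50:56:b3:7b:4e.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "chkmac" } { return }

    set matched 0
    set seen [list]
    # Cap the walk so a malformed or huge adapter list cannot loop unbounded.
    for { set i 0 } { $i < 16 } { incr i } {
        set mac [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[$i\].mac_address"]
        # Assumption: a missing index yields "" (end of the list).
        if { $mac eq "" } { break }
        # Normalize "00-50-56-B3-7B-4E" and "00:50:56:B3:7B:4E" to one form
        # so the literal string comparison in class match can succeed.
        set mac [string tolower [string map {- :} $mac]]
        lappend seen $mac
        if { [class match $mac equals macDG] } {
            set matched 1
            break
        }
    }

    # Same variable the VPE branch rule tests: mcget {session.logon.custom.chkmac} == 1
    ACCESS::session data set "session.logon.custom.chkmac" $matched
    # Log what was evaluated so a fallback branch can be traced from /var/log/ltm.
    log local0. "chkmac sid=[ACCESS::session sid] adapters={$seen} matched=$matched"
}
```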
    
  • Jorjjj

    Hello, the iRule was saved properly, thx!

    One last question: how should I add the (4) after the iRule? Should it be a branch rule within the iRule box, or a separate function/box to be added? If so, what type should it be?

    Thanks, Regards,

  • kunjan

    You can do the following:

    1) Insert an 'Empty' action

    2) Go to 'Add branch rule' (Change -> Advanced) and enter:
    expr { [mcget {session.logon.custom.chkmac}] == 1 }