Forum Discussion

Mariappan_S_156
Jun 20, 2014

F5 APM CLIENT SECURITY MAC ADDRESS

Our objective: we have a list of MAC addresses of our corporate systems in a text file like the one below.


    00:19:DB:DC:3E:8F 00:1D:92:47:75:EF


We need to check the user's system MAC address at SSL VPN login time; if the user's system MAC address matches the list, then we allow the resource assignment.


We are going to use the iRule below for that.

    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "Your_iRule_event_name" {
                set Client_MAC [ACCESS::session data get session.client.mac_address]
                if { [class match $Client_MAC equals mac-datagroup] } {
                    ACCESS::session data set session.custom.mac_accepted 1
                }
            }
        }
    }


We need clarification on the points below:

  • Which type of data group should be used, internal or external?
  • In the data group, in what format do we enter the data? (00:1D:92:47:75:EF or mac := 00:1D:92:47:75:EF)
  • In which column, String or Value, do we enter the MAC address?
  • In the VPE, what value do we need to enter for the Custom iRule Event Agent ID?
  • kunjan

    • Which type of data group should be used, internal or external?

      Internal, as it is not in a file.

    • In the data group, in what format do we enter the data? (00:1D:92:47:75:EF or mac := 00:1D:92:47:75:EF)

      Just 00:1D:92:47:75:EF

    • In which column, String or Value, do we enter the MAC address?

      Enter the MAC address list in the String column.

    • In the VPE, what value do we need to enter for the Custom iRule Event Agent ID?

      You can use any string as the ID.

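A worked version of the data group plus iRule described in the question and answer above (an added example, not the posters' own code). It assumes an internal string data group named mac-datagroup, a Custom iRule Event agent with the ID check_mac placed after a Machine Info agent in the VPE, and that session.client.mac_address may hold one or more space-separated adapter addresses.

```tcl
# Added example (not the original poster's iRule): MAC allow-list check for an
# APM access policy. Assumed setup: an internal string data group named
# "mac-datagroup" whose records are plain upper-case MACs, created with
#
#   tmsh create ltm data-group internal mac-datagroup type string \
#        records add { 00:19:DB:DC:3E:8F { } 00:1D:92:47:75:EF { } }
#
# and a Custom iRule Event agent (ID "check_mac") placed after a Machine Info
# agent in the VPE, so that session.client.mac_address is populated.
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "check_mac" {
            # Default to deny; the VPE branch rule tests this variable.
            ACCESS::session data set session.custom.mac_accepted 0

            set raw [ACCESS::session data get session.client.mac_address]
            if { $raw eq "" } {
                # Nothing reported: Machine Info agent missing or it failed.
                log local0. "APM sid [ACCESS::session sid]: no MAC reported, denying"
                return
            }

            # Assumption: the variable may carry several space-separated
            # adapter addresses. Normalise each one (upper-case, dash -> colon)
            # so the lookup does not depend on how the client formats it.
            foreach mac [split [string trim $raw]] {
                set mac [string toupper [string map {"-" ":"} $mac]]
                if { [class match $mac equals mac-datagroup] } {
                    ACCESS::session data set session.custom.mac_accepted 1
                    log local0. "APM sid [ACCESS::session sid]: MAC $mac is in the allow-list"
                    return
                }
            }
            log local0. "APM sid [ACCESS::session sid]: no MAC in allow-list for user [ACCESS::session data get session.logon.last.username]"
        }
    }
}
```

In the VPE, branch on the result with expr { [mcget {session.custom.mac_accepted}] == 1 }. The address comes from the client-side Machine Info check, so treat the match as one endpoint signal alongside authentication rather than the only gate to the resource.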
    • Mariappan_S_156

      We completed it, thanks; we just added Machine Info in front of the iRule Event. Thanks.
  • Hi, I have been developing an iRule to detect whether the user already has any other VPN session to the same endpoint. Can you share your iRule? I think it'll be useful for creating a new one.


  • Hi,

    I wrote this iRule to count and close the previous session before this feature was included in APM.

    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "close" {
                # Close the concurrent session recorded by the "user_count" event
                set apm_csid [ACCESS::session data get session.custom.concurrentid]
                if { $apm_csid ne "" && $apm_csid != 0 } {
                    log local0. "fin de la session $apm_csid"
                    ACCESS::session remove -sid $apm_csid
                }
            }
            "user_count" {
                # Look up existing sessions for this profile/user pair by uuid
                set apm_uuid "[PROFILE::access name].[ACCESS::session data get session.logon.last.username]"
                set apm_cookie_list [ACCESS::uuid getsid $apm_uuid]
                if { [llength $apm_cookie_list] != 0 } {
                    set apm_concurentid [lindex $apm_cookie_list 0]
                    set apm_concurentip [ACCESS::session data get session.user.clientip]
                } else {
                    # In Tcl the "else" must follow the closing brace on the same line
                    set apm_concurentid 0
                    set apm_concurentip 0
                }
                ACCESS::session data set session.custom.concurrentnum [llength $apm_cookie_list]
                ACCESS::session data set session.custom.concurrentid $apm_concurentid
                ACCESS::session data set session.custom.concurrentip $apm_concurentip
                log local0. "session concurrente $apm_concurentid"
            }
        }
    }


    In this iRule, policy_id is the event ID of the iRule Event in the VPE. The user authenticated on a policy is identified by its uuid:

          set apm_uuid "[PROFILE::access name].[ACCESS::session data get session.logon.last.username]"