
Alternative for “is_vpn_url”

When using AAA, I usually set up a content switch that fronts a non-addressable AAA vserver. The policy that routes traffic to that vserver is one of those things I found over-complicated: the “is_vpn_url” policy expression interferes too much with the content switch (my opinion).

When using AAA, I always use Authentication Profiles; this simplifies the configuration and prevents mistakes. It also causes a cookie called “NSC_TMAP” to be created during logon, which is destroyed once logon completes. I found two requests that do not carry this cookie, yet should still be handled by AAA: /cgi/tm?xxxxxxxxx and /cgi/selfauth?xxxxxxx

With that in mind, I created a policy expression, PE_AAA_AUTH: HTTP.REQ.URL.PATH.EQ("/cgi/tm") || HTTP.REQ.URL.PATH.EQ("/cgi/selfauth") || HTTP.REQ.COOKIE.NAME_VALUE("NSC_TMAP").EQ("").NOT

If PE_AAA_AUTH evaluates TRUE, the request is sent to the AAA vserver; I normally bind this policy on the content switch with a low priority number (say 10), so it is evaluated before the other policies. If FALSE, the request should be processed by the load balancing vservers bound to the content switch.
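As an added example (not the author's snippet, which is not reproduced on this page), the configuration described above expressed as NetScaler CLI commands. All object names (CS_portal, AAA_portal, AP_portal, LB_web, CSA_aaa, CSP_aaa), the host name portal.example.com and the VIP 203.0.113.10 are assumed placeholders; the policy expression itself is the one from the post.

```netscaler
# Added example, not the author's configuration. Names, FQDN and VIP are assumed placeholders.

# 1. Non-addressable AAA vserver (IP 0.0.0.0); only the content switch reaches it.
add authentication vserver AAA_portal SSL 0.0.0.0

# 2. Authentication profile pointing at that vserver. The authentication host is the same
#    FQDN the content switch answers on, so logon stays on one host name and the
#    NSC_TMAP cookie is set on that name during logon.
add authentication authnProfile AP_portal -authnVsName AAA_portal -AuthenticationHost portal.example.com

# 3. The policy expression from the post: the two cgi paths that carry no NSC_TMAP cookie,
#    plus any request that still carries one (logon in progress).
add policy expression PE_AAA_AUTH "HTTP.REQ.URL.PATH.EQ(\"/cgi/tm\") || HTTP.REQ.URL.PATH.EQ(\"/cgi/selfauth\") || HTTP.REQ.COOKIE.NAME_VALUE(\"NSC_TMAP\").EQ(\"\").NOT"

# 4. Content switching: priority 10 (lowest number is evaluated first) sends matches to the
#    AAA vserver; everything else falls through to the default load balancing vserver.
add cs vserver CS_portal SSL 203.0.113.10 443
add cs action CSA_aaa -targetVserver AAA_portal
add cs policy CSP_aaa -rule PE_AAA_AUTH -action CSA_aaa
bind cs vserver CS_portal -policyName CSP_aaa -priority 10
bind cs vserver CS_portal -lbvserver LB_web

# 5. The protected load balancing vserver enforces authentication through the same profile,
#    so a request that bypasses the cs policy is still challenged.
set lb vserver LB_web -authnProfile AP_portal
```

The cs policy only decides where a request is routed; it is not the access control. Step 5 is what makes the application vservers reject unauthenticated sessions, so verify after a change that a fresh client requesting a protected path on LB_web is redirected to logon, and that /cgi/tm and /cgi/selfauth still land on the AAA vserver (check the hit counters with `show cs policy CSP_aaa`).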

Websites using a cgi path, a logon path, etc. can now be integrated with AAA using the same FQDN (hurrah!!)

Again, this only works if you use authentication profiles consistently and on an AAA vserver logon point (all UAG functionality has been removed).

Snippet:

(The content switch is configured using Core-Logic version 10.3, being released soon in a theater near you.)

Try it and have fun with it…


What do you think?
