Use a Virtual Attribute to pass an IP Range List for an Access Manager Authorization Policy

  • A comma-separated list of IP ranges is retrieved by making REST calls to an external web
    service, for example:

    192.168.0.1-192.168.0.254,10.2.92.1-10.2.92.254
  • Configure a data Source for REST
    [Screenshot: RESTDataSource_NetIQ_Access_Manager.png]

  • Configure a Virtual Attribute Source

    [Screenshot: RESTAttributeSource_NetIQ_Access_Manager.png]
  • Configure a Virtual Attribute

    [Screenshot: VirtualAttributeWithScript.png]
    Note: The important part here is the JavaScript. The Access Gateway Authorization Policy expects an array of IP address ranges. Passing the whole list as a single parameter causes a failure at the Access Gateway Embedded Service Provider when it processes the policy (see "/var/opt/novell/nam/logs/mag/tomcat/catalina.out"):
    <amLogEntry> 2020-05-15T12:09:07Z INFO NIDS Application: AM#501102050: AMDEVICEID#esp-38B3F24F8BAD9546: AMAUTHID#c44e5f991d1fd1235ba1539d74a51bbd49a42d9f7a94ea61c8d15baa901b4ffa: PolicyID#2200P6
    77-OL09-1867-43M8-123MM31429P5: NXPESID#25:  AGAuthorization Policy Trace:    ~~RL~1~~~~Rule Count: 1~~Success(0)
       ~~RU~RuleID_1589206845724~IP-Address-Check~DNF~~1:1~~Success(0)
       ~~CS~1~~ANDs~~1~~True(69)
       ~~CO~0~ClientIP(2504):::10.44.167.2:~com.novell.nxpe.condition.NxpeOperator@ip-in-range~virtualAttribute(6648)::::~~~True(69)~ResultOnError<invalid range = 192.168.0.1-192.168.0.254,10.2.92.1-10.2.92.254
    .147.2.92.252>
       ~~PA~1~~Deny~~~~Success(0)
       ~~PC~1~~Document=(ou=xpemlPEP,ou=1lsi7q1dpjuxs2f,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(IP-Address-Check),Rule=(1::RuleID_1589206845724),Action=(Deny::1)~~~~Success(0)
     </amLogEntry>
  • If everything is configured correctly, the Virtual Attribute calculation during the IDP login process should produce two values, which you can verify in the logs:

    Calculated the value of the Virtual attribute VAIPRangeList successfully
    Value is : [xxxx, xxxx] </amLogEntry>
  • An Access Gateway Authorization Policy uses the Virtual Attribute as the source for comparing the client IP address against the ranges (allow / deny access).

    [Screenshot: AG-Authorization-Policy_NetIQ_Access_Manager.png]

  • For troubleshooting, turn on the following IDP cluster Auditing and Logging settings:

    [Screenshot: Logging_Settings_NetIQ_Access_Manager.png]
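The JavaScript inside the Virtual Attribute is only visible in the screenshot above. The following is an added example (not the script from this post and not NetIQ's own code) of the conversion that script has to perform: turn the comma-separated REST response into an array of validated ranges, which is the shape the "ip-in-range" condition expects. The helper names are mine, and how the Access Manager script wrapper receives the REST value and returns the result is an assumption.

```javascript
// Added example: convert the REST data source string into an array of
// well-formed "start-end" IPv4 ranges for the Access Gateway policy.

// Parse a dotted-quad IPv4 address into an integer; null if malformed.
function ipv4ToInt(s) {
  const parts = s.trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// "a,b,c" -> ["a", "b", "c"], keeping only ranges whose start is not above
// the end. A malformed entry is dropped instead of passed on, because one bad
// element makes the whole condition fall back to ResultOnError (a Deny here).
function splitIpRangeList(list) {
  const result = [];
  for (const entry of String(list || '').split(',')) {
    const range = entry.trim();
    if (range === '') continue;
    const ends = range.split('-');
    if (ends.length !== 2) continue;
    const lo = ipv4ToInt(ends[0]);
    const hi = ipv4ToInt(ends[1]);
    if (lo === null || hi === null || lo > hi) continue;
    result.push(ends[0].trim() + '-' + ends[1].trim());
  }
  return result;
}

// Local check mirroring the policy's ip-in-range comparison, so a list can be
// tested before the Virtual Attribute is deployed.
function ipInRanges(ip, ranges) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return ranges.some(r => {
    const [a, b] = r.split('-').map(ipv4ToInt);
    return n >= a && n <= b;
  });
}

// Constructed sample equal to the list in this post. In the Virtual Attribute
// script the REST response would be passed in and splitIpRangeList(...) returned
// as the attribute value (assumption about the script wrapper).
const SAMPLE = '192.168.0.1-192.168.0.254,10.2.92.1-10.2.92.254';
```

Running ipInRanges('10.44.167.2', splitIpRangeList(SAMPLE)) reproduces the Deny seen in the log trace above, since that client address lies outside both ranges.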
