User lockout policy

Uses an iRule that puts the username in the table and, after the logon page, reads the table to check whether the user is in it. If the user is in it you end up on the failure branch. The user is put in the table on the fallback branch of the AD Auth agent. The iRule does not count attempts itself: the AD Auth agent only takes its fallback branch once its maximum number of logon attempts is exhausted, so the number of failures before a lockout depends on that setting.

iRule:

# version mgmt
# version 0.1 06092017 kvdBos (kees@kees4ip.nl)
# iRule for user lockout (in combination with iRule Event agents in the VPE)
# If authentication fails X times (X depends on the AD Auth agent's max logon attempts setting)
# the user is added to the table for 300 seconds.
# On the next login attempt the user is presented with an error page.
when ACCESS_POLICY_AGENT_EVENT {
   if { [ACCESS::policy agent_id] eq "failed_logon" } {
      # Agent on the fallback branch of AD Auth: record the username with a 300 second timeout
      table set [ACCESS::session data get session.logon.last.username] 100 300
   } elseif { [ACCESS::policy agent_id] eq "check_logon" } {
      # Agent after the logon page: locked_out = 1 when the username is still in the table
      # (-notouch so that the lookup does not reset the 300 second timeout)
      ACCESS::session data set session.custom.locked_out "0"
      if { [table lookup -notouch [ACCESS::session data get session.logon.last.username]] ne "" } {
         ACCESS::session data set session.custom.locked_out "1"
      }
   } elseif { [ACCESS::policy agent_id] eq "lookup_timeout" } {
      # Agent on the locked-out branch: remaining time of the entry, for use on the error page
      set livetime [table lifetime -remaining [ACCESS::session data get session.logon.last.username]]
      set timeout [table timeout -remaining [ACCESS::session data get session.logon.last.username]]
      ACCESS::session data set session.custom.lockout.timeout $timeout
      log local0. "timeout $timeout"
      log local0. "livetime $livetime"
   }
}

Access Policy (make it a macro):

(Screenshot of the visual policy editor not included.) The flow the iRule expects: Logon Page, then an iRule Event agent with ID check_logon, then a branch "Check Locked out" with the rule below. On the locked-out branch an iRule Event agent with ID lookup_timeout followed by the error page; on the other branch AD Auth, with an iRule Event agent with ID failed_logon on its fallback branch.

Check Locked out branch rule:

expr { [mcget {session.custom.locked_out}] == 1 }
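The following is an added example and not the kees4IP iRule from this page: it keeps the same three agent events and the same branch rule, but adds the three things a practitioner would want on top. The username is lowercased and trimmed before it is used as a key (AD logon names are case-insensitive, so otherwise a retry as "Alice" would not see the lockout recorded for "alice"); the entries live in a dedicated subtable so they cannot collide with keys from other iRules; and the lifetime is set explicitly so the window ends at a fixed time and the remaining seconds can be shown on the error page. The subtable name user_lockout and the 300 second window are assumptions for this example, as is the use of session.user.clientip for logging.

```tcl
# Added example (not the original kees4IP iRule). Assumptions: the VPE uses the
# page's agent IDs (check_logon, failed_logon, lookup_timeout); the subtable name
# "user_lockout" and the 300 second window are arbitrary choices for this example.
when RULE_INIT {
    set static::lockout_secs 300
    set static::lockout_subtable "user_lockout"
}

when ACCESS_POLICY_AGENT_EVENT {
    # AD logon names are case-insensitive: normalise the key, otherwise a retry
    # as "Alice" would not see the lockout recorded for "alice".
    set user [string tolower [string trim [ACCESS::session data get session.logon.last.username]]]
    if { $user eq "" } {
        return
    }
    set client [ACCESS::session data get session.user.clientip]

    switch -- [ACCESS::policy agent_id] {
        "failed_logon" {
            # On the fallback branch of AD Auth. Timeout and lifetime are both set
            # to the window, so the entry expires at a fixed time no matter how
            # often it is touched; the value is just the time of the lockout.
            table set -subtable $static::lockout_subtable $user [clock seconds] \
                $static::lockout_secs $static::lockout_secs
            log local0. "lockout set for user=$user client=$client"
        }
        "check_logon" {
            # After the logon page. -notouch so the lookup does not reset the timeout.
            ACCESS::session data set session.custom.locked_out "0"
            if { [table lookup -notouch -subtable $static::lockout_subtable $user] ne "" } {
                ACCESS::session data set session.custom.locked_out "1"
                log local0. "lockout hit for user=$user client=$client"
            }
        }
        "lookup_timeout" {
            # On the locked-out branch: seconds until the entry expires, for the
            # error page (APM substitutes %{session.custom.lockout.timeout} in a
            # Message Box or customised page).
            set remaining [table lifetime -subtable $static::lockout_subtable -remaining $user]
            ACCESS::session data set session.custom.lockout.timeout $remaining
        }
    }
}
```

The branch rule stays `expr { [mcget {session.custom.locked_out}] == 1 }`. Note that the lockout is keyed on the username only, so anyone who knows a username can keep it locked out from any client for the length of the window; that is the same trade-off as an AD account lockout, so keep the window short.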

kees4IP