APM - Visual policy - Combining session variables in one Branch
I am trying to understand whether the following is possible: APM > Visual Policy > Branch. In there I want to achieve the following:
The following two strings (bogus values) belong to one device. I have now built two branches, each of which checks for:
a) MAC address check
Check on MAC address:
expr { [mcget {session.client.mac_address}] == "00:11:22:33:44:55" }
b) UDID check
Check on UDID:
expr { [mcget {session.client.unique_id}] == "1234567890123456789012345678901234567890" }
I want to build one branch where these two strings must match for one device only. When MAC 'Y' is found, UDID 'Z' should correspond to it; any other matching combination is not valid. These two checks are a pair, and there are many pairs in a branch.
Thank you.
10 Replies
- Kevin_Stewart
Employee
You should be able to use a logical AND in your expression:
expr { [mcget {session.client.mac_address}] == "00:11:22:33:44:55" && [mcget {session.client.unique_id}] == "1234567890123456789012345678901234567890" }
You might be better off, however, using a set of data groups and an iRule call-out to do this, if for no other reason than easier manageability.
- d_y_gobel_11576
Nimbostratus
Thank you!
I like the easiness of this product :)
And thank you for your tip.
If I understand it right, I place the expressions in an iRule and call that iRule from the branch. I like that idea; an iRule is indeed much easier to edit.
- Kevin_Stewart
Employee
Suppose you have a data group with a set of concatenated MAC-UUID pairs:
ltm data-group internal /Common/macuuid-list-datagroup {
    records {
        00:11:22:33:44:55-1234567890123456789012345678901234567890 { }
        00:11:22:33:44:56-1234567890123456789012345678901234567891 { }
        00:11:22:33:44:57-1234567890123456789012345678901234567892 { }
    }
    type string
}
Then create an iRule event agent in your policy and give it a unique ID (example: CLIENTINFO)
Your iRule would then look something like this:
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "CLIENTINFO" {
            set clientinfo "[ACCESS::session data get session.client.mac_address]-[ACCESS::session data get session.client.unique_id]"
            if { [class match $clientinfo equals macuuid-list-datagroup] } {
                ACCESS::session data set session.custom.clientfound 1
            }
        }
    }
}
So you trigger the iRule event based on the event ID, concatenate the MAC and UUID values into a single string, then look that string up in the data group using the class match command. If the key exists, create a new session value (ex. session.custom.clientfound) and set it to 1 (or any value). Then in your visual policy after the iRule event, create an empty agent and create a branch rule that evaluates the custom variable:
expr { [mcget session.custom.clientfound] }
If it's true (exists), then take one branch, otherwise take another. This way you can maintain your client list in a MUCH easier format that doesn't require re-applying the policy every time you make a change.
- d_y_gobel_11576
Nimbostratus
Got it working.
==================== Overview of used scripts and steps taken ===============
Add a new iRule, just give it a name:
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "TRIGGER-STRING-FOR-iRULE EVENT" {
            set clientinfo "[ACCESS::session data get session.client.mac_address]-[ACCESS::session data get session.client.unique_id]"
            if { [class match $clientinfo equals macuuid-list-datagroup] } {
                ACCESS::session data set session.custom.clientfound 1
            }
        }
    }
}
Add a new Data Group List with the name: macuuid-list-datagroup
Add a String in the following order: 00:11:22:33:44:55-1234567890123456789012345678901234567890
Add the iRule in your Virtual Servers (vpntest_vs) > Resources > (point to your created iRule)
Add in Visual Access Policy a new iRule Event after XxX-Auth > edit the ID with your switch name: TRIGGER-STRING-FOR-iRULE EVENT
Directly after the iRule Event create an Empty Action and add a string within the Branch Rule: expr {[mcget {session.custom.clientfound}] == 1}
Place Full Resource Assign at Branch Rule 1 (not fallback; a little bit confusing actually: you would think that when it hits the string in the Branch Rule it will choose the fallback path, but it does not.)
====================================================
After all, the Data Group List within the web GUI isn't very convenient for adding many strings (hundreds). I was thinking about whether I can add strings through the CLI (and where), or do something with the iFile List.
Anyway, thank you Kevin for helping me out.
edit: made it more readable.
- Kevin_Stewart
Employee
Adding entries to a data group via CLI is (sort of) straightforward:
tmsh modify ltm data-group internal macuuid-list-datagroup records add { 00:11:22:33:44:55-1234567890123456789012345678901234567890 }
- d_y_gobel_11576
Nimbostratus
Great for huge batches... Ty.
- Luke_Lehman
Employee
Does this break in iOS7? I'm testing from my iPhone (iOS7) and I've turned up logging in the iRule for the value: [ACCESS::session data get session.client.mac_address] and nothing is showing up...curious.
- Kevin_Stewart
Employee
See the following:
https://developer.apple.com/news/?id=8222013a
MAC addresses in iOS 7 - August 22, 2013
If your apps use the MAC address to identify an iOS device, the system will return the same static value for all devices running iOS 7. Please update your apps to use the identifierForVendor property of UIDevice. If you need an identifier for advertising purposes, use the advertisingIdentifier property of ASIdentifierManager.
- Luke_Lehman
Employee
Kevin - thanks that makes sense. However, will the newest version of the BIG-IP Edge Client still have access to the UDID or will an update to the iRule code be needed? Simply put, will this syntax need to change: "ACCESS::session data get session.client.unique_id" ?
- Kevin_Stewart
Employee
No, unique_id should still be available. You just won't have access to the MAC address.
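For the bulk-loading question earlier in the thread (hundreds of MAC-UDID pairs added with tmsh), here is an added example that is not from any poster: a POSIX shell helper that validates a "MAC,UDID" list and prints one tmsh command in the form shown above, for review before it is run on the BIG-IP. The function names and the comma-separated input format are assumptions; keys are kept exactly as supplied because the iRule compares the concatenated string with `equals`.

```shell
#!/bin/sh
# Added example (not from the thread): turn "MAC,UDID" lines into one
# tmsh command. Assumed input: one pair per line, colon-separated MAC
# plus a 40-hex-character UDID, like the bogus values in the thread.
DATAGROUP="macuuid-list-datagroup"

# Print the data-group key for one pair; return 1 if it is malformed.
make_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    printf '%s\n' "$2" | grep -Eq '^[0-9A-Fa-f]{40}$' || return 1
    printf '%s-%s' "$1" "$2"
}

# Read pairs on stdin, print the tmsh command on stdout. Any malformed
# line, or a MAC listed with two different UDIDs, is reported on stderr
# and makes the function return 1 without printing a command.
build_tmsh_command() {
    local line mac udid key keys seen bad
    keys=""; seen=" "; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        case "$line" in ''|'#'*) continue ;; esac
        mac=${line%%,*}; udid=${line#*,}
        if ! key=$(make_key "$mac" "$udid"); then
            echo "rejected (format): $line" >&2; bad=1; continue
        fi
        case "$seen" in
            *" $mac=$udid "*) continue ;;   # exact duplicate, keep one
            *" $mac="*) echo "rejected (MAC already paired): $line" >&2
                        bad=1; continue ;;
        esac
        seen="$seen$mac=$udid "
        keys="$keys $key"
    done
    [ "$bad" -eq 0 ] && [ -n "$keys" ] || return 1
    printf 'tmsh modify ltm data-group internal %s records add {%s }\n' \
        "$DATAGROUP" "$keys"
}

# Constructed sample input, reusing the thread's bogus pairs.
sample_pairs() {
    cat <<'EOF'
# MAC,UDID
00:11:22:33:44:55,1234567890123456789012345678901234567890
00:11:22:33:44:56,1234567890123456789012345678901234567891
EOF
}

sample_pairs | build_tmsh_command
```

Rejecting a MAC that appears with two different UDIDs keeps the list consistent with the one-MAC-to-one-UDID pairing the original question asks for.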