apm question

Okay, this was a fun one. You would need to convert this HEX value to ASCII, which is what WireShark is doing. So in an iRule attached to the VIP, insert the following:

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::session data get session.radius.last.attr.class] ne "" } {
        set bin [ACCESS::session data get session.radius.last.attr.class]

         convert this HEX string for binary format input
        if { [catch {
            set ascii ""
            for { set i 0 } { $i < [string length $bin] } { incr i 2 } {
                append ascii "0x[string range $bin $i [expr $i + 1]] "
            }
             binary format HEX data to ascii and add to an APM session variable
            [ACCESS::session data set session.radius.last.attr.class.decoded [binary format c* $ascii]
        } err] } {
            log local0. "error = $err"
        }   
    }
}

The ACCESS_POLICY_AGENT_EVENT event is triggered from an iRule event agent inserted into the visual policy (after the RADIUS auth) agent. If the session.radius.last.attr.class value is populated from a good auth:

1. The HEX string will be formatted for binary conversion. So "4f553d616f62746f74703b" will become:

   "0x4f 0x55 0x3d 0x61 0x6f 0x62 0x74 0x6f 0x74 0x70 0x3b"
   

2. The new value will then be converted to ASCII and shoved into a new session variable: session.radius.last.attr.class.decoded, which should become:

   OU=aobtotp;
   

3. From there you can evaluate this value in your access policy and beyond.