Forum Discussion
apm question
Hi, is it possible to assign resources to users based on a RADIUS attribute, like nested groups in Active Directory? For example, I have two user groups in RADIUS, technical and sales. If a user is from the technical group, I will provide the user a network resource; if the user is from the sales group, I will provide the user a portal access resource. Thanks,
27 Replies
- Rise_77519
Nimbostratus
Hi Kevin, I tried the iRule but got a syntax error, which is:
```
error_string : 01070151:3: Rule [/Common/radius_rule] error: /Common/radius_rule:9: error: [parse error: PARSE syntax 422 {syntax error in expression " not ( [string range $bin $i [expr $i + 1]] equal "0x" ) ": variable references require preceding $}][{ not ( [string range $bin $i [expr $i + 1]] equal "0x" ) }]
```

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::session data get session.radius.last.attr.class] ne "" } {
        set bin [ACCESS::session data get session.radius.last.attr.class]
        # convert this HEX string for binary format input
        if { [catch {
            set ascii ""
            for { set i 0 } { $i < [string length $bin] } { incr i 2 } {
                if { not ( [string range $bin $i [expr $i + 1]] equal "0x" ) }{
                    append ascii "0x[string range $bin $i [expr $i + 1]] "
                }
            }
            # binary format HEX data to ascii and add to an APM session variable
            [ACCESS::session data set session.radius.last.attr.class.decoded [binary format c* $ascii]]
        } err ] } {
            log local0. "error = $err"
        }
    }
}
```
Thanks,
- Kevin_Stewart
Employee
Try this:
```tcl
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::session data get session.radius.last.attr.class] ne "" } {
        set bin [ACCESS::session data get session.radius.last.attr.class]
        log local0. "bin = $bin"
        # convert this HEX string for binary format input
        if { [catch {
            set ascii ""
            for { set i 0 } { $i < [string length $bin] } { incr i 2 } {
                if { not ( [string range $bin $i [expr $i + 1]] equals "0x" ) } {
                    append ascii "0x[string range $bin $i [expr $i + 1]] "
                }
            }
            log local0. "ascii = $ascii"
            # binary format HEX data to ascii and add to an APM session variable
            [ACCESS::session data set session.radius.last.attr.class.decoded [binary format c* $ascii]
            log local0. "decoded = [binary format c* $ascii]"
        } err] } {
            log local0. "error = $err"
        }
    }
}
```
- Rise_77519
Nimbostratus
Hi Kevin, I got the "error = invalid command name """ error message. Is the error message for the iRule or the access policy?
```
info tmm3[12768]: Rule /Common/radius_rule : bin = 0x4f553d616f62746f74703b
info tmm3[12768]: Rule /Common/radius_rule : ascii = 0x4f 0x55 0x3d 0x61 0x6f 0x62 0x74 0x6f 0x74 0x70 0x3b
info tmm3[12768]: Rule /Common/radius_rule : error = invalid command name ""
```
- Kevin_Stewart
Employee
Remove the square bracket from the front of the ACCESS::session data set command. A typo.
- Rise_77519
Nimbostratus
Hi Kevin, I did not get any error message, but this time I was redirected to the fallback section of the RADIUS group check in the policy after I tried to log in. My policy is as follows:
```
info tmm3[12768]: Rule /Common/radius_rule : bin = 0x4f553d616f62746f74703b
info tmm3[12768]: Rule /Common/radius_rule : ascii = 0x4f 0x55 0x3d 0x61 0x6f 0x62 0x74 0x6f 0x74 0x70 0x3b
info tmm3[12768]: Rule /Common/radius_rule : decoded = OU=aobtotp;
```
Thanks,
- Rise_77519
Nimbostratus
Sorry, the left arrow mark would be for the iRule event in the policy. It is not for the RADIUS authentication section.
- Kevin_Stewart
Employee
Can't really read your Radius group check expression. What does it say?
I'm guessing it should read:
expr { [mcget {session.radius.last.attr.class.decoded}] equals "OU=aobtotp;" }
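Added example, not part of any post in this thread: a shorter way to do the same decode with `binary format H*`, which also refuses to store a Class value that is not clean hex or that decodes to non-printable bytes, since the attribute arrives from outside the BIG-IP and ends up in a policy branch decision. The agent ID `decode_radius_class` is a hypothetical name for the iRule Event agent in the access policy; the session variable names are the ones used in the thread.

```tcl
# Added example (not from the thread). Assumes the iRule Event agent in the
# access policy is configured with the hypothetical ID "decode_radius_class".
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for our own agent so other iRule Event agents are unaffected
    if { [ACCESS::policy agent_id] ne "decode_radius_class" } { return }

    set raw [ACCESS::session data get session.radius.last.attr.class]
    if { $raw eq "" } { return }

    # The thread's log shows the attribute as one hex string,
    # e.g. 0x4f553d616f62746f74703b. Strip an optional leading "0x".
    set hex $raw
    if { [string match -nocase "0x*" $hex] } {
        set hex [string range $hex 2 end]
    }

    # Reject anything that is not a non-empty, even-length run of hex digits
    if { $hex eq "" || [string length $hex] % 2 != 0 || ![string is xdigit -strict $hex] } {
        log local0. "radius class: unexpected format, not decoding"
        return
    }

    # H* converts the whole hex string to bytes in one step,
    # replacing the per-byte loop and "binary format c*"
    set decoded [binary format H* $hex]

    # Store only printable ASCII (space through tilde) so control characters
    # never reach the session variable that branch expressions compare against
    if { ![regexp {^[ -~]+$} $decoded] } {
        log local0. "radius class: non-printable bytes, not decoding"
        return
    }

    ACCESS::session data set session.radius.last.attr.class.decoded $decoded
}
```

When the decode is refused, `session.radius.last.attr.class.decoded` stays unset, so a branch expression that compares it against a group string takes the fallback branch.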