Forum Discussion
apm question
Hi, is it possible to assign resources to users based on a RADIUS attribute, like nested groups in Active Directory? For example, I have two user groups in RADIUS, technical and sales. If a user is from the technical group, then I will provide the user a network resource; if the user is from the sales group, then I will provide the user a portal access resource. Thanks,
27 Replies
- Kevin_Stewart
Employee
If the RADIUS auth is returning this group information to you, it should be available in session variables. I don't remember which session variable this would be in, but you could essentially add an Empty agent in the visual policy, evaluate on the value of this session variable in the branch rules, and then assign different resources to different branches. Something like this:
    expr { [mcget {session.radius.last.attr.groupid}] equals "sales" }
- Rise_77519
Nimbostratus
Hi Kevin, thanks for your response. I created the policy as in the screenshot below, but it did not work. I also used an Empty agent; nothing changed. Are you sure that ..attr.groupid is the correct value to extract the RADIUS group ID? Have you tested the value before? Many thanks,
- Kevin_Stewart
Employee
Are you sure that ..attr.groupid is the correct value to extract the RADIUS group ID?
Absolutely not. At the time of writing the last post I used this as an example for syntax only. I've had a little more time to dig into it though, and I'd direct you to this document:
It states that "session.RADIUS.last.attr.$attr_name" is the set of variables you'd expect to see if RADIUS completed successfully. The "$attr_name" part is dynamic, so I'd suggest you either:
- Perform a successful RADIUS auth first without doing any evaluation on its return values so that you can run an access policy report and see what is actually being returned. The report should show you what values are extracted into separate session variables and what those variables are named.
- Run a network capture and see what the RADIUS server is sending back in its response packets (Wireshark is probably best for this given its ability to filter and display the protocol data). I would do this as a troubleshooting step if the above doesn't produce any session variables.
- Rise_77519
Nimbostratus
Hi Kevin, do I need to send the users' RADIUS group information to the server for authentication, because I only send the username and password to the server from the F5? Do I need to create a box on the logon page to send the group information? Thanks,
- Kevin_Stewart
Employee
I'm not sure I understand the question. I assumed from your first post that you wanted to perform a RADIUS auth based on user credentials, and would have the RADIUS server configured to send user attributes back in its response. If that's still the case, then you need to look at what those attributes are before you can configure anything in the APM visual policy to allow access to different resources based on them. I'd recommend creating a visual policy that does a simple allow at the end of the RADIUS auth agent. Then once you have a successful auth, run an access policy report in the GUI and see what session variables are available from the RADIUS server's response.
So for example, let's say RADIUS returns a "groupid" value, which is assigned to the session.radius.last.attr.groupid session variable (again, arbitrary for the sake of this example). In the visual policy, directly after the RADIUS auth, place an Empty agent (it's actually called that). Open it up and go to the branch rules tab. Create TWO branches (it'll be 3 branches including the fallback branch). For the first branch, enter something like the following:
    expr { [mcget {session.radius.last.attr.groupid}] equals "sales" }
For the second branch, enter something like the following:
    expr { [mcget {session.radius.last.attr.groupid}] equals "tech" }
In the visual policy, place the appropriate full resource assignment after each respective branch of the Empty agent.
- Rise_77519
Nimbostratus
Hi Kevin, the server returns "AVP: l=13 t=Class(25): 4f553d616f62746f74703b" in its response. I converted "4f553d616f62746f74703b" and I see that the value corresponds to the RADIUS group name, which is aobtotp. Then I changed the expression to
    expr { [mcget {session.radius.last.attr.class}] == "aobtotp" }
but it did not work. I think my policy is wrong, or maybe APM does not work properly. I created the policy tree as below.
- Kevin_Stewart
Employee
Can you elaborate on how you "converted the 4f553d616f62746f74703b" value? After a test, run an access policy report in the GUI and see what RADIUS session variables are available. Do you see "4f553d616f62746f74703b" or do you see "aobtotp"?
- Rise_77519
Nimbostratus
Hi Kevin, I used Wireshark: right-click on the "4f553d616f62746f74703b" value, Copy -> Value, and finally pasted the copied value, and I get the aobtotp RADIUS group ID. I ran an access policy report after performing a test and see the same value: "Session variable 'session.radius.last.attr.class' set to '4f553d616f62746f74703b'". What is your suggestion for the latest status? Do I need to open a ticket for the issue?
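As an added illustration (not code from the thread or from F5), the following Python models the Empty-agent branch rules Kevin describes and runs them against the Class attribute value the access policy report showed. It assumes the session variable holds the hex string exactly as reported; that hex decodes to "OU=aobtotp;", so the branch rule has to decode and extract the OU field rather than compare the raw value with "aobtotp".

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the value the access policy report in the thread showed for
# session.radius.last.attr.class (the RADIUS Class attribute, type 25).
SESSION_VARS: Dict[str, str] = {
    "session.radius.last.attr.class": "4f553d616f62746f74703b",
}

Rule = Tuple[str, Callable[[str], bool]]

# Branch rules as written in the thread: an exact comparison of the raw
# session variable against the group name (what `equals` / `==` does).
RAW_RULES: List[Rule] = [
    ("sales", lambda v: v == "sales"),
    ("aobtotp", lambda v: v == "aobtotp"),
]

def decode_class_attr(value: str) -> str:
    """Turn a hex-encoded Class attribute into text; pass plain text through."""
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def group_from_class(value: str) -> Optional[str]:
    """Extract the group name from a Class value of the form 'OU=<group>;'."""
    m = re.search(r"OU=([^;]+)", decode_class_attr(value))
    return m.group(1) if m else None

# Rules that decode the attribute and compare the OU field instead.
DECODED_RULES: List[Rule] = [
    ("sales", lambda v: group_from_class(v) == "sales"),
    ("aobtotp", lambda v: group_from_class(v) == "aobtotp"),
]

def evaluate_branches(session_vars: Dict[str, str], rules: List[Rule]) -> str:
    """Return the first branch whose rule matches, else the fallback branch."""
    value = session_vars.get("session.radius.last.attr.class", "")
    for name, rule in rules:
        if rule(value):
            return name
    return "fallback"

if __name__ == "__main__":
    print(decode_class_attr(SESSION_VARS["session.radius.last.attr.class"]))  # OU=aobtotp;
    print(evaluate_branches(SESSION_VARS, RAW_RULES))      # fallback
    print(evaluate_branches(SESSION_VARS, DECODED_RULES))  # aobtotp
```

Assuming the hex form is really what the variable holds, the same decode inside an APM branch rule would be Tcl's `binary format H*` followed by a regexp on the OU field; the raw `==` comparison can only ever hit the fallback branch.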