Forum Discussion
apm question
Hi, is it possible to assign resources to users based on a RADIUS attribute, like nested groups in Active Directory? For example, I have two user groups in RADIUS, technical and sales. If a user is from the technical group, then I will provide the user a network resource; if the user is from the sales group, then I will provide the user a portal access resource. Thanks,
27 Replies
- Kevin_Stewart
Employee
Okay, so "4f553d616f62746f74703b" is what is returned in the RADIUS auth, and what populates the session.radius.last.attr.class session variable. I still don't get how you derive the aobtotp radius group id from that value.
- Rise_77519
Nimbostratus
Hi Kevin, I selected and then right-clicked on the value, and went to Copy -> Bytes -> Printable Text Only. Later I pasted the value and derived the aobtotp RADIUS group id.
- Kevin_Stewart
Employee
Okay, this was a fun one. You would need to convert this HEX value to ASCII, which is what Wireshark is doing. So in an iRule attached to the VIP, insert the following:
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::session data get session.radius.last.attr.class] ne "" } {
        set bin [ACCESS::session data get session.radius.last.attr.class]
        # convert this HEX string for binary format input
        if { [catch {
            set ascii ""
            for { set i 0 } { $i < [string length $bin] } { incr i 2 } {
                append ascii "0x[string range $bin $i [expr {$i + 1}]] "
            }
            # binary format HEX data to ascii and add to an APM session variable
            ACCESS::session data set session.radius.last.attr.class.decoded [binary format c* $ascii]
        } err] } {
            log local0. "error = $err"
        }
    }
}
The ACCESS_POLICY_AGENT_EVENT event is triggered from an iRule event agent inserted into the visual policy (after the RADIUS auth agent). If the session.radius.last.attr.class value is populated from a good auth:
- The HEX string will be formatted for binary conversion. So "4f553d616f62746f74703b" will become: "0x4f 0x55 0x3d 0x61 0x6f 0x62 0x74 0x6f 0x74 0x70 0x3b"
- The new value will then be converted to ASCII and shoved into a new session variable: session.radius.last.attr.class.decoded, which should become: OU=aobtotp;
- From there you can evaluate this value in your access policy and beyond.
- Kevin_Stewart
Employee
There is no dollar sign before the err variable in the catch statement. Please take a closer look at my previous iRule sample. Notice the $err value in the log local0. statement, and the err variable in the catch statement immediately before that line.
- Rise_77519
Nimbostratus
Hi Kevin, thank you for all your answers. I edited the $err value and ran the load sys conf command but got the "use curly" error message. I also get the "expected integer but got "0x0x"" error message. I am not sure whether the second error message is due to the curly error. I also used the "0x4f 0x55 0x3d 0x61 0x6f 0x62 0x74 0x6f 0x74 0x70 0x3b" and "4f553d616f62746f74703b" values on the iRule event in the policy but got the same expected integer error message. Thanks again,
- Kevin_Stewart
Employee
Can you show your current iRule?
- Rise_77519
Nimbostratus
Hi Kevin, my current iRule:
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::session data get session.radius.last.attr.class] ne "" } {
        set bin [ACCESS::session data get session.radius.last.attr.class]
        # convert this HEX string for binary format input
        if { [catch {
            set ascii ""
            for { set i 0 } { $i < [string length $bin] } { incr i 2 } {
                append ascii "0x[string range $bin $i [expr {$i + 1}]] "
            }
            # binary format HEX data to ascii and add to an APM session variable
            ACCESS::session data set session.radius.last.attr.class.decoded [binary format c* $ascii]
        } err] } {
            log local0. "error = $err"
        }
    }
}
Thanks,
- Kevin_Stewart
Employee
Let's throw some additional logging in there:
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::session data get session.radius.last.attr.class] ne "" } {
        set bin [ACCESS::session data get session.radius.last.attr.class]
        log local0. "bin = $bin"
        # convert this HEX string for binary format input
        if { [catch {
            set ascii ""
            for { set i 0 } { $i < [string length $bin] } { incr i 2 } {
                append ascii "0x[string range $bin $i [expr {$i + 1}]] "
            }
            log local0. "ascii = $ascii"
            # binary format HEX data to ascii and add to an APM session variable
            ACCESS::session data set session.radius.last.attr.class.decoded [binary format c* $ascii]
            log local0. "decoded = [binary format c* $ascii]"
        } err] } {
            log local0. "error = $err"
        }
    }
}
Please test and report the results.
- Rise_77519
Nimbostratus
Hi Kevin, I tested the rule and got the below log messages.
info tmm5[13204]: Rule /Common/radius_rule : bin = 0x4f553d616f62746f74703b
info tmm5[13204]: Rule /Common/radius_rule : ascii = 0x0x 0x4f 0x55 0x3d 0x61 0x6f 0x62 0x74 0x6f 0x74 0x70 0x3b
info tmm5[13204]: Rule /Common/radius_rule : error = expected integer but got "0x0x"
- Kevin_Stewart
Employee
Interesting. Your hex-encoded binary string starts with "0x", which is getting added to the ascii string. Probably the easiest fix would be something like this:
for { set i 0 } { $i < [string length $bin] } { incr i 2 } {
    # skip the leading "0x" chunk so it is not re-prefixed as "0x0x"
    if { [string range $bin $i [expr {$i + 1}]] ne "0x" } {
        append ascii "0x[string range $bin $i [expr {$i + 1}]] "
    }
}
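Added example, my code rather than anything posted in the thread: the hex-to-ASCII decode Kevin outlines and the "0x" prefix his last fix handles, written as plain Tcl that runs in tclsh, plus a constructed parse of the decoded "OU=aobtotp;" value into a group-to-resource lookup for the technical and sales groups from the question. The ACCESS:: usage, the network_access and portal_access names and the group mapping are assumptions, not part of the thread.

```tcl
# Added example, not from the thread: plain Tcl (runs in tclsh) that decodes the
# RADIUS Class attribute; in an iRule, $raw comes from ACCESS::session data get.
proc decode_class {raw} {
    set hex [string trim $raw]
    # Strip an optional "0x" prefix: leaving it in is what produced the
    # "expected integer but got 0x0x" error seen in the logs above.
    if {[string tolower [string range $hex 0 1]] eq "0x"} {
        set hex [string range $hex 2 end]
    }
    if {$hex eq ""} { return "" }
    if {![regexp {^[0-9A-Fa-f]+$} $hex] || [string length $hex] % 2} {
        error "class attribute is not an even-length hex string: $raw"
    }
    # H* decodes the whole hex string in one call, so no per-byte loop is needed.
    return [binary format H* $hex]
}

# Parse "OU=aobtotp;CN=x;" into a flat key/value list {OU aobtotp CN x}.
proc class_attrs {decoded} {
    set attrs [list]
    foreach piece [split $decoded ";"] {
        set piece [string trim $piece]
        if {$piece eq ""} continue
        set pos [string first "=" $piece]
        if {$pos < 0} { lappend attrs $piece ""; continue }
        lappend attrs [string range $piece 0 [expr {$pos - 1}]] \
                      [string range $piece [expr {$pos + 1}] end]
    }
    return $attrs
}

# Map the OU value to a resource name (constructed mapping for the two groups
# named in the question); any other group gets no resource.
proc group_to_resource {decoded} {
    foreach {key value} [class_attrs $decoded] {
        if {$key eq "OU"} {
            switch -- $value {
                technical { return "network_access" }
                sales     { return "portal_access" }
            }
        }
    }
    return ""
}

# Constructed samples: the thread's value with and without the "0x" prefix.
foreach sample {4f553d616f62746f74703b 0x4f553d616f62746f74703b} {
    set decoded [decode_class $sample]
    puts "$sample -> $decoded -> [class_attrs $decoded]"
}
```

In the iRule the decoded string would be stored with ACCESS::session data set and the resource chosen in the policy; decode_class raises an error on malformed input so the catch in Kevin's rule still logs it.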