Forum Discussion
Grey1
Nimbostratus
Jun 04, 2013
authentication iRule
Below is an iRule which is a customized version of the standard _sys_radius_auth iRule. The purpose of the modification is to not have to make a RADIUS call for every object i.e. the result of the...
Kevin_Stewart
Employee
Jun 07, 2013
Please try this minor modification:
when RULE_INIT {
    set static::DEBUGLOG 1
    set static::TABLENAME "RADUSERS"
    set static::TIMEOUT 60
}
when HTTP_REQUEST {
    # Cache key: username plus the base64 of password and User-Agent, so the same
    # credentials presented from a different client still go to RADIUS
    set key "[HTTP::username][b64encode [HTTP::password][HTTP::header User-Agent]]"
    if { $static::DEBUGLOG } { log local0. "key = [substr $key 0 30]" }
    if { [table lookup -subtable $static::TABLENAME $key] eq "" } {
        if { $static::DEBUGLOG } { log local0. "not authed yet" }
        if {not [info exists tmm_auth_http_sids(radius)]} {
            set tmm_auth_sid [AUTH::start pam default_radius]
            set tmm_auth_http_sids(radius) $tmm_auth_sid
            if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_sid
            }
        } else {
            set tmm_auth_sid $tmm_auth_http_sids(radius)
        }
        AUTH::username_credential $tmm_auth_sid [HTTP::username]
        AUTH::password_credential $tmm_auth_sid [HTTP::password]
        AUTH::authenticate $tmm_auth_sid
        if {not [info exists tmm_auth_http_collect_count]} {
            HTTP::collect
            set tmm_auth_http_successes 0
            set tmm_auth_http_collect_count 1
        } else {
            incr tmm_auth_http_collect_count
        }
    } else {
        if { $static::DEBUGLOG } { log local0. "found existing auth" }
    }
}
when AUTH_RESULT {
    if {not [info exists tmm_auth_http_sids(radius)] or ($tmm_auth_http_sids(radius) != [AUTH::last_event_session_id]) or (not [info exists tmm_auth_http_collect_count])} {
        return
    }
    if {[AUTH::status] == 0} {
        incr tmm_auth_http_successes
        if { $static::DEBUGLOG } { log local0. "adding authed user to table: [substr $key 0 30]" }
        # table add takes <key> <value> [<timeout>]; a placeholder value is passed so
        # that TIMEOUT is applied as the entry timeout rather than stored as the value
        table add -subtable $static::TABLENAME $key 1 $static::TIMEOUT
    }
    # If multiple auth sessions are pending and
    # one failure results in termination and this is a failure
    # or enough successes have now occurred
    if {([array size tmm_auth_http_sids] > 1) and ((not [info exists tmm_auth_http_sufficient_successes] or ($tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes)))} {
        # Abort the other auth sessions
        foreach {type sid} [array get tmm_auth_http_sids] {
            unset tmm_auth_http_sids($type)
            if {($type ne "radius") and ($sid != -1)} {
                AUTH::abort $sid
                incr tmm_auth_http_collect_count -1
            }
        }
    }
    # If this is the last outstanding auth then either
    # release or respond to this session
    incr tmm_auth_http_collect_count -1
    if {$tmm_auth_http_collect_count == 0} {
        unset tmm_auth_http_collect_count
        if { [AUTH::status] == 0 } {
            HTTP::release
        } else {
            HTTP::respond 401
        }
    }
}
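Added example, not part of either post above: the same cache-and-skip pattern reduced to a single RADIUS session per request, with the table key derived from a one-way digest of the password and User-Agent instead of b64encode, so neither the session table nor a debug log holds a recoverable password. It assumes the `sha256` iRule command (BIG-IP 11.1 and later) and the same `default_radius` PAM profile used above.

```tcl
when RULE_INIT {
    set static::TABLENAME "RADUSERS"
    set static::TIMEOUT 60
}
when HTTP_REQUEST {
    # Digest the password and User-Agent together (newline as separator); the
    # User-Agent stays in the digest so the same credentials from another
    # client still go to RADIUS. Assumes the sha256 iRule command exists.
    binary scan [sha256 "[HTTP::password]\n[HTTP::header User-Agent]"] H* digest
    set key "[HTTP::username]:$digest"
    if { [table lookup -subtable $static::TABLENAME $key] ne "" } {
        # Cache hit inside TIMEOUT: skip the RADIUS round trip
        return
    }
    # Cache miss: one RADIUS session for this request, hold the request meanwhile
    set radius_sid [AUTH::start pam default_radius]
    AUTH::username_credential $radius_sid [HTTP::username]
    AUTH::password_credential $radius_sid [HTTP::password]
    AUTH::authenticate $radius_sid
    HTTP::collect
}
when AUTH_RESULT {
    # Only act on the result of the session this connection started
    if { ![info exists radius_sid] || $radius_sid != [AUTH::last_event_session_id] } {
        return
    }
    if { [AUTH::status] == 0 } {
        # Store only the opaque key; log the username, never the key material
        log local0. "RADIUS auth ok, caching [HTTP::username] for $static::TIMEOUT s"
        table add -subtable $static::TABLENAME $key 1 $static::TIMEOUT
        HTTP::release
    } else {
        HTTP::respond 401
    }
}
```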