Forum Discussion
karthik_sriniva
Nimbostratus
Apr 09, 2005
Authentication status
Hi,
Is there a way to check the status of authentication, whether it's success, failure, etc., after the call [AUTH::authenticate $tmm_auth_radius_sid]?
I would like to know before the AUTH_SUCCESS or AUTH_FAIL event is fired.
Thanx.
10 Replies
- karthik_sriniva
Nimbostratus
Hi,
In my iRULE I want to get the result of the authentication that I am performing, so this is the command I am using, which is throwing the error shown below:
    AUTH::authenticate $tmm_auth_radius_sid
    log [AUTH::last_event_session_id]
    set authSessionId [AUTH::last_event_session_id]
    set authStatus [AUTH::status $authSessionId]
TCL error: Rule EVENTLOGGING - invalid command name "AUTH::status" while executing "AUTH::status $authSessionId
I would appreciate it if you could point out the error in my iRULE.
Thanks!!!
- karthik_sriniva
Nimbostratus
I would appreciate it if someone could let me know if it's possible to check the status of the Authentication call.
Thanks.
- Tao_Liu_90341
Historic F5 Account
There is no command to retrieve the status of an ongoing transaction so far. Once it is rejected or succeeds, the relevant EVENT will be triggered, which are AUTH_SUCCESS and AUTH_FAILURE.
- karthik_sriniva
Nimbostratus
Thanks for your clarification. The problem I am facing is, if I put the redirect
HTTP::respond 303 Location http://blah/blah in the AUTH::wantcredential, BigIp is not redirecting the request to the URL specified in the respond cmd; instead it continues processing, as if the authentication was successful.
Is it possible to force BigIp to execute some block of code after the authentication event code is executed?
Thanks!!!
- Tao_Liu_90341
Historic F5 Account
Send your complete rule here, let's take a look.
- karthik_sriniva
Nimbostratus
Please find below the complete iRule. I tried to add comments, but I think the rule is too simple to need additional documentation for you gurus.
when CLIENT_ACCEPTED {
    # variable to hold state
    set tmm_auth_radius_sid [AUTH::start pam default_radius]
    set setCookieFlag 0
    set cookiename "MEDINSTGTW"
    set usrcookiename "MEDINSTUSRGTW"
    set cookievalue "GTW9.105"
    set cookiepass "1400med"
    set performAuth 1
    set performRedirect 0
}
when HTTP_REQUEST {
    log "IN REQUEST"
    set content_length [HTTP::header Content-Length]
    HTTP::collect $content_length
    # if the cookie exists no need to perform authentication
    log [HTTP::cookie exists MEDINSTUSRGTW]
    if { [HTTP::cookie exists MEDINSTUSRGTW] } {
        set rcvusername [HTTP::cookie $usrcookiename]
        if { $rcvusername eq [HTTP::username] } {
            set performAuth 0
        }
    }
}
when HTTP_REQUEST_DATA {
    log [HTTP::payload]
    # if no auth required, make pool process request
    if {$performAuth eq 0 } {
        use pool xxxDev
        HTTP::release
    }
    # if auth required, get username and password & perform auth
    if { $performAuth eq 1 } {
        set recvData [HTTP::payload]
        log $recvData
        set uname [findstr $recvData "username" 9]
        set username [getfield $uname "&" 1]
        log $username
        set upwd [findstr $recvData "password" 9]
        set userpwd [getfield $upwd "&" 1]
        log $userpwd
        AUTH::username_credential $tmm_auth_radius_sid $username
        AUTH::password_credential $tmm_auth_radius_sid $userpwd
        AUTH::authenticate $tmm_auth_radius_sid
    }
}
when AUTH_SUCCESS {
    # if auth success, set variable cookieFlag 1
    log "IN AUTH SUCCESS"
    if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {
        log "setting cookieFlag 1"
        set setCookieFlag 1
        HTTP::release
    }
}
when AUTH_FAILURE {
    # if auth failed, redirect to login page
    if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 303 Location http://bbb.com/login.htm
    }
}
when AUTH_WANTCREDENTIAL {
    # if auth want credentials, redirect to login page
    log "IN AUTH WCRED"
    if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 303 Location http://bbb.com/login.htm
    }
}
when AUTH_ERROR {
    # if auth error, redirect to login page
    if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 303 Location http://bbb.com/login.htm
    }
}
when HTTP_RESPONSE {
    log "IN Response $performRedirect"
    if { $setCookieFlag eq 1 } {
        # if auth success, set required cookie
        HTTP::cookie insert name $cookiename value $cookievalue path /
        HTTP::cookie secure $cookiename enable
        HTTP::cookie encrypt $cookiename $cookiepass 128
        HTTP::cookie insert name $usrcookiename value $username
    }
}
when HTTP_RESPONSE_DATA {
    log "IN Response $performRedirect"
}
when SERVER_DATA {
    log "IN SERVER DATA"
}
Thanks!!!
- Tao_Liu_90341
Historic F5 Account
I see what you want to do. Per your question, you need to add HTTP::collect after calling AUTH::authenticate, otherwise it will continue implicitly.
- karthik_sriniva
Nimbostratus
Well, sorry to keep bothering you, adding the HTTP::collect throws the following error:
http_process_state_parse_header - Invalid state transition to ST_HTTP_XFER_HEADER
when CLIENT_ACCEPTED {
    set tmm_auth_radius_sid [AUTH::start pam default_radius]
    set setCookieFlag 0
    set cookiename "MEDINSTGTW"
    set usrcookiename "MEDINSTUSRGTW"
    set cookievalue "GTW9.105"
    set cookiepass "1100ed"
    set performAuth 1
    set performRedirect 0
}
when HTTP_REQUEST {
    log "IN REQUEST"
    set content_length [HTTP::header Content-Length]
    log $content_length
    HTTP::collect $content_length
    log [HTTP::cookie exists MEDINSTUSRGTW]
    if { [HTTP::cookie exists MEDINSTUSRGTW] } {
        set rcvusername [HTTP::cookie $usrcookiename]
        if { $rcvusername eq [HTTP::username] } {
            set performAuth 0
        }
    }
}
when HTTP_REQUEST_DATA {
    log [HTTP::payload]
    if {$performAuth eq 0 } {
        use pool gtwDev
        HTTP::release
    }
    if { $performAuth eq 1 } {
        set recvData [HTTP::payload]
        log $recvData
        set uname [findstr $recvData "username" 9]
        set username [getfield $uname "&" 1]
        log $username
        set upwd [findstr $recvData "password" 9]
        set userpwd [getfield $upwd "&" 1]
        log $userpwd
        AUTH::username_credential $tmm_auth_radius_sid $username
        AUTH::password_credential $tmm_auth_radius_sid $userpwd
        AUTH::authenticate $tmm_auth_radius_sid
        HTTP::collect
    }
}
when AUTH_SUCCESS {
    log "IN AUTH SUCCESS"
    use pool gtwDevTomcat
    if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {
        log "setting cookieFlag 1"
        set setCookieFlag 1
        HTTP::release
    }
}
when AUTH_FAILURE {
    if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {
        set performRedirect 1
    }
}
when AUTH_WANTCREDENTIAL {
    log "IN AUTH WCRED"
    if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {
        set performRedirect 1
    }
}
when AUTH_ERROR {
    if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {
        set performRedirect 1
    }
}
when HTTP_RESPONSE {
    log "IN Response $performRedirect"
    if {$performRedirect eq 1} {
        HTTP::redirect http://192.168.74.202/login.htm
    }
    if { $setCookieFlag eq 1 } {
        HTTP::cookie insert name $cookiename value $cookievalue path /
        HTTP::cookie secure $cookiename enable
        HTTP::cookie encrypt $cookiename $cookiepass 128
        HTTP::cookie insert name $usrcookiename value $username
    }
}
when HTTP_RESPONSE_DATA {
    log "IN Response $performRedirect"
}
when SERVER_DATA {
    log "IN SERVER DATA"
}
I think it's because I am already in the HTTP_REQUEST_DATA method. But if I move all my code to HTTP_REQUEST then I don't get the complete data from the post.
I would appreciate it if you can provide me any pointers or suggestions to resolve this issue.
- Tao_Liu_90341
Historic F5 Account
It is a bit hard. If possible, could you modify the authentication form to use method GET, so you can parse out username/password from the uri.
when HTTP_REQUEST {
    log "IN REQUEST"
    # if the cookie exists no need to perform authentication
    log [HTTP::cookie exists MEDINSTUSRGTW]
    if { [HTTP::cookie exists MEDINSTUSRGTW] } {
        set rcvusername [HTTP::cookie $usrcookiename]
        if { $rcvusername eq [HTTP::username] } {
            set performAuth 0
        }
    }
    # if auth required, get username and password & perform auth
    if { $performAuth eq 1 } {
        set recvData [HTTP::uri]
        log $recvData
        set uname [findstr $recvData "username" 9]
        set username [getfield $uname "&" 1]
        log $username
        set upwd [findstr $recvData "password" 9]
        set userpwd [getfield $upwd "&" 1]
        log $userpwd
        AUTH::username_credential $tmm_auth_radius_sid $username
        AUTH::password_credential $tmm_auth_radius_sid $userpwd
        AUTH::authenticate $tmm_auth_radius_sid
        HTTP::collect
    }
}
- karthik_sriniva
Nimbostratus
I will try this, but I cannot use plain GET, because when the user submits the form and anyone else is staring at the monitor, they could see the password in the address bar. First I have to figure out if JavaScript supports encoding, so I can modify accordingly.
Will let you know after I try the same, thank you sir.
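The rules in this thread pull the credentials out of the request with `findstr ... 9` followed by `getfield ... "&" 1`, and hand the result to RADIUS without decoding it. As an added example (not code from the thread, and written in Python rather than iRule Tcl so it runs stand-alone), the sketch below emulates that extraction and compares it with a strict form decoder on constructed request bodies; the function names are hypothetical and the emulation covers only the skip-count form of `findstr` used above.

```python
from urllib.parse import parse_qs

def findstr(s, needle, skip):
    """Emulate iRule findstr: text from the first match of needle, minus skip chars."""
    i = s.find(needle)
    return "" if i < 0 else s[i + skip:]

def getfield(s, sep, n):
    """Emulate iRule getfield: the n-th (1-based) field of s split on sep."""
    parts = s.split(sep)
    return parts[n - 1] if 0 < n <= len(parts) else ""

def legacy_extract(body):
    """Extraction as written in the thread's rules (substring match, no decoding)."""
    user = getfield(findstr(body, "username", 9), "&", 1)
    pwd = getfield(findstr(body, "password", 9), "&", 1)
    return user, pwd

def strict_extract(body):
    """Decode the form body and require exactly one non-empty value per field."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True, max_num_fields=16)
    creds = []
    for name in ("username", "password"):
        values = fields.get(name, [])
        if len(values) != 1 or not values[0]:
            raise ValueError(f"expected exactly one non-empty {name!r} field")
        creds.append(values[0])
    return tuple(creds)

# Constructed sample bodies (not taken from the thread).
SAMPLES = [
    "username=alice&password=s3cret",              # both parsers agree
    "username=alice&password=p%26ss+word",         # percent-encoded password
    "old_username=bob&username=alice&password=x",  # field name containing "username"
    "username=alice&username=bob&password=x",      # duplicate field
]

def compare(bodies=SAMPLES):
    """Return {body: (legacy_result, strict_result or 'rejected')}."""
    out = {}
    for body in bodies:
        try:
            strict = strict_extract(body)
        except ValueError:
            strict = "rejected"
        out[body] = (legacy_extract(body), strict)
    return out
```

The second sample shows why a valid password containing reserved characters would fail RADIUS authentication under the substring approach, and the third shows the username binding to the wrong field; neither value should be written to the log in either parser.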
