Forum Discussion
Cisco ISE Persist irule
Good Day,
iRule “radius_callingid_persist_irule” is referenced in Cisco’s How To: Cisco & F5 Deployment Guide: ISE Load Balancing Using BIG-IP.
https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159#toc-hId--1235153972
According to the link: “This document is the result of a joint effort on behalf of Cisco and F5 to detail best practice design and configurations for deploying BIG-IP Local Traffic Manager with Cisco Identity Services Engine.” So presumably there are thousands of deployments using this configuration. I'm running v16.1.4.x and getting a ton of errors related to this iRule.
May 15 04:11:01 slot1/LB err tmm[11966]: 01220001:3: TCL error: /hoc-caz/radius_callingid_persist_irule <CLIENT_DATA> - attempt to use empty persistence key (line 5) invoked from within "persist uie $nas_ip $persist_ttl"
The iRule is copy/pasted from the article with no customization. Does anyone else have this iRule implemented? If so, are you getting the same logs? If not, what version are you running? Any idea what the fix is?
Hi Dan_Pacheco,
I think if [RADIUS::avp 4 ip4] is empty, you may encounter this error. Can you try adding a catch or an if statement before the persist command?
```tcl
when CLIENT_DATA {
    # 0: No Debug Logging 1: Debug Logging
    set debug 0
    # Persist timeout (seconds)
    set nas_port_type [RADIUS::avp 61 "integer"]
    if { $nas_port_type equals "19" } {
        set persist_ttl 3600
        if { $debug } { set access_media "Wireless" }
    } else {
        set persist_ttl 28800
        if { $debug } { set access_media "Wired" }
    }
    # If MAC address is present - use it as persistent identifier
    # See Radius AV Pair documentation on https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
    if { [RADIUS::avp 31] ne "" } {
        set mac [RADIUS::avp 31 "string"]
        # Normalize MAC address to upper case
        set mac_up [string toupper $mac]
        persist uie $mac_up $persist_ttl
        if { $debug } {
            set target [persist lookup uie $mac_up]
            log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
        }
    } else {
        set nas_ip [RADIUS::avp 4 ip4]
        if { $nas_ip ne "" } {
            persist uie $nas_ip $persist_ttl
            if { $debug } {
                set target [persist lookup uie $nas_ip]
                log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
            }
        }
    }
}
```
In this state, persistence will not be applied if the [RADIUS::avp 4 ip4] value is empty.
- vishnu22121 (Nimbostratus)
By applying this iRule, it won't affect any wired and wireless RADIUS authentications, right?
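An offline Python model of the guarded iRule's key selection, added here as an example (not code from the thread, Cisco or F5): it parses a raw RADIUS packet per RFC 2865 and returns the persistence key and timeout the rule would choose, or `None` when neither Calling-Station-Id (31) nor NAS-IP-Address (4) is present. The function names and sample packets are constructed, and it assumes BIG-IP reads the first instance of each attribute the same way.

```python
import ipaddress
import struct

CALLING_STATION_ID, NAS_IP_ADDRESS, NAS_PORT_TYPE = 31, 4, 61
WIRELESS_802_11 = 19  # NAS-Port-Type value the iRule treats as wireless

def parse_avps(packet: bytes) -> dict:
    """Return {attribute type: first value} from a raw RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        avps.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return avps

def persistence_decision(packet: bytes):
    """Mirror the guarded iRule: return (key, ttl); key is None if no persist."""
    avps = parse_avps(packet)
    port_type = avps.get(NAS_PORT_TYPE, b"")
    wireless = len(port_type) == 4 and int.from_bytes(port_type, "big") == WIRELESS_802_11
    ttl = 3600 if wireless else 28800
    mac = avps.get(CALLING_STATION_ID, b"")
    if mac:
        return mac.decode("ascii", "replace").upper(), ttl
    nas_ip = avps.get(NAS_IP_ADDRESS, b"")
    if len(nas_ip) == 4:
        return str(ipaddress.IPv4Address(nas_ip)), ttl
    return None, ttl  # the case that raised "empty persistence key"

def build_request(avps):
    """Constructed sample input: an Access-Request with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed packets (not captures from the thread)
WIRELESS_MAC = build_request([(61, (19).to_bytes(4, "big")), (31, b"aa-bb-cc-00-11-22")])
WIRED_NAS_ONLY = build_request([(61, (15).to_bytes(4, "big")), (4, bytes([192, 0, 2, 10]))])
NO_KEY = build_request([(32, b"switch-01")])  # NAS-Identifier only
```

RFC 2865 allows an Access-Request to carry NAS-Identifier (32) instead of NAS-IP-Address, which is one way a valid request reaches the `None` branch; such requests are load balanced without a persistence record.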