Forum Discussion

Dan_Pacheco's avatar
Dan_Pacheco
Icon for Cirrus rankCirrus
May 17, 2023

Cisco ISE Persist irule

Good Day, iRule “radius_callingid_persist_irule” is referenced in the Cisco’s How To: Cisco & F5 Deployment Guide: ISE Load Balancing Using BIG-IP. https://community.cisco.com/t5/security-knowledge...
application delivery
Enes_Afsin_Al's avatar
Enes_Afsin_Al
Icon for MVP rankMVP

Hi Dan_Pacheco,

I think if [RADIUS::avp 4 ip4] is empty, you may be encountered this error. Can you try adding catch or if statement before persist command?

when CLIENT_DATA {
	# 0: No Debug Logging  1: Debug Logging
	set debug 0

	# Persist timeout (seconds)
	set nas_port_type [RADIUS::avp 61 "integer"]
	if { $nas_port_type equals "19" } {
		set persist_ttl 3600
		if { $debug } {
			set access_media "Wireless"
		}
	}
	else {
		set persist_ttl 28800
		if { $debug } {
			set access_media "Wired"
		}
	}

	# If MAC address is present - use it as persistent identifier
	# See Radius AV Pair documentation on https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
	if {[RADIUS::avp 31] ne "" } {
		set mac [RADIUS::avp 31 "string"]
		
		# Normalize MAC address to upper case
		set mac_up [string toupper $mac]
		persist uie $mac_up $persist_ttl	   
		if { $debug } {
			set target [persist lookup uie $mac_up] 
			log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
		}
	}
	else {
		set nas_ip [RADIUS::avp 4 ip4]
		if { $nas_ip ne ""} {
			persist uie $nas_ip $persist_ttl
			if { $debug } {
				set target [persist lookup uie $nas_ip]
				log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
			}
		}
	}
}

In this state, persistence will not be applied if the [RADIUS::avp 4 ip4] value is empty.

vishnu22121's avatar
vishnu22121
Icon for Nimbostratus rankNimbostratus
Aug 27, 2024

by applying this iRule it won't affect any wired and wireless radius authentications, right?