Forum Discussion
Dan_Pacheco
Cirrus
CirrusCisco ISE Persist irule
Good Day, iRule “radius_callingid_persist_irule” is referenced in the Cisco’s How To: Cisco & F5 Deployment Guide: ISE Load Balancing Using BIG-IP. https://community.cisco.com/t5/security-knowledge...
Hi Dan_Pacheco,
I think if [RADIUS::avp 4 ip4] is empty, you may be encountered this error. Can you try adding catch or if statement before persist command?
when CLIENT_DATA {
# 0: No Debug Logging 1: Debug Logging
set debug 0
# Persist timeout (seconds)
set nas_port_type [RADIUS::avp 61 "integer"]
if { $nas_port_type equals "19" } {
set persist_ttl 3600
if { $debug } {
set access_media "Wireless"
}
}
else {
set persist_ttl 28800
if { $debug } {
set access_media "Wired"
}
}
# If MAC address is present - use it as persistent identifier
# See Radius AV Pair documentation on https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
if {[RADIUS::avp 31] ne "" } {
set mac [RADIUS::avp 31 "string"]
# Normalize MAC address to upper case
set mac_up [string toupper $mac]
persist uie $mac_up $persist_ttl
if { $debug } {
set target [persist lookup uie $mac_up]
log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
}
}
else {
set nas_ip [RADIUS::avp 4 ip4]
if { $nas_ip ne ""} {
persist uie $nas_ip $persist_ttl
if { $debug } {
set target [persist lookup uie $nas_ip]
log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
}
}
}
}In this state, persistence will not be applied if the [RADIUS::avp 4 ip4] value is empty.
vishnu22121
Nimbostratus
Nimbostratusby applying this iRule it won't affect any wired and wireless radius authentications, right?
