Forum Discussion
janholtz
Altostratus
May 04, 2011
Firepass and Active directory session vars
Hi
I currently have a prospective client doing a competitive POC involving Firepass.
We are using Active Directory for authentication, and the client would like to assign static IP addresses via the msRADIUSFramedIPAddress active directory attribute.
Currently, using the variable as defined in logging gives us a signed BCD (e.g. -1407320190) instead of a dotted quad.
Obviously the network access isn't happy with that when I use that session variable value.
So either:
1) There is a shortcut where we can get the value in the correct format from the AD controller
or
2) I need to create an advanced session var, and figure out a script to convert -1407320190 to 192.168.foo.bar.
SO
If anyone has solved this before, some advice would be appreciated...
Thanks
Jan
5 Replies
- Mike_61719
Cirrus
I don't have this problem, what table are you using on your radius DB? The attribute is number 8 for framed IP's.
- janholtz
Altostratus
Hi Mike
I'm not querying an actual RADIUS server, there lies the rub.
Active directory, in its infinite wisdom, returns the IP as a 32-bit signed integer.
I know the Cisco SSL VPN solution can do the conversion internally, so why not Firepass?
Here's the vbscript from David Wiseman to convert to IP:
---------------------------------------------------
Option Explicit
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
Dim objUser, msRADIUSFramedIPAddress

'<<<< Bind to the user object using the distinguished name >>>>
Set objUser = GetObject("LDAP://cn=user1,cn=users,dc=wisesoft,dc=org,dc=uk")

On Error Resume Next
msRADIUSFramedIPAddress = objUser.Get("msRADIUSFramedIPAddress")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "Static IP Address Not Assigned"
    Err.Clear
Else
    WScript.Echo IntegerToIPAddress(msRADIUSFramedIPAddress)
End If

' Function to convert Integer value to IP Address.
Function IntegerToIPAddress(intIP)
    Const FourthOctet = 1
    Const ThirdOctet = 256
    Const SecondOctet = 65536
    Const FirstOctet = 16777216
    Dim strIP, intFirstRemainder, intSecondRemainder, intThirdRemainder
    If Sgn(intIP) = -1 Then
        ' Negative input: Int() rounds down, so 256 + quotient gives the octet.
        ' Mod 256 keeps an octet at 0 (instead of 256) when the remainder is 0.
        strIP = ((256 + Int(intIP / FirstOctet)) Mod 256) & "."
        intFirstRemainder = intIP Mod FirstOctet
        strIP = strIP & ((256 + Int(intFirstRemainder / SecondOctet)) Mod 256) & "."
        intSecondRemainder = intFirstRemainder Mod SecondOctet
        strIP = strIP & ((256 + Int(intSecondRemainder / ThirdOctet)) Mod 256) & "."
        intThirdRemainder = intSecondRemainder Mod ThirdOctet
        strIP = strIP & ((256 + Int(intThirdRemainder / FourthOctet)) Mod 256)
    Else
        strIP = Int(intIP / FirstOctet) & "."
        intFirstRemainder = intIP Mod FirstOctet
        strIP = strIP & Int(intFirstRemainder / SecondOctet) & "."
        intSecondRemainder = intFirstRemainder Mod SecondOctet
        strIP = strIP & Int(intSecondRemainder / ThirdOctet) & "."
        intThirdRemainder = intSecondRemainder Mod ThirdOctet
        strIP = strIP & Int(intThirdRemainder / FourthOctet)
    End If
    IntegerToIPAddress = strIP
End Function
---------------------------------------------------
So how do I do this on firepass???
Jan
- Mike_61719
Cirrus
Well, all I can say is that the Firepass takes it as a literal value. The only thing I could recommend is to use a Radius server or run a script to convert them and add it into another attribute with just the values needed.
I guess you could use a Regex_r type value but I have no idea on how to do a conversion like that in perl.
- janholtz
Altostratus
Hi Mike
OK, where can I run the script?
I understand where I can define a session variable as the value needed for IP address assignment, and I see that I can enter some evaluation criteria for advanced session vars, but how can I get from A to B?
Please let me know if I'm just being dense on this, I keep remembering why I prefer LTM & iRules ... :)
Best Regards
Jan
- Mike_61719
Cirrus
Posted By janholtz on 05/09/2011 12:59 AM
Hi Mike
OK, where can I run the script?
I understand where I can define a session variable as the value needed for IP address assignment, and I see that I can enter some evaluation criteria for advanced session vars, but how can I get from A to B?
Please let me know if I'm just being dense on this, I keep remembering why I prefer LTM & iRules ... :)
Best Regards
Jan
I apologize for the late response. We created a script on the backend that looked at every user and assigned them the special variable that you're looking for. Once complete, we had Firepass look at the AD session variable.
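The conversion this thread is asking for, combined with the backend-script approach from the last reply, as an added example (not code from the posters or from F5). The function names and the sample user records are hypothetical; the sketch assumes the attribute values have already been read from the directory, and it flags unparseable values and duplicate static addresses before anything is written to a second attribute.

```python
import ipaddress

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

def framed_ip_to_dotted(raw):
    """Signed 32-bit msRADIUSFramedIPAddress value (int or str) -> dotted quad."""
    value = int(str(raw).strip())  # raises ValueError on non-numeric input
    if not INT32_MIN <= value <= INT32_MAX:
        raise ValueError(f"outside signed 32-bit range: {raw!r}")
    # Masking reinterprets the two's-complement value as unsigned 0..2**32-1.
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def dotted_to_framed_ip(dotted):
    """Dotted quad -> the signed 32-bit form the directory attribute stores."""
    unsigned = int(ipaddress.IPv4Address(dotted))
    return unsigned - 2**32 if unsigned > INT32_MAX else unsigned

def build_static_ip_map(users):
    """Map user -> dotted quad; report bad values and duplicate assignments."""
    assigned, owner, problems = {}, {}, []
    for name, raw in users.items():
        if raw is None:  # attribute not set: no static IP for this user
            continue
        try:
            ip = framed_ip_to_dotted(raw)
        except ValueError as exc:
            problems.append((name, str(exc)))
            continue
        if ip in owner:  # two accounts must not share one static address
            problems.append((name, f"{ip} already assigned to {owner[ip]}"))
            continue
        owner[ip] = name
        assigned[name] = ip
    return assigned, problems

# Constructed sample records (hypothetical user names); first value is from the thread.
SAMPLE_USERS = {
    "user1": "-1407320190",
    "user2": -256,
    "user3": None,
    "user4": "-1407320190",
    "user5": "n/a",
}

if __name__ == "__main__":
    ok, bad = build_static_ip_map(SAMPLE_USERS)
    print(ok)
    print(bad)
```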
