Forum Discussion

janholtz
May 04, 2011

Firepass and Active directory session vars

Hi

I currently have a prospective client doing a competitive POC involving Firepass.

We are using Active Directory for authentication, and the client would like to assign static IP addresses via the msRADIUSFramedIPAddress Active Directory attribute.

Currently using the variable as defined in logging gives us a signed BCD (e.g. -1407320190) instead of a dotted quad.

Obviously the network access isn't happy with that when I use that session variable value.

So either:

1) There is a shortcut where we can get the value in the correct format from the AD controller

or

2) I need to create an advanced session var, and figure out a script to convert -1407320190 to 192.168.foo.bar.

So, if anyone has solved this before, some advice would be appreciated...

Thanks

Jan

5 Replies

  • I don't have this problem. What table are you using on your RADIUS DB? The attribute is number 8 for framed IPs.
  • Hi Mike

    I'm not querying an actual RADIUS server, there lies the rub.

    Active Directory, in its infinite wisdom, returns the IP as a 32-bit signed integer.

    I know the Cisco SSL VPN solution can do the conversion internally, so why not Firepass?

    Here's the VBScript from David Wiseman to convert to IP:

    ---------------------------------------------------

    Option Explicit
    Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
    Dim objUser, msRADIUSFramedIPAddress

    '<<<< Bind to the user object using the distinguished name >>>>
    Set objUser = GetObject("LDAP://cn=user1,cn=users,dc=wisesoft,dc=org,dc=uk")
    On Error Resume Next
    msRADIUSFramedIPAddress = objUser.Get("msRADIUSFramedIPAddress")
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "Static IP Address Not Assigned"
        Err.Clear
    Else
        WScript.Echo IntegerToIPAddress(msRADIUSFramedIPAddress)
    End If

    ' Function to convert Integer value to IP Address.
    Function IntegerToIPAddress(intIP)
        Const FourthOctet = 1
        Const ThirdOctet = 256
        Const SecondOctet = 65536
        Const FirstOctet = 16777216
        Dim strIP, intFirstRemainder, intSecondRemainder, intThirdRemainder
        If Sgn(intIP) = -1 Then
            ' Negative input: each octet is 256 plus the (negative, floored) quotient.
            ' Mod 256 maps 256 back to 0 when a remainder is exactly zero (e.g. x.y.z.0).
            strIP = (256 + (Int(intIP / FirstOctet))) & "."
            intFirstRemainder = intIP Mod FirstOctet
            strIP = strIP & ((256 + (Int(intFirstRemainder / SecondOctet))) Mod 256) & "."
            intSecondRemainder = intFirstRemainder Mod SecondOctet
            strIP = strIP & ((256 + (Int(intSecondRemainder / ThirdOctet))) Mod 256) & "."
            intThirdRemainder = intSecondRemainder Mod ThirdOctet
            strIP = strIP & ((256 + (Int(intThirdRemainder / FourthOctet))) Mod 256)
        Else
            strIP = Int(intIP / FirstOctet) & "."
            intFirstRemainder = intIP Mod FirstOctet
            strIP = strIP & Int(intFirstRemainder / SecondOctet) & "."
            intSecondRemainder = intFirstRemainder Mod SecondOctet
            strIP = strIP & Int(intSecondRemainder / ThirdOctet) & "."
            intThirdRemainder = intSecondRemainder Mod ThirdOctet
            strIP = strIP & Int(intThirdRemainder / FourthOctet)
        End If
        IntegerToIPAddress = strIP
    End Function

    ---------------------------------------------------

    So how do I do this on Firepass???

    Jan

  • Well, all I can say is that the Firepass takes it as a literal value. The only thing I could recommend is to use a RADIUS server or run a script to convert them and add it into another attribute with just the values needed.

    I guess you could use a Regex_r type value but I have no idea on how to do a conversion like that in Perl.

  • Hi Mike

    OK, where can I run the script?

    I understand where I can define a session variable as the value needed for IP address assignment, and I see that I can enter some evaluation criteria for advanced session vars, but how can I get from A to B?

    Please let me know if I'm just being dense on this, I keep remembering why I prefer LTM & iRules ... :)

    Best Regards

    Jan

  • Posted By janholtz on 05/09/2011 12:59 AM

    Hi Mike

    OK, where can I run the script?

    I understand where I can define a session variable as the value needed for IP address assignment, and I see that I can enter some evaluation criteria for advanced session vars, but how can I get from A to B?

    Please let me know if I'm just being dense on this, I keep remembering why I prefer LTM & iRules ... :)

    Best Regards

    Jan

    I apologize for the late response. We created a script on the backend that looked at every user and assigned them the special variable that you're looking for. Once complete, we had Firepass look at the AD session variable.
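The conversion discussed in this thread, as an added example that is not code from any poster or from F5: it turns the signed 32-bit msRADIUSFramedIPAddress value into a dotted quad (and back), and applies it to a batch of users the way the backend-script approach in the last reply describes. The user names, the sample values and the `build_static_ip_map` helper are constructed for illustration; reading from and writing back to the directory is left out.

```python
import ipaddress
import struct

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

def framed_ip_to_dotted(raw):
    """Signed 32-bit msRADIUSFramedIPAddress value (int or str) -> dotted quad."""
    n = int(raw)  # raises ValueError for non-numeric strings
    if not INT32_MIN <= n <= INT32_MAX:
        raise ValueError(f"not a signed 32-bit value: {raw!r}")
    # Masking reinterprets the two's-complement value as an unsigned 32-bit
    # address, so zero octets (x.y.z.0) need no special handling.
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))

def dotted_to_framed_ip(addr):
    """Dotted quad -> the signed integer form stored in the directory."""
    return struct.unpack("!i", ipaddress.IPv4Address(addr).packed)[0]

def build_static_ip_map(users):
    """Hypothetical batch step: (account, raw attribute) pairs ->
    ({account: dotted quad}, [accounts with unusable values]).
    Accounts with no attribute set are skipped, not rejected."""
    assigned, rejected = {}, []
    for name, raw in users:
        if raw is None or not str(raw).strip():
            continue
        try:
            assigned[name] = framed_ip_to_dotted(raw)
        except ValueError:
            rejected.append(name)
    return assigned, rejected

# Constructed sample records; the first value is the one quoted in the thread.
SAMPLE_USERS = [
    ("user1", "-1407320190"),
    ("user2", None),            # no static address assigned
    ("user3", "-1062731520"),   # 192.168.1.0, low octet is zero
    ("user4", "167772165"),     # positive value, 10.0.0.5
    ("user5", "99999999999"),   # out of range for a 32-bit integer
    ("user6", "n/a"),           # not a number
]

if __name__ == "__main__":
    assigned, rejected = build_static_ip_map(SAMPLE_USERS)
    for name, ip in assigned.items():
        print(f"{name}: {ip}")
    print("rejected:", rejected)
```

Rejected accounts are returned rather than silently dropped so that a malformed attribute does not end up as an address assignment.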