Forum Discussion

Yaniv_99962 (Nimbostratus)
Jul 03, 2011

insert HTTP header according to a value received in Radius accounting

Hi,

I'd like to know if the following is somehow achievable:

I want that for every Radius Accounting message (UDP 1813) the BIGIP will look for 3 attributes: Calling-Station-Id, Framed-IP-Address & Acct-Status-Type.

In case the Radius attribute Acct-Status-Type=1 (Start), the BIGIP will insert an entry into a table in which the key will be the Framed-IP-Address and the value will be the Calling-Station-Id.

In case the Radius attribute Acct-Status-Type=2 (Stop), the BIGIP will remove the value of the entry in the same table (remove the value, which is the Calling-Station-Id assigned to the Framed-IP-Address).

Then, when an HTTP transaction arrives from a client IP which appears as a key in the table, the BIGIP will insert the value assigned to that key in the table (i.e. the corresponding Calling-Station-Id) into an HTTP header called "MSISDN".

Example:

Radius accounting arrives with the following attributes:

Acct-Status-Type=1
Calling-Station-Id=123456789
Framed-IP-Address=1.1.1.1

An entry is inserted into the table:

1.1.1.1 (key) -> 123456789 (value)

An HTTP request arrives from source IP 1.1.1.1.

The F5 will insert a header "MSISDN: 123456789" into the HTTP request before forwarding.

Radius accounting arrives with the following attributes:

Acct-Status-Type=2
Calling-Station-Id=123456789
Framed-IP-Address=1.1.1.1

The value is removed:

1.1.1.1 (key) -> (empty)

An HTTP request arrives from source IP 1.1.1.1.

The F5 will not insert a header (not "MSISDN: 123456789" and not "MSISDN: ").

Hope it's clear.

Thanks in advance,

Yaniv

  • Hi Yaniv,

    This seems possible using the table command in v10 or the session command in v9 to add the IP and corresponding MSISDN value on the Radius virtual server. You could then reference that subtable or session entry from an iRule on the HTTP virtual server.

    http://devcentral.f5.com/wiki/default.aspx/iRules/table
    http://devcentral.f5.com/wiki/default.aspx/iRules/session

    Aaron
  • Thanks Aaron,

    I got it working.

    I created an iRule under the Radius accounting Virtual Server (UDP 1813) so that for every Radius Start (Acct-Status-Type[40]=1) the F5 will write an entry to a memory table called “ip2msisdn” using the subscriber IP as the key (Framed-IP-Address[8]) and the subscriber MSISDN as the value (Calling-Station-Id[31]). For every Radius Stop (Acct-Status-Type[40]=2) the F5 will delete the value assigned to the key.

    when CLIENT_DATA {
        # Acct-Status-Type (40): 1 = Start, 2 = Stop
        if { [RADIUS::avp 40 integer] equals 1 } {
            # key: Framed-IP-Address (8), value: Calling-Station-Id (31)
            table set -subtable "ip2msisdn" [RADIUS::avp 8 ip4] [RADIUS::avp 31 string]
        } elseif { [RADIUS::avp 40 integer] equals 2 } {
            table delete -subtable "ip2msisdn" [RADIUS::avp 8 ip4]
        }
    }

    I created an iRule under the HTTP Virtual Server (TCP 80) so that for every HTTP request it will look at the source IP of the packet and use it to look up the MSISDN of that subscriber in the “ip2msisdn” table and insert it into an HTTP header called MSISDN.

    when HTTP_REQUEST {
        set msisdn [table lookup -subtable "ip2msisdn" [IP::client_addr]]
        # insert the header only when an entry exists, so no empty "MSISDN: " is sent after a Stop
        if { $msisdn ne "" } {
            HTTP::header insert MSISDN $msisdn
        }
        forward
    }

    Thanks a lot
  • Colin_Walker_12 (Historic F5 Account)
    Since your code got munged by the forums (grumble grumble, we're working on it... sorry), I'll just mention that you should likely make sure you're specifically setting timeout and lifetime on this type of table entry, since it sounds like you don't want them randomly disappearing on you if you're using them to keep a count of starts/stops.

    Colin
  • Right,

    I added the "indefinite" to make sure the entries will remain forever (as I want them to).

    Thanks

    Here is the code again (in clear text, I can't manage to post the code normally).

    I created an iRule under the Radius accounting Virtual Server (UDP 1813) so that for every Radius Start (Acct-Status-Type[40]=1) the F5 will write an entry to a memory table called “ip2msisdn” using the subscriber IP as the key (Framed-IP-Address[8]) and the subscriber MSISDN as the value (Calling-Station-Id[31]). For every Radius Stop (Acct-Status-Type[40]=2) the F5 will delete the value assigned to the key.

    when CLIENT_DATA {
        # Acct-Status-Type (40): 1 = Start, 2 = Stop
        if { [RADIUS::avp 40 integer] equals 1 } {
            # key: Framed-IP-Address (8), value: Calling-Station-Id (31); "indefinite" timeout so the entry is not aged out
            table set -subtable "ip2msisdn" [RADIUS::avp 8 ip4] [RADIUS::avp 31 string] indefinite
        } elseif { [RADIUS::avp 40 integer] equals 2 } {
            table delete -subtable "ip2msisdn" [RADIUS::avp 8 ip4]
        }
    }

    I created an iRule under the HTTP Virtual Server (TCP 80) so that for every HTTP request it will look at the source IP of the packet and use it to look up the MSISDN of that subscriber in the “ip2msisdn” table and insert it into an HTTP header called MSISDN.

    when HTTP_REQUEST {
        set msisdn [table lookup -subtable "ip2msisdn" [IP::client_addr]]
        # insert the header only when an entry exists, so no empty "MSISDN: " is sent after a Stop
        if { $msisdn ne "" } {
            HTTP::header insert MSISDN $msisdn
        }
        forward
    }
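The Start/Stop bookkeeping and the header rule from the two iRules above, modelled in Python as an added example (this is not the poster's iRule or any F5 code): it parses the RADIUS attribute TLVs by the attribute numbers used in the thread, keeps the ip2msisdn table, and applies the header rule to a constructed Accounting-Request and HTTP request. The packet builder and its zero authenticator are test-only assumptions; the model does not verify the RADIUS shared secret.

```python
import struct
import ipaddress

# RADIUS attribute numbers used in the thread
ACCT_STATUS_TYPE, FRAMED_IP, CALLING_STATION_ID = 40, 8, 31
START, STOP = 1, 2

def parse_avps(packet: bytes) -> dict:
    """{attr_type: raw_value} from a RADIUS packet (RFC 2865 layout: code,
    identifier, 2-byte length, 16-byte authenticator, then TLV attributes)."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20
    while pos < length:
        attr, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        avps[attr] = packet[pos + 2:pos + alen]
        pos += alen
    return avps

def build_acct_request(status: int, framed_ip: str, msisdn: str) -> bytes:
    """Constructed Accounting-Request (code 4) for testing; zero authenticator."""
    avps = [(ACCT_STATUS_TYPE, struct.pack("!I", status)),
            (FRAMED_IP, ipaddress.IPv4Address(framed_ip).packed),
            (CALLING_STATION_ID, msisdn.encode())]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body

def on_accounting(table: dict, packet: bytes) -> None:
    """Start stores Framed-IP -> Calling-Station-Id; Stop removes the entry."""
    avps = parse_avps(packet)
    status = struct.unpack("!I", avps[ACCT_STATUS_TYPE])[0]
    ip = str(ipaddress.IPv4Address(avps[FRAMED_IP]))
    if status == START:
        table[ip] = avps[CALLING_STATION_ID].decode()
    elif status == STOP:
        table.pop(ip, None)

def on_http_request(table: dict, client_ip: str, headers: dict) -> dict:
    """Headers to forward: a client-sent MSISDN is dropped so the value only
    comes from accounting state; nothing is added when the lookup is empty."""
    out = {k: v for k, v in headers.items() if k.lower() != "msisdn"}
    msisdn = table.get(client_ip)
    if msisdn:
        out["MSISDN"] = msisdn
    return out
```

Dropping any MSISDN header the client supplied before inserting the proxy's own keeps the back end from ever seeing a subscriber identity that did not come from accounting state.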
  • Hi experts,

    Now that I got this working I need to further complicate things :)

    (It is not really related to this topic... I'll open a new thread if required.)

    I'd like the HTTP request to trigger an LDAP query by the F5 towards an LDAP server to retrieve some information related to the MSISDN (reminder: the MSISDN was obtained from the Radius; it doesn't appear in any HTTP header that arrived in the client's HTTP request) and to insert the information retrieved from the LDAP into an HTTP header.

    It is important that only the very first HTTP request by the user (the first one after the Radius Start) will trigger the LDAP query, as I don't want to overload the LDAP server.

    Is this doable?
  • Colin_Walker_12 (Historic F5 Account)
    While this should be technically doable, it's going to be a bit of a juggling act. ;)

    With the way that iRules handles connections right now there is no direct way to say "Connect to host $x, send request $y, and wait for a response, then do something with that response". It's something we've been looking at adding for quite a while, and I'm confident it will be available very soon as a feature.

    For now though, you'd have to play a bit of trickery with the AUTH commands and use that to contact the LDAP system in question and process the response that way. Technically possible? Yes, I believe so (though I'd have to do some testing to be sure), but it's going to add to the complexity a bit.

    Colin
  • Colin,

    You are absolutely right, this type of flexibility is exactly what I'm looking for (trigger a connection to an external server and use the response to take a decision).

    The requirement I gave is just one example out of many where such functionality would have been a great help for me.

    Do you have any idea when such functionality will be available?

    Until such functionality exists, can you advise how to tackle this? I don't have any experience with the AUTH commands...
  • Colin_Walker_12 (Historic F5 Account)
    I can't give any specific timelines as to when that sort of functionality will be available, unfortunately, but keep an eye out for release notes when new versions come out, and make sure to keep checking back here as we'll definitely make a big fuss on DevCentral about it. ;)

    As for the auth commands you can check them out here: Click Here

    The functionality isn't precisely what you're looking for, but it's a way to work around it for now as long as you're talking about accessing data from an auth type source, like LDAP or RADIUS.

    There are a few examples in the CodeShare as well that are doing this kind of trickery, I believe. If you have trouble along the way or getting started, holler and I'll try to be more specific.

    Colin
  • Thanks a lot Colin.

    I'll give it a try.

    But don't I need that ACA module (Advanced Client Authentication) in order to interact with an LDAP server? (http://www.hardware.com/store/f5/F5-ADD-BIG-ACA)

    Eventually I'm striving to utilize the F5 to be much more than a load balancer in front of my servers, but to actually replace my servers :)

    Having this kind of flexibility is a major step towards this...

    Regards,

    Yaniv
  • Colin_Walker_12 (Historic F5 Account)
    I'm glad to hear you're enjoying the BIG-IPs and looking to make better use of them. That's awesome. :)

    And yes, I believe you would need that module.

    Colin