Forum Discussion
iRule not working for RADIUS persistent load balancing.
Hello All,
I am having trouble with an iRule that I created to load balance the RADIUS traffic on F5. I have a virtual server created that is listening on "all ports", and I have created an iRule in which it will only accept packets with ports 1812 & 1813.
This iRule is called in a Persistence profile I created (whose parent profile is Universal). This Persistence profile is assigned under the Virtual server --> Resources --> Default Persistence Profile.
Somehow this is not working for me. I see that the packets are reaching the F5, but "Access-Request" packets are not being sent out to the pool members. The iRule for reference is shown below:
when RULE_INIT {
    # Attribute number to name map (informational; not used by the events below)
    array set ::attr_code2name {
        1 User-Name
        2 User-Password
        3 CHAP-Password
        4 NAS-IP-Address
        5 NAS-Port
        6 Service-Type
        7 Framed-Protocol
        8 Framed-IP-Address
        9 Framed-IP-Netmask
        10 Framed-Routing
        11 Filter-Id
        12 Framed-MTU
        13 Framed-Compression
        14 Login-IP-Host
        15 Login-Service
        16 Login-TCP-Port
        17 (unassigned)
        18 Reply-Message
        19 Callback-Number
        20 Callback-Id
        21 (unassigned)
        22 Framed-Route
        23 Framed-IPX-Network
        24 State
        25 Class
        26 Vendor-Specific
        27 Session-Timeout
        28 Idle-Timeout
        29 Termination-Action
        30 Called-Station-Id
        31 Calling-Station-Id
        32 NAS-Identifier
        33 Proxy-State
        34 Login-LAT-Service
        35 Login-LAT-Node
        36 Login-LAT-Group
        37 Framed-AppleTalk-Link
        38 Framed-AppleTalk-Network
        39 Framed-AppleTalk-Zone
        60 CHAP-Challenge
        61 NAS-Port-Type
        62 Port-Limit
        63 Login-LAT-Port
    }
}
when CLIENT_ACCEPTED {
    # Only accept RADIUS authentication (1812) and accounting (1813); drop the rest
    if { ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } {
        log local0. "packet on port [UDP::local_port] dropped"
        drop
    } else {
        # Persist on Calling-Station-Id (AVP 31)
        set CALLID [RADIUS::avp 31 string]
        persist uie $CALLID
        log local0. "persisted $CALLID"
    }
}
when CLIENT_DATA {
    # On accounting packets, remember which server the Framed-IP-Address maps to
    if { [UDP::local_port] == 1813 } {
        set CALLID [RADIUS::avp 31 string]
        set IP [RADIUS::avp 8 ip4]
        if { $IP != "" } {
            table set $IP [LB::server addr] 900
            log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
        }
    }
}
when LB_SELECTED {
    log local0. "Selected [LB::server addr] [LB::server port]"
}
when SERVER_DATA {
    persist add uie $CALLID
    log local0. "persist added for $CALLID to [LB::server addr]"
}
2 Replies
Hi ZANOOB,
[RADIUS::avp 31 string] may be returning an empty string. If it is empty, the iRule will throw an error.
Can you investigate the ltm logs and try this iRule?
when CLIENT_ACCEPTED {
    if { ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } {
        log local0. "packet on port [UDP::local_port] dropped"
        drop
    } else {
        set CALLID [RADIUS::avp 31 string]
        log local0. "persisted $CALLID"
        # Only persist when the attribute is present; an empty key raises an error
        if { $CALLID ne "" } {
            persist uie $CALLID
        }
    }
}
when CLIENT_DATA {
    if { [UDP::local_port] == 1813 } {
        set CALLID [RADIUS::avp 31 string]
        set IP [RADIUS::avp 8 ip4]
        if { $IP ne "" && $CALLID ne "" } {
            table set $IP [LB::server addr] 900
            log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
        }
    }
}
when LB_SELECTED {
    log local0. "Selected [LB::server addr] [LB::server port]"
}
when SERVER_DATA {
    if { $CALLID ne "" } {
        persist add uie $CALLID
        log local0. "persist added for $CALLID to [LB::server addr]"
    }
}
- ZANOOB
Hello Enes Afsin Al,
Thank you for your reply. Much appreciated.
I was not able to save the above iRule since it shows some syntax errors. I am not an expert in scripts, so I couldn't find what is wrong with its syntax.
-------------------------------
01070151:3: Rule [/Common/CallIDUIE2] error: /Common/CallIDUIE2:17: error: [parse error: PARSE syntax 501 {syntax error in expression "
set CALLID [RADIUS::avp 31 string]
log local0. ...": variable references require preceding $}][{
set CALLID [RADIUS::avp 31 string]
log local0. "persisted $CALLID"
if { $CALLID ne "" } {
persist uie $CALLID
}
}]
/Common/CallIDUIE2:24: error: [missing a script after "elseif"][]
/Common/CallIDUIE2:27: error: ["Duplicate event"][when CLIENT_DATA {
if { [UDP::local_port] == 1813 } {
set CALLID [RADIUS::avp 31 string]
set IP [RADIUS::avp 8 ip4]
if { $IP ne "" && $CALLID ne "" } {
table set $IP [LB::server addr] 900
log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
}
}
}]
--------------------------------
The packet capture shows the AVP 31 attribute (Calling-Station-Id) in it. So the issue is not a missing attribute value; rather, something about the packet that F5 is not able to understand is keeping it from being forwarded.
Frame 2: 317 bytes on wire (2536 bits), 317 bytes captured (2536 bits)
Ethernet II, Src: Fortinet_09:00:12 (00:09:0f:09:00:12), Dst: VMware_f5:03:01 (00:50:56:f5:03:01)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 4091
Internet Protocol Version 4, Src: 172.17.70.60, Dst: 10.1.6.100
User Datagram Protocol, Src Port: 54892, Dst Port: 1812
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x5e (94)
Length: 164
Authenticator: e0a10849518a2fc1f0827505db9f8a5c
Attribute Value Pairs
AVP: t=NAS-IP-Address(4) l=6 val=172.17.70.60
AVP: t=NAS-Port(5) l=6 val=0
AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
AVP: t=User-Name(1) l=15 val=mgalantowicza
AVP: t=User-Password(2) l=18 val=Encrypted
AVP: t=Service-Type(6) l=6 val=Shell-User(6)
AVP: t=Calling-Station-Id(31) l=14 val=b0b867cd68ee
Type: 31
Length: 14
Calling-Station-Id: b0b867cd68ee
AVP: t=Called-Station-Id(30) l=14 val=b0b867cd68ee
AVP: t=Vendor-Specific(26) l=23 vnd=Aruba, a Hewlett Packard Enterprise company(14823)
AVP: t=Vendor-Specific(26) l=18 vnd=Aruba, a Hewlett Packard Enterprise company(14823)
AVP: t=Message-Authenticator(80) l=18 val=a0d082620a1137f9110e2a5975c7d6a8
F5 Ethernet Trailer Protocol
However, I will check the LTM logs. Last time I checked, they didn't give any error for the virtual server. It simply is not forwarding the traffic to the load-balanced RADIUS servers.
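As an added example (not code from this thread, from F5, or from the iRule above), here is a small Python parser for the RADIUS packet layout shown in the capture. It returns the Calling-Station-Id (AVP 31) that the iRule keys persistence on, and an empty string when the attribute is absent, which is exactly the case the reply's `ne ""` checks guard against; it also rejects malformed AVP lengths instead of looping on them. The sample packets are constructed to mirror the capture's fields, not its real bytes.

```python
import struct

CALLING_STATION_ID = 31  # AVP the iRule uses as the "persist uie" key
FRAMED_IP_ADDRESS = 8    # AVP the iRule reads with "RADIUS::avp 8 ip4"

def parse_avps(packet: bytes) -> dict:
    """Parse a RADIUS datagram into {attr_type: [raw values]}.
    Header: code(1) id(1) length(2) authenticator(16), then AVPs of
    type(1) length(1) value. Length < 2 never advances, so it is rejected."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field disagrees with datagram")
    avps, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated AVP header")
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > length:
            raise ValueError(f"bad AVP length {l} at offset {off}")
        avps.setdefault(t, []).append(packet[off + 2:off + l])
        off += l
    return avps

def avp_string(avps: dict, t: int) -> str:
    """First value of AVP t as text, or "" when absent (like the iRule)."""
    vals = avps.get(t)
    return vals[0].decode("ascii", "replace") if vals else ""

def avp_ip4(avps: dict, t: int) -> str:
    """First value of AVP t as dotted IPv4, or "" if absent or not 4 bytes."""
    vals = avps.get(t)
    return ".".join(map(str, vals[0])) if vals and len(vals[0]) == 4 else ""

def persist_key(packet: bytes) -> str:
    """The persistence key the iRule would use; empty means 'do not persist'."""
    return avp_string(parse_avps(packet), CALLING_STATION_ID)

def build_access_request(avps: list, ident: int = 0x5E) -> bytes:
    """Build a minimal Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples modelled on the capture in the thread, not its real bytes.
SAMPLE = build_access_request([(4, bytes([172, 17, 70, 60])), (1, b"user1"),
                               (31, b"b0b867cd68ee"), (8, bytes([10, 1, 6, 50]))])
NO_CSI = build_access_request([(4, bytes([172, 17, 70, 60])), (1, b"user1")])
```

Running `persist_key` over a capture with the attribute present gives the MAC-style string seen in the capture; over one without it you get "", which is the value that must be checked before calling `persist uie`.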