Forum Discussion
iRule: persist uie "$var1:$var2"
Hello Team,
I have just found I can create a persistence entry using two variables, for example:
persist uie "$var1:$var2"
But I am not sure how I can use it later.
Is it possible to hit it if matching $var1 OR $var2? Or maybe I have to match both $var1 AND $var2?
How does it work? Do I have any control over that?
I need to have "OR" logic because subsequent flows/protocols might not contain both, but just one matching attribute/variable.
Thanks, Michal
19 Replies
- cjunior
Nacreous
Hi Michal, considering that you need UIE persistence, I think you need to create two persistence records separately and after that test whether persistence exists for those keys with "persist lookup uie". But you need to ensure that during the first one you have both $var keys, otherwise you may persist in two places. Am I wrong? What do you think about it?
- teknet7_237497
Nimbostratus
Hi Cjunior,
Thank you for the answer. Indeed I have the same conclusion: I need two persistence records. But how do I create two persistence records? I have my data only in the client request (not the server response). When I tried to create two persistence records in CLIENT_ACCEPTED or SERVER_DATA using "persist uie" or "persist add uie", only the last one was ever created.
What are the limitations for the creation of 2 persistence records?
I would like to achieve:
- on client request: check if there is persistence for $var1 - if yes, follow
- on client request: check if there is persistence for $var2 - if yes, follow
- on client request: create/update persistence record for $var1
- on client request: create/update persistence record for $var2
Possible?
Thanks, Michal
- StephanManthey
Nacreous
Hi Michal,
if you want to persist on a combination of parameters it will be required to match exactly.

    when HTTP_REQUEST {
        log local0. "[IP::client_addr]:[URI::query [HTTP::uri] param1]"
        persist uie "[IP::client_addr]:[URI::query [HTTP::uri] param1]"
    }

I.e. you try to persist on combined client IP and a query parameter. Now watch your persistence table (specify mode and virtual server to limit output; the all-properties parameter just displays some more details, i.e. record age):

    watch -d 'tmsh show ltm persist persist-records mode universal virtual vs_51 all-properties'

    Sys::Persistent Connections
    universal - 10.131.131.51:80 - 10.131.131.64:80
    -------------------------------------------------
      TMM            1
      Mode           universal
      Value          10.131.131.176:abc
      Age (sec.)     36
      Virtual Name   /Common/vs_51
      Virtual Addr   10.131.131.51:80
      Node Addr      10.131.131.64:80
      Pool Name      /Common/pool_distribution_service
      Client Addr    10.131.131.176
      Owner          entry

    universal - 10.131.131.51:80 - 10.131.131.63:80
    -------------------------------------------------
      TMM            1
      Mode           universal
      Value          10.131.131.176:hij
      Age (sec.)     24
      Virtual Name   /Common/vs_51
      Virtual Addr   10.131.131.51:80
      Node Addr      10.131.131.63:80
      Pool Name      /Common/pool_distribution_service
      Client Addr    10.131.131.176
      Owner          entry

    Total records returned: 2

Whenever the value is matched, the associated pool member will be reselected.
Use e.g. cURL to play with query parameters:

    curl -v http://10.131.131.51/path?param1=hij

Thanks, Stephan
- teknet7_237497
Nimbostratus
Hi Stephan,
Thank you for that example. But I do not want AND ("combination of parameters") but OR logic. Real example:
- Incoming Radius Access-Request with Calling-Station-Id: create persistence for Calling-Station-Id
- Incoming Radius Accounting-Request with Calling-Station-Id should be redirected to the same node (as per persistence), but at the same time I would like to create a new persistence record based on the Framed-IP-Address attribute
- Incoming HTTP traffic: take the source IP and match it with the persistence entry for Framed-IP-Address
Radius (Authentication + Accounting) is one virtual server, HTTP is the other. How would you prepare iRules for both?
Thanks, Michal
- StephanManthey
Nacreous
Sorry, I still don't get it. I guess the virtual server for HTTP is mapped to a pool of webservers. These servers are not identical with your AAA servers, right? Where is the information in RADIUS about the pool member to select for your web application?
- teknet7_237497
Nimbostratus
Hi Stephan,
Radius and HTTP are identical - same servers, just different tcp/udp ports.
I need to bind Radius Authentication with Radius Accounting using Calling-Station-Id (always the same for both). Then I need to bind Radius with HTTP (Radius Framed-IP-Address in Accounting is the same as the HTTP source IP). How to achieve that?
Thanks,
- StephanManthey
Nacreous
I.e. rad-web-srv-1 returns a framed IP upon request. Later a client with this source IP requests the web service and should be forwarded to rad-web-srv-1. The clients asking for AAA and HTTP are not identical, right?
- teknet7_237497
Nimbostratus
Hi Stephan,
My radius server does not return Framed-IP; it's delivered by the AAA client in Radius Interim Accounting messages. The AAA client is a network device (switch, router, firewall); the HTTP client is an endpoint (PC, mobile device) connected to the network device. So the IP for AAA and HTTP traffic will never be the same, but still I need to correlate it (based on Radius attributes).
Thanks,
- StephanManthey
Nacreous
You can use the session command to build and look up a separate table. Depending on which party provides the framed IP, one of the following rules will be applied to your RADIUS virtual:

Client provides framed IP:

    # rule for radius in case client provides the framed IP
    when LB_SELECTED {
        log local0. "session table entry added: "
        session add uie "persist:[RADIUS::avp 8]" [LB::server addr]
    }

Server provides framed IP:

    # rule for radius in case server provides the framed IP
    when SERVER_DATA {
        log local0. "session table entry added: "
        session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr]
    }

The following one will be bound to your virtual server for HTTP (may be used in the context of CLIENT_ACCEPTED as well):

    # rule for webservice
    when HTTP_REQUEST {
        log local0. "session table lookup result: [session lookup uie "persist:[IP::client_addr]"]"
        if {[session lookup uie "persist:[IP::client_addr]"] ne ""} {
            log local0. "lookup match: [session lookup uie "persist:[IP::client_addr]"]"
            node [session lookup uie "persist:[IP::client_addr]"]
        }
    }

I don't have a RADIUS up and running for testing but replicated it with another service in v11.5.1.
Perhaps you need to adjust the RADIUS part. Thanks, Stephan
- teknet7_237497
Nimbostratus
Thanks Stephan,
I guess the solution is near :)
You have shown how to correlate Radius Accounting with HTTP via IP address. But I also need to correlate Radius Authentication (udp/1812) with Radius Accounting (udp/1813) via Calling-Station-Id.
And this is the challenge: to correlate 3 different protocols using 2 different attributes; all of those need to land on the same node for successful correlation.
Are you able to expand this example ?
Thanks a lot !
- StephanManthey
Nacreous
Hi,
in case the accounting server would return the framed IP it would look as follows (assuming AVP 31 represents the calling station ID):

    # rule for RADIUS authentication udp/1812
    when LB_SELECTED {
        log local0. "session table entry added: "
        session add uie "persist:[RADIUS::avp 31]" [LB::server addr]
    }

    # rule for RADIUS accounting udp/1813
    when CLIENT_DATA {
        log local0. "session table lookup result: [session lookup uie "persist:[RADIUS::avp 31]"]"
        # look up the same key that was stored above (the Calling-Station-Id);
        # a lookup on IP::client_addr here would never match
        if {[session lookup uie "persist:[RADIUS::avp 31]"] ne ""} {
            log local0. "lookup match: [session lookup uie "persist:[RADIUS::avp 31]"]"
            node [session lookup uie "persist:[RADIUS::avp 31]"]
        }
    }
    when SERVER_DATA {
        log local0. "session table entry added: "
        session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr]
    }

As initially proposed by cjunior we are using two table entries (keys) pointing to the same real server IP. Thanks, Stephan
- teknet7_237497
Nimbostratus
Great, for me it's the AAA client sending Framed-IP, so I would need to add the session entry inside CLIENT_DATA, like this:

    when CLIENT_DATA {
        set target [session lookup uie "persist:[RADIUS::avp 31]"]
        log local0. "session table lookup result: $target"
        # look up the Calling-Station-Id key stored by the authentication rule
        if {$target ne ""} {
            log local0. "lookup match: $target"
            node $target
            # store the node address; in CLIENT_DATA, IP::remote_addr is the RADIUS client, not the server
            session add uie "persist:[RADIUS::avp 8]" $target
        }
    }

Can it work? I have tried to do the same using persistence only (no sessions) and found out that it cannot work together (thread: https://devcentral.f5.com/questions/irule-two-persist-commands)
Thanks, Michal
- StephanManthey
Nacreous
Hi Michal, the session table is independent of the persistence table and starting with v10.x(?) you can use it for key/value pairs to build your own "persistence" method. Please just watch the logs to verify that RADIUS::avp returns the expected data to be used in combination with e.g. "persist:" as key. Thanks, Stephan
- teknet7_237497
Nimbostratus
Hi Stephan,
OK, I have made several more tests. I have one VS for both Radius Authentication and Accounting. iRule for that:

    # rule for RADIUS authentication udp/1812
    when LB_SELECTED {
        log local0. "session table entry added: "
        session add uie "persist:[RADIUS::avp 31]" [LB::server addr]
    }

    # rule for RADIUS accounting udp/1813
    when CLIENT_DATA {
        set target [session lookup uie "persist:[RADIUS::avp 31]"]
        log local0. "session table lookup result: $target"
        # look up the Calling-Station-Id key stored above
        if {$target ne ""} {
            log local0. "lookup match: $target"
            node $target
            log local0. "session table entry added: "
            # store the node address; in CLIENT_DATA, IP::remote_addr is the RADIUS client, not the server
            session add uie "persist:[RADIUS::avp 8]" $target
        }
    }

When I send a Radius Authentication packet I get the logs:

    session table entry added:
    session table lookup result: 172.16.34.100

It looks like the session is never created; when trying:

    root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys connection
    Really display all connections? (y/n) y
    Sys::Connections
    172.16.34.102:35200  172.16.34.100:8  172.16.34.102:35200  172.16.34.100:8  icmp  1   (tmm: 0)  none
    172.16.34.102:32148  172.16.34.100:8  172.16.34.102:32148  172.16.34.100:8  icmp  6   (tmm: 0)  none
    172.16.34.102:42463  172.16.34.101:8  172.16.34.102:42463  172.16.34.101:8  icmp  5   (tmm: 1)  none
    172.16.34.102:57314  172.16.34.101:8  172.16.34.102:57314  172.16.34.101:8  icmp  10  (tmm: 0)  none
    Total records returned: 4

I only see ICMP connections, which are the result of monitoring (probes). My persistence looks like:

    root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos) show /ltm persistence persist-records
    Sys::Persistent Connections
    hash  0  172.16.33.103:any  172.16.34.100:any  (tmm: 0)
    Total records returned: 1

Why is the session never created? And how can I display/monitor that?
Also, how can I differentiate accounting from authentication in CLIENT_DATA (I would like to search for Framed-IP-Address only in accounting packets)?
Thanks, Michal
- StephanManthey
Nacreous
Hi Michal, I don't know a way of dumping the table created by the session command. As far as I know it is separate from the persistence table and the connection table. That's why the related commands do not return the expected results. For the first step I would recommend extending the log statement in the context of the RADIUS accounting message to the following:

    log local0. "session table lookup result for calling station ID of [RADIUS::avp 31]: [session lookup uie "persist:[RADIUS::avp 31]"]"

This way you can be sure the RADIUS client is using the same calling station ID of 11:11:11:11:11:11 as in your example. Looking up the "session" table via iRule is the only way I am aware of. For an analysis of your environment-specific traffic patterns I would recommend running a TCPDUMP while having only a single pool member enabled (this way you prevent wrong return values due to failing persistence):

    tcpdump -i 0.0:nnnp -s 0 -c 1000 -w /shared/radius-001.cap 'port 1812 or port 1813'

To differentiate between RADIUS authentication and accounting you can use the return value of [RADIUS::code] in your iRule: 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject, 4 = Accounting-Request, 5 = Accounting-Response. Thanks, Stephan
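The pieces discussed across the thread (session add on the Access-Request, lookup plus Framed-IP entry on the Accounting-Request, lookup on the HTTP virtual, RADIUS::code to tell the two RADIUS message types apart) put together as one set of rules. This is an added example, not code posted in the thread. It assumes Michal's layout: one RADIUS virtual receiving both udp/1812 and udp/1813 from the NAS, an HTTP virtual in front of the same server addresses, AVP 31 = Calling-Station-Id and AVP 8 = Framed-IP-Address (RFC 2865 numbering), that `RADIUS::avp 8 ip4` renders the attribute as a dotted-quad address, that the RADIUS:: commands are usable in LB_SELECTED as in Stephan's rule, and a session lifetime of 3600 seconds; the key prefixes csid:/fip: and the ports passed to node via UDP::local_port / TCP::local_port are choices made here. The accounting branch looks up the Calling-Station-Id (the key that was stored), which is the one place the rule quoted earlier in the thread diverges (it looked up IP::client_addr there, so its branch never matched).

```tcl
# Added example, not code from the thread.
# iRule 1: attached to the RADIUS virtual server (udp 1812 and 1813, same servers).
# Assumptions: AVP 31 = Calling-Station-Id, AVP 8 = Framed-IP-Address (RFC 2865),
# "ip4" formatting for AVP 8, 3600 s entry lifetime, key prefixes "csid:" / "fip:".

when RULE_INIT {
    # Lifetime of a correlation entry in the session table (assumed value).
    set static::corr_ttl 3600
}

when CLIENT_DATA {
    # RADIUS::code: 1 = Access-Request, 4 = Accounting-Request (RFC 2865/2866).
    # Only Accounting-Requests carry the Framed-IP-Address the HTTP virtual needs,
    # so Access-Requests are left to normal load balancing here (see LB_SELECTED).
    if { [RADIUS::code] != 4 } {
        return
    }
    set csid [RADIUS::avp 31]
    if { $csid eq "" } {
        log local0. "accounting request without Calling-Station-Id from [IP::client_addr]"
        return
    }
    # Find the server that handled the Access-Request with the same Calling-Station-Id.
    set target [session lookup uie "csid:$csid"]
    log local0. "accounting lookup csid=$csid -> '$target'"
    if { $target eq "" } {
        # No matching authentication seen on this box: fall back to load balancing.
        return
    }
    # Pin this datagram to that server, on the port the client used (1813).
    node $target [UDP::local_port]
    # Record Framed-IP-Address -> server so the HTTP virtual can follow the same mapping.
    set framed_ip [RADIUS::avp 8 ip4]
    if { $framed_ip ne "" } {
        session add uie "fip:$framed_ip" $target $static::corr_ttl
        log local0. "session add fip=$framed_ip -> $target"
    }
}

when LB_SELECTED {
    # Access-Request: remember which server the load balancer picked for this
    # Calling-Station-Id. For Accounting-Requests the node was already pinned above.
    if { [RADIUS::code] == 1 } {
        set csid [RADIUS::avp 31]
        if { $csid ne "" } {
            session add uie "csid:$csid" [LB::server addr] $static::corr_ttl
            log local0. "session add csid=$csid -> [LB::server addr]"
        }
    }
}

# iRule 2: attached to the HTTP virtual server (same server addresses, tcp/80).
when HTTP_REQUEST {
    # The endpoint's source IP is the Framed-IP-Address the NAS reported in accounting.
    set target [session lookup uie "fip:[IP::client_addr]"]
    if { $target ne "" } {
        log local0. "http client [IP::client_addr] -> $target"
        node $target [TCP::local_port]
    }
}
```

Both keys are taken straight from attributes the NAS sends, and nothing in these rules verifies the RADIUS authenticator, so any host that can reach the RADIUS virtual can overwrite a csid:/fip: mapping; restrict the virtual's allowed sources to the NAS addresses and keep the entry lifetime bounded rather than relying on the default. If the NAS sends Accounting-Stop (Acct-Status-Type, AVP 40, value 2), the fip: entry can be removed there with `session delete uie` so a reassigned framed IP does not inherit the previous endpoint's server.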