Forum Discussion

Nic_J
Mar 26, 2018

Is accessing session variables from per-request subroutine possible?

Is there a way to copy session variables (or reference them) into a subroutine subsession in a per-request APM policy? I'm trying to set up an MFA challenge when users access a certain path. So far I can get the subroutine to work if I present a logon page for them to enter their username and password again, but I'm trying to avoid this as these details have already been entered in the access policy when they first log into the site.

Below is a screenshot of the subroutine and the contents of the RADIUS auth:

  • Hello Nic,


    Did you ever figure out how to get the RADIUS Auth to work without first adding a username and password login to your subroutine? I am having the exact same issue when trying to do a per-request policy for step-up auth on version 13.1.0.7.


    Thanks


  • Hi,

    There is a weird configuration in per-request policy subroutines.

    In the subroutine logon page help, you can find this:

    Session Variable Name or Subsession Variable Name: Specifies the session (or subsession) variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas. Similarly, when configuring a per-request policy subroutine, the subsession variable username stores the username input omaas as the subsession variable string subsession.logon.last.username=omaas.

    It means subroutine session variables are not session.logon.last.* but subsession.logon.last.*

    So even if the RADIUS agent source is %{session.logon.last.username}, it expects %{subsession.logon.last.username}

    If you want to get the username from the session variable and the password from the subroutine logon page, add a Variable Assign before the logon page:

    subsession.logon.last.username = Session Variable session.logon.last.username
  • I hope you don't want to authenticate the user in the subroutine with the password entered in the per-session policy!

    If this is the requirement, authenticate the user in the per-session policy, but delete the Successful branch... with this, the variable session.radius.last.result will contain the authentication result.

    Then in the subroutine, check if the authentication succeeded with an Empty box and a branch expression:

    expr { [mcget {session.radius.last.result}] == 1 }
    

    Imagine if the user entered a one-time password and browsed the website before matching the subroutine condition; the password may have expired by the time the subroutine is evaluated.

    Another possible behaviour is a password changed during this time (AD password, ...).
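    The two replies above describe the configuration in terms of the GUI fields. The same settings written as APM custom expressions, added here as an illustration rather than taken from the original thread (the agent placement is as described above; `mcget`, `mcget -secure` and the `expr { ... }` custom-expression form are standard APM Tcl syntax, and the password variable name in step 2 is assumed by analogy with the documented username variable):

    ```tcl
    # Added example, not from the original thread. Shows the per-request
    # subroutine step-up flow as APM custom expressions.

    # 1. Variable Assign agent placed BEFORE the subroutine's logon page.
    #    Copies the username captured by the per-session (access) policy into
    #    the subsession namespace, which is the namespace the subroutine's
    #    logon page and RADIUS Auth agent actually read.
    #    Target variable : subsession.logon.last.username
    #    Custom expression:
    expr { [mcget {session.logon.last.username}] }

    # 2. Subroutine RADIUS Auth agent: point the Username/Password sources at
    #    the subsession variables rather than the per-session defaults.
    #    Username source : %{subsession.logon.last.username}
    #    Password source : %{subsession.logon.last.password}   ;# assumed name,
    #                      by analogy with subsession.logon.last.username

    # 3. Alternative that avoids re-prompting: RADIUS already ran in the
    #    per-session policy (with its Successful branch removed), so the
    #    subroutine only tests the stored result.
    #    Branch rule on an Empty agent:
    expr { [mcget {session.radius.last.result}] == 1 }

    # Secure variables such as passwords are read with the -secure flag:
    expr { [mcget -secure {session.logon.last.password}] }
    ```

    Note the caveat in the reply above still applies to option 3: the result was computed at logon time, so an expired OTP or a password changed since then is not detected by the subroutine.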

  • Thank you Nolan.


    I will open a new thread. I have been unable to use the password from an access policy in a per-request policy subroutine.


    Your solution works. It creates a logon prompt for the OTP as the password. This is still a prompt for the user to enter a "password", although it is an OTP. I can successfully pass the username but not the originating session.logon.last.password from the access policy.


    I have tried many methods without success (per-request policy; subroutine, subroutine macro, access policy). Either I haven't found the right combination or it doesn't work this way by design.


    mcget -secure {session.logon.last.password}


    mcget {session.logon.last.password}


    subsession.logon.last.password


    I am also trying other avenues such as using iRules LX to submit the request to the MFA API. I was just hoping RADIUS would be an easier route.