
Forum Discussion

sundogbrew
Oct 20, 2022

radius irule for IPV6

Greetings, I am looking for some help here. There are a few past posts about using an iRule in your RADIUS VIP; I am wondering if anyone has used it for V6.

I was using 

 

 

when RULE_INIT {
 array set ::attr_code2name {
         1     User-Name
         2     User-Password
         3     CHAP-Password
         4     NAS-IP-Address
         5     NAS-Port
         6     Service-Type
         7     Framed-Protocol
         8     Framed-IP-Address
         9     Framed-IP-Netmask
        10     Framed-Routing
        11     Filter-Id
        12     Framed-MTU
        13     Framed-Compression
        14     Login-IP-Host
        15     Login-Service
        16     Login-TCP-Port
        17     (unassigned)
        18     Reply-Message
        19     Callback-Number
        20     Callback-Id
        21     (unassigned)
        22     Framed-Route
        23     Framed-IPX-Network
        24     State
        25     Class
        26     Vendor-Specific
        27     Session-Timeout
        28     Idle-Timeout
        29     Termination-Action
        30     Called-Station-Id
        31     Calling-Station-Id
        32     NAS-Identifier
        33     Proxy-State
        34     Login-LAT-Service
        35     Login-LAT-Node
        36     Login-LAT-Group
        37     Framed-AppleTalk-Link
        38     Framed-AppleTalk-Network
        39     Framed-AppleTalk-Zone
        60     CHAP-Challenge
        61     NAS-Port-Type
        62     Port-Limit
        63     Login-LAT-Port
   }
}
when CLIENT_ACCEPTED {
  if { ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } {
   log local0. "packet on port [UDP::local_port] dropped"
   drop
  }else {
      set CALLID [RADIUS::avp 31 string]
      persist uie $CALLID
      log local0. "persisted $CALLID"
  }
}
when CLIENT_DATA {
   if { [UDP::local_port] == 1813 } {
   set CALLID [RADIUS::avp 31 string]
   set IP [RADIUS::avp 8 ip4]
   if { $IP != "" } {
       table set $IP [LB::server addr] 900
       log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
       }
   }
}
when LB_SELECTED {
   log local0. "Selected [LB::server addr] [LB::server port]"
}
when SERVER_DATA {
   persist add uie $CALLID
   log local0. "persist added for $CALLID to [LB::server addr]"
}

 

 

So for V6, most of those attributes aren't in the packet, but I was figuring I could do persistence on NAS-IPv6-Address, which shows up in the RADIUS packet as 95.  AVP: t=NAS-IPv6-Address(95) l=18 val=xx:x:x:x::x:x 

But if I add 95 NAS-IPv6-Address to the set command and try to call it, I get garbage in my output 

<CLIENT_ACCEPTED>: persisted &ôp��������������Pp

It allows me to log in but the persistence doesn't work.  

Any help would be greatly appreciated!

Thanks

Joe

 

1 Reply

  • It looks like whatever is being returned is binary and not a string. Two tangential recommendations as well:

    1. Don't use global variables, they demote all connections on that virtual server from CMP. Instead, convert ::attr_code2name to a static namespace variable: static::attr_code2name.
    2. Check to make sure the avp is present before acting on it like so:
    set CALLID [RADIUS::avp 31 string]
    # Only persist when attribute 31 was actually present in the packet
    if { not ($CALLID equals "") } {
        persist uie $CALLID 900
    }
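
Added example, not part of the original thread and not F5 code: a small Python parser showing why attribute 95 (length 18 = 2 header bytes + 16 raw address octets) prints as garbage when read as text, and how to turn it into a printable persistence key. The function names, the fallback order and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

NAS_IPV6_ADDRESS = 95    # RFC 3162: value is 16 raw octets, not text
CALLING_STATION_ID = 31  # RFC 2865: value is text

def parse_avps(packet: bytes) -> dict:
    """Return {attribute type: [raw value bytes, ...]} from a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        avps.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return avps

def persistence_key(packet: bytes):
    """Printable key: Calling-Station-Id if present, else NAS-IPv6-Address.

    The fallback order is an assumption made for this example.
    """
    avps = parse_avps(packet)
    if avps.get(CALLING_STATION_ID, [b""])[0]:
        return avps[CALLING_STATION_ID][0].decode("utf-8", "replace")
    raw = avps.get(NAS_IPV6_ADDRESS, [b""])[0]
    if len(raw) != 16:
        return None  # absent or malformed: caller should skip persistence
    return str(ipaddress.IPv6Address(raw))  # canonical text form

def build_sample() -> bytes:
    """Constructed Accounting-Request carrying only attribute 95."""
    value = ipaddress.IPv6Address("2001:db8::1").packed
    attr = bytes([NAS_IPV6_ADDRESS, 2 + len(value)]) + value
    header = struct.pack("!BBH", 4, 1, 20 + len(attr)) + bytes(16)
    return header + attr

if __name__ == "__main__":
    print(persistence_key(build_sample()))
```
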