Forum Discussion

jnantel
Apr 12, 2010

RADIUS iRule swamps my RADIUS server

Seems like I am not getting any kind of authentication caching with my iRule. Each HTTP object is generating a separate request to my RADIUS server. My RADIUS server in turn thinks it is under attack unless I disable most of the DoS protection.

RADIUS server is IIS

The purpose of my iRule is to strip the username out of the authenticated session and pass it to the webserver.

# SSO RADIUS v02.3
# simple radius auth using HTTP Authentication

when CLIENT_ACCEPTED {
    log "CLIENT_ACCEPTED start"
    # start a PAM auth session that uses the RADIUS auth profile
    set auth_sid [AUTH::start pam agent_source_radius_profile]
    log "CLIENT_ACCEPTED end"
}

when HTTP_REQUEST {
    log "HTTP_REQUEST start"
    # one session-table key, UN, is shared by every client
    set user_name [session lookup uie UN]
    log "HTTP_REQUEST adding header"
    # header is set from the client-supplied username on every request
    HTTP::header replace RADIUS_USER_NAME [HTTP::username]
    if {$user_name != [HTTP::username]} {
        log "HTTP_REQUEST do auth"
        # UN is overwritten before the RADIUS result is known
        session add uie UN [HTTP::username]
        AUTH::username_credential $auth_sid [HTTP::username]
        AUTH::password_credential $auth_sid [HTTP::password]
        AUTH::authenticate $auth_sid
        HTTP::collect
    }
}

when AUTH_SUCCESS {
    log "AUTH_SUCCESS start"
    if {$auth_sid eq [AUTH::last_event_session_id]} {
        HTTP::release
    }
}

when AUTH_FAILURE {
    log "AUTH_FAILURE start"
    if {$auth_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 401
    }
}

when AUTH_WANTCREDENTIAL {
    log "AUTH_WANTCREDENTIAL start"
    if {$auth_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 401
    }
}

when AUTH_ERROR {
    log "AUTH_ERROR start"
    if {$auth_sid eq [AUTH::last_event_session_id]} {
        HTTP::respond 401
    }
}

Any help would be appreciated.

jnantel

 

7 Replies

  • hoolio
    Hi,

    Which LTM version are you running? I think one issue is that you're overwriting the same session table entry all of the time. Can you replace the HTTP_REQUEST and AUTH_SUCCESS code with this and retest?

    when HTTP_REQUEST {

        # Check if a basic auth username and password were sent by client
        if {[HTTP::username] ne "" and [HTTP::password] ne ""} {

            # Pass the username to the web server on the cached and the uncached path
            # (HTTP:: commands are not valid later in the AUTH_ events)
            log "HTTP_REQUEST adding header"
            HTTP::header replace RADIUS_USER_NAME [HTTP::username]

            # Check if username/password are already in the session table
            if {[session lookup uie [HTTP::username]] eq [HTTP::password]} {

                # Auth was already successful on previous request, nothing more to do

            } else {

                # Save the username and password for reference in the AUTH_ events
                set user [HTTP::username]
                set pass [HTTP::password]

                log "HTTP_REQUEST do auth"
                AUTH::username_credential $auth_sid [HTTP::username]
                AUTH::password_credential $auth_sid [HTTP::password]
                AUTH::authenticate $auth_sid
                HTTP::collect
            }
        } else {
            HTTP::respond 401
        }
    }
    when AUTH_SUCCESS {

        log "AUTH_SUCCESS start"
        if {$auth_sid eq [AUTH::last_event_session_id]} {

            # Add the username and password to the session table for one hour
            session add uie $user $pass 3600

            HTTP::release
        }
    }

    If you see any problems with that, can you uncomment/add log statements, reproduce the issue and then reply with the log output?

    Thanks,

    Aaron
  • hoolio
    If HTTP::username and HTTP::password don't work in AUTH_SUCCESS, you could save them in HTTP_REQUEST as user and pass, and then change the AUTH_SUCCESS line to:

    session add uie $user $pass 3600

    Aaron
  • Thanks for the quick reply guys.

    I see where you are going with your changes. I'm getting the following context error:

    01070151:3: Rule [irule_v5_session_caching] error:
    line 42: [command is not valid in current event context (AUTH_SUCCESS)] [HTTP::username]
    line 42: [command is not valid in current event context (AUTH_SUCCESS)] [HTTP::password]

  • hoolio
    Hi jnantel,

    See my last post for a suggestion on that.

    Aaron
  • Ah, I did miss the second post. I do have a small problem in that I am editing someone else's code. The developer we assigned to this has since left the company. Back to the code: I've done some work with HTTP::username and HTTP::password, but I'm not sure how to save credentials as anything else without breaking the whole rule.

  • hoolio
    No worries, I've updated the code example in the first reply. Can you try incorporating that with the rest of your rule (just replace your HTTP_REQUEST and AUTH_SUCCESS events with mine)?

    Aaron
  • I'm stuck atm, my staging RADIUS server is acting up. I really appreciate the help. The rule was accepted by my LTM 1500. It looks like it is running normally in the log. The Auth server is just rejecting atm. I've reverted to an older rule and it isn't working as well.

    I will let you know if this is a success or fail when I get things working.
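
The caching problem in the original rule and the per-user session-table fix Aaron gives in his first reply, modelled as an added Python example (not code from the thread or from F5): a stub RADIUS server counts authentications while two users interleave requests; the shared UN key re-authenticates on every request, the per-user key only on the first, and rejected or expired credentials are never served from cache. It departs from the thread in one respect, storing an HMAC of the password in the table instead of the clear-text value; RadiusStub, SessionTable and the sample credentials are constructed for this example.

```python
import hashlib
import hmac
import secrets

class RadiusStub:
    """Stand-in for the RADIUS server; counts how often the LTM calls it."""
    def __init__(self, creds):
        self.creds, self.calls = creds, 0
    def authenticate(self, user, password):
        self.calls += 1
        return self.creds.get(user) == password

class SessionTable:
    """Models the LTM session table: key -> (value, expiry time)."""
    def __init__(self):
        self.entries = {}
    def add(self, key, value, timeout, now):
        self.entries[key] = (value, now + timeout)
    def lookup(self, key, now):
        value, expiry = self.entries.get(key, (None, 0))
        return value if now < expiry else None

def fingerprint(password, salt):
    """Keyed hash so the table never holds the clear-text password (my change)."""
    return hmac.new(salt, password.encode(), hashlib.sha256).hexdigest()

def shared_key_auth(requests, radius):
    """Original rule: one key 'UN' for all users, written before RADIUS answers."""
    table = SessionTable()
    for now, user, pw in requests:
        if table.lookup("UN", now) != user:
            table.add("UN", user, 3600, now)  # cached even if RADIUS rejects it
            radius.authenticate(user, pw)
    return radius.calls

def per_user_auth(requests, radius, ttl=3600):
    """Aaron's fix: key by username, cache only after AUTH_SUCCESS, expire after ttl."""
    table, salt, decisions = SessionTable(), secrets.token_bytes(16), []
    for now, user, pw in requests:
        if table.lookup(user, now) == fingerprint(pw, salt):
            decisions.append(True)  # hit: no RADIUS round trip
            continue
        ok = radius.authenticate(user, pw)
        if ok:
            table.add(user, fingerprint(pw, salt), ttl, now)
        decisions.append(ok)
    return decisions, radius.calls
```

Requests are (time, username, password) tuples; with alice and bob alternating six times each, shared_key_auth reports 12 RADIUS calls and per_user_auth reports 2.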