Forum Discussion
Retrieving username from APM iRule
Hi all,
I'm developing a new iRule for APM and I'm constantly getting an error while retrieving the username from the session...

    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "ga_user_verify" } {
            log local0. "CUSTOM - ga_user_verify"
            # set variables from APM logon page
            set username [ACCESS::session data get session.logon.last.username]
        }
    }

I can see in the logs the following: Rule /Common/irule_ga_user_check : CUSTOM - ga_user_verify TCL error: /Common/irule_ga_user_check - invalid command name "testusername" while executing "$username"
I checked that the session variable %{session.logon.last.username} exists... The iRule is launched but the last line is getting an error. Any ideas why it's giving an error?
Thanks in advance,
3 Replies
- Stanislas_Piro2
Cumulonimbus
Hi,
The iRule you posted is not the one generating the Tcl error. There is obviously a missing line with $username.
- David_Stout
Nimbostratus
Hello
Is that the complete iRule?
I used this one before where I set the variables outside the call from the APM module to perform some simple logging.

    when ACCESS_POLICY_AGENT_EVENT {
        # Read the session variables up front, before the agent_id check
        set loginname [ACCESS::session data get session.logon.last.logonname]
        set emaclientip [ACCESS::session data get session.user.clientip]
        set emasessionid [ACCESS::session data get session.user.sessionid]
        if {[ACCESS::policy agent_id] == "logip"} {
            log "EMA $loginname connected with session ID $emasessionid from ClientIP $emaclientip"
        } else {
            return
        }
    }

This bit is throwing me though...
"testusername" while executing "$username"
Where's the reference to testusername coming from? Is it further down the iRule or from something else?
- Roberto_GB_2613
Altostratus
Hi,
Thanks for the responses! I chopped the iRule down to what I thought was relevant... and I missed the important line. I was using "[$username]" instead of "$username" while logging. Now it's working.
Here is the final code:

    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "ga_user_verify" } {
            log local0. "CUSTOM - iRule_ga_user_verify"

            # Get userdata
            set username [ACCESS::session data get session.logon.last.username]
            set static::ga_key_dg "google_auth_keys"
            set ga_key ""
            set ga_key [class lookup $username $static::ga_key_dg]

            # Check retrieved token
            if { [string length $ga_key] == 16 } {
                set ga_user_result 1
            } else {
                set ga_user_result 0
            }
            # user is in database: ga_user_result = 1
            # user is not in database: ga_user_result = 0

            # Log result and save data
            ACCESS::session data set session.custom.ga_user_result $ga_user_result
            log local0. "CUSTOM - user $username has token: $ga_user_result"
        }
    }

It's going to complement the Google Authenticator as a second factor. Some users have not yet had the token generator deployed and, for the moment, they should not be asked for it while authenticating. I'm following George Watkins's guide, Two-Factor Authentication With Google Authenticator And APM.
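
The `[$username]` versus `$username` mistake resolved in this thread, as an added example that is not any poster's code: plain Tcl for `tclsh` (not an iRule) that reproduces the "invalid command name" error and then scans source text for a variable in command position, which matters here because the value comes from the logon page. The proc `find_var_commands` and the sample input are hypothetical and constructed for illustration.

```tcl
# Added example: plain Tcl, runs under tclsh without a BIG-IP.
# Constructed value standing in for session.logon.last.username.
set username "testusername"

# Square brackets run their contents as a command, so [$username] asks
# Tcl to call a command whose name is the variable's value.
if {[catch {set msg "user [$username]"} err]} {
    puts "bracket form failed: $err"
}

# A bare $username only substitutes the value into the string.
puts "plain form: user $username"

# Hypothetical helper: return the lines of iRule source where a variable
# sits in command position, such as [$username] or [$cmd arg].
proc find_var_commands {source} {
    set hits {}
    set n 0
    foreach line [split $source "\n"] {
        incr n
        # Literal "[", optional whitespace, then literal "$"
        if {[regexp {\[\s*\$} $line]} {
            lappend hits "$n: [string trim $line]"
        }
    }
    return $hits
}

# Constructed sample input: line 2 repeats the mistake from the thread,
# lines 1 and 3 are the correct forms.
set sample {set username [ACCESS::session data get session.logon.last.username]
log local0. "CUSTOM - user [$username]"
log local0. "CUSTOM - user $username"}

foreach hit [find_var_commands $sample] {
    puts "review: $hit"
}
```

The scan is a line-based heuristic: it also flags intentional dynamic dispatch and matches inside comments, so treat each hit as a line to review rather than a confirmed defect.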
