Forum Discussion
Nimbostratusset APM variable from irule LB_SELECTED
I'm using the APM v11.3 and I need to set an APM variable from an iRule which is bound to the radius VS (not the Access Policy VS). The goal is to log in the APM session, which Radius pool member has been selected. Everything works fine except the APM logging. Any idea why it's not working (APM session variable not set, why the LTM logging is working perfectly)? irule:
when RULE_INIT {
}
when CLIENT_DATA {
set radius_rootname "radius-server"
set temp [RADIUS::avp 1 "string"]
set username [getfield $temp "|" 1]
set nasid [getfield $temp "|" 2]
set radius_port [class lookup $nasid radiusport-table]
if { $radius_port ne "" } {
pool ${radius_rootname}_${radius_port}
log local0. "radius server pool=${radius_rootname}_${radius_port}"
} else {
log local0. "Error selecting Radius server (${radius_rootname}_${radius_port})"
}
RADIUS::avp replace USER-NAME $username "string"
RADIUS::avp replace NAS-Identifier $nasid "string"
}
when LB_SELECTED {
ACCESS::session data set "session.custom.radservermsg" "[LB::server addr]"
log local0. "Radius Auth server [LB::server addr]:[LB::server port]"
}
LTM log output: Dec 12 16:34:23 slot1/vip-guest3-test info tmm1[8274]: Rule /Common/dev-radius_nasid : Radius Auth server a.b.c.d:1819
Here the APM variable Thanks!
5 Replies
Hello.
I don't think that you are setting the APM session variable correctly which is why it is showing in the LTM logs but not in the APM logs. You can probably check this by having a look at the session variables for an existing APM session to see if this variable exists at all (regardless of the content of the variable to start with).
Please try updating the following section of your iRule
when LB_SELECTED { ACCESS::session data set session.custom.radservermsg "[LB::server addr]" log local0. "Radius Auth server [LB::server addr]:[LB::server port]" }I can't remember if the last part "[LB::server addr]" should be in quotes or not, so give it a try with and without the quotation marks if what I provided didn't work.
- Kevin_Stewart
Employee
You can surround the new session variable in double quotes, or not, and you should definitely be able to set an access session variable from the LB_SELECTED event. What puzzles me is this statement:
I need to set an APM variable from an iRule which is bound to the radius VS (not the Access Policy VS)
Are you in fact talking about two different VIPs?
amolariCirrostratus
yes Kevin. To workaround the lack of variable support in APM AAA Radius, I need to "jump" to an internal VS (radius) to perform the authentication. I suppose it doesn't know APM session context and thus I cannot set that variable in APM. I've tried to write to apm logs (local1.) from the irule.. unsuccessfuly. We have many radius servers and in the APM session logs, I only see the IP of the VS and I would need to add the "real" radius server...
- Kevin_Stewart
First question would be how do you "jump" to the internal VS? Depending on the response to that, you could either:
-
Report the necessary data back to the external VIP and let it add the session variable, or
-
Send the APM session ID to the internal VIP so that it could add the session value directly.
-
- amolari
I have the internal VS configured as a direct server in the external VS-APM Radius AAA. How to do point 2? If I have the session ID, how can I write the session variable for that specific sessionID? >> how to "bind" the session variable to a specific session ID?
