For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bob_24115's avatar
Bob_24115
Icon for Nimbostratus rankNimbostratus
Oct 14, 2014

trying to call external web service to determine VPN access

hi there I know very little about the F5 APM as I've not yet attended training, so please forgive potential naivety of this question. I would like to check with one of our webservers if the MAC address of the connecting device is known to us. I have an asp page that will return true or false when called with the mac address.

I created this irule

package require http;
when ACCESS_POLICY_AGENT_EVENT {
  switch [ACCESS::policy agent_id] { 
   "our_policy" {
     set clientMAC "[ACCESS::session data get session.client.mac_address]";
     ACCESS::session data set session.custom.mac_from_lan 0;
     ACCESS::session data set session.custom.TEMPclientmac $clientMAC; Just used to test this is firing
     set result [http::geturl http://my.web.server/MacValid.asp?MacAddress=$clientMAC]
     if { [http::data $result] == "TRUE" } { ACCESS::session data set session.custom.mac_from_lan 1 } 
     }
   } 
}

but it errors on the "package require" line

I was hoping to call this irule from my access policy.

I suspect I can't use the tcl http routines? Is there a way I can do what I want? Basically I want to grant restricted access to machines we don't know about and full access to those we do.

thanks in advance

application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
security

12 Replies

Show More
  • Bob_24115's avatar
    Bob_24115
    Icon for Nimbostratus rankNimbostratus
    Oct 27, 2014

    Hi Seth

    sorry, but this seems to be rumbling on - 1 step forwards & 2 steps back!

    It seems that android does not support "machine info" and therefore does not populate 

    session.machine_info.last.net_adapter.list.[0].mac_address
    . BTW the help documentation says it is 
    session.machine_info.net_adapter.list.[0].mac_address
    which is wrong (sigh). Not a big problem, I've created a macro that saves off 
    session.client.mac_address
    instead if we're on Android, which seems to work.

    What has completely floored me is that iOS doesn't seem to populate 

    session.client.mac_address
    OR support "machine info", so it looks like I can't get it's MAC address at all? this seems quite an omission to me. Or perhaps I misunderstand?

    I haven't even looked at Linux yet. I'm not hopeful 😞

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Oct 27, 2014

    iOS7 onwards mac address is query is restricted. Instead can use session.client.unique_id

     

    430575The session variable session.client.mac_address has been removed from the client info in this release.

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/related/relnote-edgeclientios-1-0-6.print.html