Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

APM-DHCP Access Policy Example and Detailed Instructions

Prepared with Mark Quevedo, F5 Principal Software Engineer May, 2020 Sectional Navigation links Important Version Notes   ||  Installation Guide   ||  What Is Going On Here?   ||  Parameters You ...
Updated Sep 07, 2023
Version 9.0
application delivery
BIG-IP Access Policy Manager (APM)
dhcp
irules
VPN
M_Quevedo's avatar
M_Quevedo
Icon for Nimbostratus rankNimbostratus
Apr 28, 2020

Hi  and  ,

 

THE CORRECT ANSWER IS: You have to set the value of session.dhcp.client_ID to a "Text" value of '' (two-single-quotes). If the type of the value remains "Custom Expression" then two single-quotes standing-alone are ignored (to input a valid "Custom Expression" one would have to put return {''} instead).

 

[EVERYTHING BELOW HERE IS THE ORIGINAL RESPONSE BUT IT IS NOW OUT OF DATE, WRONG, AND YOU SHOULD IGNORE IT EXCEPT FOR HISTORICAL CURIOUSITY]

 

I do not know (yet!) why setting session.dhcp.client_ID to '' (i.e., two single-quotes) fails to prevent sending a client MAC address from the Machine Info Item as "client ID" (DHCP Option 61) on your respective BIG-IP's. That certainly used to work and the iRules code hasn't changed so it ought to still work.

 

Leaving aside the single-quote problem for a moment, it seems that your DHCP servers demand that Option 61 "client ID" be populated in DHCP requests. That is not mandated by the DHCP RFC's, it is just some administrative policy in your respective environments.

 

Anyway, you need Option 61 to be populated but you also need it to be different for every client and every session to prevent duplicate IP leases (for  you need this until I can ship a new version of the solution which handles the User1-login-logout-login_again vs. User2-login race-condition).

 

So please, each of you try this: In your DHCP_Setup Variable Assign Item set session.dhcp.client_ID to the following...

 

expr { "0AF5[string range [mcget {session.user.sessionid}] end-7 end]" }

(Do not add any space(s) around the double-quotes (") or between the "5" and the left-square-bracket "[" inside that expression. The code-snippet line-number "1" that appears on the left is not part of the expression, which starts with "expr".)

 

The meaning of this is to set client_ID to a unique "locally-administered MAC address" for each APM session. The DHCP server will think each session comes from a different client device. Since you are not reserving specific IP's for specific clients based on MAC address, this should not cause any conflicts.

 

Please let me know if this helps!