Jay_Cedrone
Jul 09, 2019

iRule for RADIUS "calling station ID" attribute 31 (persistence)

I am looking for an iRule that will be persistent for both RADIUS authentication and RADIUS Accounting using RADIUS Calling Station ID (attribute 31).

 

Thanks a lot,

 

  • Jay

6 Replies

  • Hello Jay,

    you can adapt this iRule, which does persistence on User-Name (1) and logs Calling-Station-ID (31) and User-Name (1)

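    when RULE_INIT {
        # Map of RADIUS attribute codes to names, used only for logging
        array set ::attr_code2name {
             1      User-Name
            31      Calling-Station-Id
        }
    }
    when CLIENT_ACCEPTED {
        # RADIUS header: code (1 byte), identifier (1), length (2), authenticator (16),
        # followed by the code and length of the first attribute
        binary scan [UDP::payload] ccSH32cc code ident len auth \
            attr_code1 attr_len1
        # Offset of the first attribute's value (20-byte header + 2-byte attribute header)
        set index 22
        while { $index < $len } {
            # "c" scans a signed byte; mask to recover the unsigned value
            set attr_code1 [expr {$attr_code1 & 0xff}]
            set attr_len1 [expr {$attr_len1 & 0xff}]
            # An attribute length below 2 is malformed and would stall the walk
            if { $attr_len1 < 2 } { return }
            # Value length in hex digits (attribute length minus its 2-byte header)
            set hsize [expr {( $attr_len1 - 2 ) * 2}]
            # Read this attribute's value (as hex) and the next attribute's code and length
            binary scan [UDP::payload] @${index}H${hsize}cc attr_value \
                attr_code2 attr_len2
            # Only codes present in the name table can be looked up for logging
            if { [info exists ::attr_code2name($attr_code1)] } {
                log local0. " $::attr_code2name($attr_code1) = $attr_value"
            }
            if { $attr_code1 == 1 } {
                persist uie $attr_value 60
                return
            }
            set index [expr {$index + $attr_len1}]
            set attr_len1 $attr_len2
            set attr_code1 $attr_code2
        }
    }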

     

  • Hello Jay,

    I used the same iRule for my RADIUS packets to be load balanced, however it did not work :( .

    I see packets reaching my virtual server, however packets are not moved towards the pool.

     

    I am using a universal persistent connection, in which I called the above iRule that you have mentioned. Somehow the "Access-Request" packets are not being sent to the pool members by the virtual server after the iRule.

     

    I also tried the below mentioned iRule, any help would be much appreciated.

     

    --------Beginning of irule---------------

    when RULE_INIT {
        array set ::attr_code2name {
             1     User-Name
             2     User-Password
             3     CHAP-Password
             4     NAS-IP-Address
             5     NAS-Port
             6     Service-Type
             7     Framed-Protocol
             8     Framed-IP-Address
             9     Framed-IP-Netmask
            10     Framed-Routing
            11     Filter-Id
            12     Framed-MTU
            13     Framed-Compression
            14     Login-IP-Host
            15     Login-Service
            16     Login-TCP-Port
            17     (unassigned)
            18     Reply-Message
            19     Callback-Number
            20     Callback-Id
            21     (unassigned)
            22     Framed-Route
            23     Framed-IPX-Network
            24     State
            25     Class
            26     Vendor-Specific
            27     Session-Timeout
            28     Idle-Timeout
            29     Termination-Action
            30     Called-Station-Id
            31     Calling-Station-Id
            32     NAS-Identifier
            33     Proxy-State
            34     Login-LAT-Service
            35     Login-LAT-Node
            36     Login-LAT-Group
            37     Framed-AppleTalk-Link
            38     Framed-AppleTalk-Network
            39     Framed-AppleTalk-Zone
            60     CHAP-Challenge
            61     NAS-Port-Type
            62     Port-Limit
            63     Login-LAT-Port
        }
    }
    when CLIENT_ACCEPTED {
        if { ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } {
            log local0. "packet on port [UDP::local_port] dropped"
            drop
        } else {
            set CALLID [RADIUS::avp 31 string]
            persist uie $CALLID
            log local0. "persisted $CALLID"
        }
    }
    when CLIENT_DATA {
        if { [UDP::local_port] == 1813 } {
            set CALLID [RADIUS::avp 31 string]
            set IP [RADIUS::avp 8 ip4]
            if { $IP != "" } {
                table set $IP [LB::server addr] 900
                log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
            }
        }
    }
    when LB_SELECTED {
        log local0. "Selected [LB::server addr] [LB::server port]"
    }
    when SERVER_DATA {
        persist add uie $CALLID
        log local0. "persist added for $CALLID to [LB::server addr]"
    }

     

     

    ----------end of irule--------