iRule for RADIUS "calling station ID" attribute 31 (persistence)

Jay_Cedrone
Nimbostratus

I am looking for an iRule that will be persistent for both RADIUS authentication and RADIUS Accounting using RADIUS Calling Station ID (attribute 31).

 

Thanks a lot,

 

  • Jay

Stanislas_Piro2
Cumulonimbus

Hi Jay,

 

You can write an iRule working in CLIENT_ACCEPTED, reading the attribute with the command [RADIUS::avp 31] and enabling universal persistence with the « persist uie » command.

 

Look at this iRule as an example.

https://devcentral.f5.com/s/articles/radius-server-using-apm-to-authenticate-users-1078

 

If the code you write doesn’t work, post it here and we will help you to solve the issues!

 

You can use this code as an example of how to use the native RADIUS::avp commands.

Lidev
MVP

Hello Jay,

You can adapt this iRule, which does persistence on User-name (1) and logs Calling-Station-ID (31) and User-name (1).

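when RULE_INIT {
    # Attribute names, used only for the log line below
    array set ::attr_code2name {
          1      User-Name
         31      Calling-Station-Id
    }
}
when CLIENT_ACCEPTED {
    # RADIUS header: code (1 byte), identifier (1), length (2), authenticator (16),
    # followed by the type and length bytes of the first attribute
    binary scan [UDP::payload] ccSH32cc code ident len auth \
        attr_code1 attr_len1
    # Offset of the first attribute's value (20-byte header + type + length)
    set index 22
    while { $index < $len } {
        # "c" scans a signed byte; mask it so lengths above 127 stay positive
        set attr_len1 [expr {$attr_len1 & 0xff}]
        # A length below 2 is malformed and would keep the loop from advancing
        if { $attr_len1 < 2 } { return }
        # Read this value as hex, then the next attribute's type and length
        set hsize [expr {( $attr_len1 - 2 ) * 2}]
        binary scan [UDP::payload] @${index}H${hsize}cc attr_value \
            attr_code2 attr_len2
        # Log only attributes that have a name in the table (others would raise an error)
        if { [info exists ::attr_code2name($attr_code1)] } {
            log local0. " $::attr_code2name($attr_code1) = $attr_value"
        }
        if { $attr_code1 == 1 } {
            # Persist on the hex-encoded User-Name for 60 seconds
            persist uie $attr_value 60
            return
        }
        set index [expr {$index + $attr_len1}]
        set attr_len1 $attr_len2
        set attr_code1 $attr_code2
    }
}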

 

Thanks a lot Lidev, Very much appreciated. * Jay

you're welcome Jay ツ
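
An offline reference for the attribute walk in the iRule above, as an added Python example that is not part of the thread or F5's code: it parses a RADIUS datagram with bounds checks and returns the Calling-Station-Id (attribute 31) that authentication and accounting packets would both persist on. The packets and the helper names (`radius_attributes`, `persistence_key`, `build_packet`) are constructed for illustration.

```python
import struct

CALLING_STATION_ID = 31  # RADIUS attribute type used as the persistence key

def radius_attributes(packet: bytes):
    """Yield (type, value) for each attribute, rejecting malformed packets."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length field does not fit the datagram")
    index = 20
    while index < length:
        if index + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[index], packet[index + 1]  # unsigned bytes
        if attr_len < 2 or index + attr_len > length:
            raise ValueError(f"bad length {attr_len} for attribute {attr_type}")
        yield attr_type, packet[index + 2:index + attr_len]
        index += attr_len

def persistence_key(packet: bytes, attr_type: int = CALLING_STATION_ID):
    """Return the first matching attribute value as text, or None if absent."""
    for found_type, value in radius_attributes(packet):
        if found_type == attr_type:
            return value.decode("ascii", errors="replace")
    return None

def build_packet(code: int, attrs) -> bytes:
    """Build a constructed test packet; the authenticator is 16 zero bytes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: Access-Request (code 1) and Accounting-Request (code 4)
ACCESS_REQUEST = build_packet(1, [(1, b"jay"), (4, bytes([192, 0, 2, 10])),
                                  (31, b"00-11-22-33-44-55")])
ACCOUNTING_REQUEST = build_packet(4, [(40, b"\x00\x00\x00\x01"),
                                      (31, b"00-11-22-33-44-55"),
                                      (8, bytes([198, 51, 100, 7]))])
NO_CALLING_STATION = build_packet(1, [(1, b"jay")])
# Same Access-Request with the first attribute's length byte forced to 0
ZERO_LENGTH_ATTR = ACCESS_REQUEST[:20] + bytes([1, 0]) + ACCESS_REQUEST[22:]

if __name__ == "__main__":
    for name, pkt in [("access", ACCESS_REQUEST), ("accounting", ACCOUNTING_REQUEST),
                      ("no attr 31", NO_CALLING_STATION)]:
        print(name, "->", persistence_key(pkt))
```

A packet that yields `None` here carries no attribute 31, so a persistence rule keyed on it needs a fallback for that case.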

ZANOOB
Cirrus

Hello Jay,

I used the same iRule for my RADIUS packets to be load balanced, however it did not work 😞.

I see packets reaching my virtual server, however the packets are not moved towards the pool.

 

I am using a universal persistent connection, in which I called the above iRule that you have mentioned. Somehow the "Access-request" packets are not being sent towards the pool members by the virtual server after the iRule.

 

I also tried the iRule mentioned below; any help would be much appreciated.

 

--------Beginning of iRule---------------

when RULE_INIT {
    # RADIUS attribute codes and their names
    array set ::attr_code2name {
         1     User-Name
         2     User-Password
         3     CHAP-Password
         4     NAS-IP-Address
         5     NAS-Port
         6     Service-Type
         7     Framed-Protocol
         8     Framed-IP-Address
         9     Framed-IP-Netmask
        10     Framed-Routing
        11     Filter-Id
        12     Framed-MTU
        13     Framed-Compression
        14     Login-IP-Host
        15     Login-Service
        16     Login-TCP-Port
        17     (unassigned)
        18     Reply-Message
        19     Callback-Number
        20     Callback-Id
        21     (unassigned)
        22     Framed-Route
        23     Framed-IPX-Network
        24     State
        25     Class
        26     Vendor-Specific
        27     Session-Timeout
        28     Idle-Timeout
        29     Termination-Action
        30     Called-Station-Id
        31     Calling-Station-Id
        32     NAS-Identifier
        33     Proxy-State
        34     Login-LAT-Service
        35     Login-LAT-Node
        36     Login-LAT-Group
        37     Framed-AppleTalk-Link
        38     Framed-AppleTalk-Network
        39     Framed-AppleTalk-Zone
        60     CHAP-Challenge
        61     NAS-Port-Type
        62     Port-Limit
        63     Login-LAT-Port
    }
}
when CLIENT_ACCEPTED {
    # Only handle RADIUS authentication (1812) and accounting (1813)
    if { ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } {
        log local0. "packet on port [UDP::local_port] dropped"
        drop
    } else {
        # Persist on Calling-Station-Id (attribute 31)
        set CALLID [RADIUS::avp 31 string]
        persist uie $CALLID
        log local0. "persisted $CALLID"
    }
}
when CLIENT_DATA {
    # For accounting packets, store Framed-IP-Address (attribute 8)
    # against the selected pool member for 900 seconds
    if { [UDP::local_port] == 1813 } {
        set CALLID [RADIUS::avp 31 string]
        set IP [RADIUS::avp 8 ip4]
        if { $IP != "" } {
            table set $IP [LB::server addr] 900
            log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
        }
    }
}
when LB_SELECTED {
    log local0. "Selected [LB::server addr] [LB::server port]"
}
when SERVER_DATA {
    # Add a persistence record for the Calling-Station-Id when the server replies
    persist add uie $CALLID
    log local0. "persist added for $CALLID to [LB::server addr]"
}

----------End of iRule--------