Pulse Integration – F5 iRule AVP Insert

Manoj_T
Nimbostratus

Hello F5 world,

I have a few questions regarding Pulse integration with F5. We are trying to integrate Pulse Secure and write some iRules which redirect the traffic to ISE from Pulse. Are there any reference iRules which I can try in our environment? Please keep me posted. Thanks.

Regards,

MT

5 REPLIES

PeteWhite
F5 Employee

Take a look at https://clouddocs.f5.com/api/irules/HTTP__redirect.html which shows you how to use redirect. You may find that LTM policies work better. If you provide more information about what you actually want then we may be able to help out with an iRule.

Hi Pete White,

Thanks for answering my concern. Here is the detailed version of what we are expecting to do. We have Pulse Secure for all types of connections out of the network. When a user hits Pulse Secure, it should redirect the traffic to F5, which is connected next to the Pulse Secure, and F5, after receiving that packet, should forward it to ISE, where F5 needs to act as a RADIUS PROXY. "(radius call from UAC through F5 to ISE ) . (F5 acting as a radius proxy)". Is this information good, or do I need to provide much more?

Regards,

MT

OK, BIG-IP will act as a RADIUS proxy with a virtual server - you can decode RADIUS messages if you add a RADIUS profile to it and use RADIUS iRule commands such as RADIUS::avp. If you don't need to do decoding then you can just use a layer 4 virtual server.

Hi Pete,

Appreciate your response. As I am pretty new to F5, do you have any procedure steps or reference documents which I can follow? Please share them; that would be really helpful to me. Thanks.

MT

Also, I have a quick question on this. When it received the RADIUS request from UAC (Pulse), injected the additional attributes with iRule, and forwarded to ISE for processing. The additional attributes which we are looking for are pasted below.

Calling-Station-ID (tracks individual client by MAC or IP address) >> Could be made equal to Tunnel-Client-Endpoint Value.

User-Name (tracks remote client by login name) >> Already present.

NAS-Port-Type (helps to determine connection type as VPN) >> Missing.

RADIUS Accounting Start (triggers official start of session) >> This is already present with Framed-ip-address.

We are concerned about "NAS-port-Type and Radius Accounting Start- Missing Framed IP-address."
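
The AVP changes discussed in this thread, shown at the packet level as an added example (Python, not an iRule and not code from any poster or from F5): it appends NAS-Port-Type and derives Calling-Station-Id from Tunnel-Client-Endpoint in an Accounting-Request, then recomputes the RFC 2866 Request Authenticator, which covers the attributes and would otherwise no longer verify. The shared secret, addresses and user name are constructed, and the packet is assumed to carry no Message-Authenticator attribute.

```python
import hashlib, hmac, struct

# Attribute and packet codes from RFC 2865, RFC 2866 and RFC 2868
CALLING_STATION_ID, NAS_PORT_TYPE, TUNNEL_CLIENT_ENDPOINT = 31, 61, 66
NAS_PORT_TYPE_VIRTUAL = 5   # "Virtual", the value used for VPN sessions
ACCOUNTING_REQUEST = 4

def parse_avps(packet):
    length = min(struct.unpack("!H", packet[2:4])[0], len(packet))
    avps, pos = [], 20   # attributes follow the 20-byte header
    while pos < length:
        a_len = packet[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return avps

def build_accounting_request(identifier, avps, secret):
    # RFC 2866: authenticator = MD5(code+id+length + 16 zero octets + attrs + secret)
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify_accounting_request(packet, secret):
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def inject_avps(packet, secret):
    """Add the missing AVPs, then re-sign so the next hop accepts the packet."""
    if packet[0] != ACCOUNTING_REQUEST or not verify_accounting_request(packet, secret):
        raise ValueError("not a valid Accounting-Request for this secret")
    avps = parse_avps(packet)
    present = {t for t, _ in avps}
    if NAS_PORT_TYPE not in present:
        avps.append((NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    endpoint = next((v for t, v in avps if t == TUNNEL_CLIENT_ENDPOINT), b"")
    # RFC 2868: a first octet of 0x1F or less is a tag, not part of the address
    address = endpoint[1:] if endpoint and endpoint[0] <= 0x1F else endpoint
    if CALLING_STATION_ID not in present and address:
        avps.append((CALLING_STATION_ID, address))
    return build_accounting_request(packet[1], avps, secret)

# Constructed sample (made-up values): User-Name, Acct-Status-Type=Start,
# Framed-IP-Address and a tagged Tunnel-Client-Endpoint
SECRET = b"constructed-shared-secret"
SAMPLE = build_accounting_request(7, [(1, b"vpnuser"), (40, struct.pack("!I", 1)),
    (8, bytes([10, 0, 0, 25])), (TUNNEL_CLIENT_ENDPOINT, b"\x00" + b"198.51.100.7")], SECRET)
PATCHED = inject_avps(SAMPLE, SECRET)
```

Splicing an attribute into the packet without re-signing leaves the original authenticator in place, and a RADIUS server checking it will reject the request.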