Radius Accounting Interim Update
Problem this snippet solves:
This iRule generates a Radius Accounting logging event with the status-type of Interim-Update when a user establishes a VPN Tunnel with APM.
How to use this snippet:
Apply this iRule to the HTTPS virtual that has the APM Profile applied to it that you want to generate Radius Accounting events for.
Code :
###################################################################### ## ## See the RFC page for additional information on Accounting-Request ## http://tools.ietf.org/html/rfc2866#section-4 ## ###################################################################### when HTTP_REQUEST { ## Check to see if the user is currently authenticated ## If the HTTP path starts with /isession than most of the time ## the user is trying to initiate a Network Access tunnel if { [ACCESS::policy result] eq "allow" && [HTTP::path] eq "/isession"} { ## Wait a little bit so the variable can be populated after 1000 -periodic { ## If the variable was populated than generate the Radius message if {[ACCESS::session data get session.assigned.clientip] ne ""}{ after cancel -current ## Since the iRule doesn't have access to the AAA radius section ## the variables need to be populated with the correct information set __secret"123" set __destination"1.1.1.1" set __port"1813" ## set __code[format %02x 4] set __id[format %02x [expr { int(255 * rand()) }]] ## Accounting Session ID set NA_SessionID[ACCESS::session data get session.user.sessionid] binary scan $NA_SessionID H* __sid set __asiLENGTH[expr {[string length $__sid] /2 + 2}] set __asi[format %02x 44][format %02x $__asiLENGTH]$__sid ## Accounting Status Type set __ast[format %02x 40][format %02x 6][format %08x 3] ## Accounting Authentication set __aa[format %02x 45][format %02x 6][format %08x 1] ## Service Type set __st[format %02x 06][format %02x 6][format %08x 8] ## NAS Port set __np[format %02x 05][format %02x 6][format %08x 0] ## Tunnel Client Endpoint binary scan [IP::client_addr] H* __cip set __tceLENGTH[expr {[string length $__cip] /2 + 2}] set __tce[format %02x 66][format %02x $__tceLENGTH]$__cip ## User-Name set NA_UserName[ACCESS::session data get session.logon.last.username] binary scan $NA_UserName H* __username set __unLENGTH[expr {[string length $__username] /2 + 2}] set __un[format %02x 1][format %02x $__unLENGTH]$__username ## Framed-IP-Address set NA_ClientIP[ACCESS::session data get session.assigned.clientip] scan $NA_ClientIP %d.%d.%d.%d t__ip1 t__ip2 t__ip3 t__ip4 set __vpn[format %02x $t__ip1][format %02x $t__ip2][format %02x $t__ip3][format %02x $t__ip4] set __fiaLENGTH[expr {[string length $__vpn] /2 + 2}] set __fia[format %02x 8][format %02x $__fiaLENGTH]$__vpn ## Combine the attributes above into a single string set __attributes${__asi}${__ast}${__aa}${__st}${__np}${__tce}${__un}${__fia} ## Calculate the lenght of the attribute string and then device by 2 to get octet count set __attributesL[expr {[string length $__attributes]/2}] ## Combine the attributes length with the radius header length set __length[expr {$__attributesL + 20}] ## The length value needs to be stored in HEX when the MD5 attribute is calculated set __length_HEX[format %04x $__length] ## The Request Authenticator field contatins 16 zero octets set __zero [format %032x 0] ## Generate the Request Authenticator value set __md5_auth [md5 [binary format H* ${__code}${__id}${__length_HEX}${__zero}${__attributes}]${__secret}] ## Convert the MD5 value into binary binary scan $__md5_auth H* __auth ## Populate the Radius Information set __radiusPayload[binary format cH2SH32H* $__code $__id $__length $__auth $__attributes] ## Create the sideband connection and send the data set sb_conn[connect -protocol UDP -timeout 100 -idle 30 -status conn_status $__destination:$__port] set sb_send[send -timeout 100 -status send_status $sb_conn $__radiusPayload] set sb_recv [recv -peek -status peek_status -timeout 1000 $sb_conn] ## After the data is sent close the connection close $sb_conn } } } }
Published Oct 06, 2015
Version 1.0