teknet7_237497
Hi Stephan,
OK, I have made several more tests. I have one VS for both RADIUS Authentication and Accounting. iRule for that:
rule for RADIUS authentication udp/1812
when LB_SELECTED {
    # remember the pool member the load balancer chose, keyed by Calling-Station-Id (AVP 31)
    session add uie "persist:[RADIUS::avp 31]" [LB::server addr]
    log local0. "session table entry added: persist:[RADIUS::avp 31] -> [LB::server addr]"
}
rule for RADIUS accounting udp/1813
when CLIENT_DATA {
    # look up the member chosen at authentication time, using the same key as the add above
    set member [session lookup uie "persist:[RADIUS::avp 31]"]
    log local0. "session table lookup result: $member"
    if { $member ne "" } {
        log local0. "lookup match: $member"
        node $member
        # second entry keyed by Framed-IP-Address (AVP 8), mapping to the sending RADIUS client
        session add uie "persist:[RADIUS::avp 8]" [IP::remote_addr]
        log local0. "session table entry added: persist:[RADIUS::avp 8] -> [IP::remote_addr]"
    }
}
When I send a RADIUS Authentication packet I get the logs:
session table entry added:
session table lookup result: 172.16.34.100
It looks like the session is never created; when trying:
root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys connection
Really display all connections? (y/n) y
Sys::Connections
172.16.34.102:35200 172.16.34.100:8 172.16.34.102:35200 172.16.34.100:8 icmp 1 (tmm: 0) none
172.16.34.102:32148 172.16.34.100:8 172.16.34.102:32148 172.16.34.100:8 icmp 6 (tmm: 0) none
172.16.34.102:42463 172.16.34.101:8 172.16.34.102:42463 172.16.34.101:8 icmp 5 (tmm: 1) none
172.16.34.102:57314 172.16.34.101:8 172.16.34.102:57314 172.16.34.101:8 icmp 10 (tmm: 0) none
Total records returned: 4
root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)
I only see ICMP connections, which are the result of monitoring (probes). My persistence looks like:
root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos) show /ltm persistence persist-records
Sys::Persistent Connections
hash 0 172.16.33.103:any 172.16.34.100:any (tmm: 0)
Total records returned: 1
Why is the session never created? And how can I display/monitor that?
Also, how can I differentiate accounting from authentication in CLIENT_DATA (I would like to search for framed-ip-addr only for accounting packets)?
Thanks, Michal
Dec 20, 2015
Hi Michal,
I don't know a way of dumping the table created by the session command. As far as I know it is separate from the persistence table and the connection table. That's why the related commands do not return the expected results.
For the first step I would recommend to extend the log statement in context of the RADIUS accounting message to the following:
log local0. "session table lookup result for calling station ID of [RADIUS::avp 31]: [session lookup uie "persist:[RADIUS::avp 31]"]"
This way you can be sure the RADIUS client is using the same calling station ID of 11:11:11:11:11:11 as in your example.
Looking up the "session" table via iRule is the only way I am aware of.
For an analysis of your environment-specific traffic patterns I would recommend running a tcpdump while having only a single pool member enabled (this way you prevent wrong return values due to failing persistence):
tcpdump -i 0.0:nnnp -s 0 -c 1000 -w /shared/radius-001.cap 'port 1812 or port 1813'
To differentiate between RADIUS authentication and accounting you can use the return value of [RADIUS::code] in your iRule.
1=access request
2=access accept
3=access reject
4=accounting request
5=accounting response
Thanks, Stephan
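The following is an added example and not code from either post or from F5: since the iRule session table cannot be dumped from tmsh, it models the same logic in plain Python so the keying can be checked offline. It parses a RADIUS header and its AVPs, dispatches on the packet code values Stephan lists, stores the member chosen for an Access-Request under the Calling-Station-Id (AVP 31) key, and returns that member for a later Accounting-Request with the same key. The packets, the zero authenticator, the pool member address and the `SessionTable` class are all constructed here for illustration; a real BIG-IP does this inside the `session add`/`session lookup` commands.

```python
import struct

# RADIUS packet codes (RFC 2865/2866); these are the values listed in the reply above.
RADIUS_CODES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    5: "Accounting-Response",
}
ATTR_FRAMED_IP_ADDRESS = 8     # the AVP the iRule calls [RADIUS::avp 8]
ATTR_CALLING_STATION_ID = 31   # the AVP the iRule calls [RADIUS::avp 31]


def build_radius(code, ident, avps):
    """Constructed test packet: code(1) id(1) length(2) authenticator(16) then AVPs.
    The authenticator is zeroed; it is irrelevant for the persistence logic shown here."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


def parse_radius(pkt):
    """Return (code, identifier, {attr_type: value_bytes}).
    Length fields are checked so a truncated or malformed datagram raises instead of
    being persisted on a garbage key."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    avps = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad AVP length")
        avps[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, avps


class SessionTable:
    """Hypothetical stand-in for the iRule session table (assumption: one key -> one member)."""

    def __init__(self):
        self.entries = {}

    def handle(self, pkt, selected_server=None):
        """Mirror the two iRules: Access-Request adds persist:<Calling-Station-Id> -> member,
        Accounting-Request looks the same key up. Returns (action, member)."""
        code, _, avps = parse_radius(pkt)
        csid = avps.get(ATTR_CALLING_STATION_ID)
        if csid is None:
            return ("no-calling-station-id", None)
        key = "persist:" + csid.decode("ascii", "replace")
        if code == 1:   # Access-Request: LB_SELECTED would fire, remember the chosen member
            self.entries[key] = selected_server
            return ("added", selected_server)
        if code == 4:   # Accounting-Request: CLIENT_DATA would fire, reuse the member
            return ("lookup", self.entries.get(key))
        return ("ignored", RADIUS_CODES.get(code, "unknown"))


def demo():
    """Walk through an auth packet followed by an accounting packet for the same station."""
    table = SessionTable()
    csid = b"11:11:11:11:11:11"                     # constructed, matches the thread's example
    auth = build_radius(1, 7, [(ATTR_CALLING_STATION_ID, csid)])
    acct = build_radius(4, 8, [(ATTR_CALLING_STATION_ID, csid),
                               (ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5]))])
    first = table.handle(auth, selected_server="172.16.34.100")   # constructed member address
    second = table.handle(acct)
    return first, second


if __name__ == "__main__":
    print(demo())
```

Running it prints `(('added', '172.16.34.100'), ('lookup', '172.16.34.100'))`, which is the behaviour the accounting iRule relies on: the lookup only succeeds because both packets carry the same Calling-Station-Id, so a mismatch in that attribute between a NAS's authentication and accounting traffic is the first thing to check when the lookup comes back empty.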