
APM with F5 2000S

Hi Guys,

I have created an access policy that invokes RADIUS authentication for any user coming from the internet. I have also added in that policy that it should not invoke any authentication when users are coming from a subnet, let's say 192.168.x.x.

The part which is not working is when users are coming from 192.168.x.x. In the logs I see "Rule evaluation with error" and it prompts for RADIUS authentication.

The policy for excluding the subnet is: expr { [IP::addr [mcget {session.user.clientip}] equals "192.168.0.0/16"] }

Any suggestions on where I am going wrong?

Saurav

0

Answers to this Question


Where did you use your code? Could you show the policy?

You could try the IP with the quotes. Beyond that nothing stands out a lot, I usually just try part by part until it works :)

1

Try using a rule:

when ACCESS_SESSION_STARTED {
    if { [IP::addr [ACCESS::session data get session.user.clientip] equals 192.168.0.0/16] } {
        ACCESS::session data set session.user.radiusbypass 1
    }
}

Then in VPE:

expr { [mcget {session.user.radiusbypass}] == 1 }
0
Comments on this Answer
Comment made 14-Dec-2017 by brad 376

Why complicate this with an iRule? Can't this all be checked in VPE? APM already has the client IP in the session variables as session.user.clientip. Seems there should be the ability to match the subnet within VPE. I'll be trying to work it that way.

I found I could do this just fine without an iRule to evaluate, in VPE:

expr {!( [IP::addr [mcget {session.user.clientip}] equals 192.168.0.0/16] )}

This matches if your IP is not in that subnet. It can work either way, and it seems that you can put quotes around the subnet and it works too. Not sure what the best syntax is, with or without the quotes.

0
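
The thread's failure mode is a subnet comparison that errors out during evaluation. The iRule below is an added example, not code from any poster in this thread: it is a variant of the iRule answer that writes an explicit default of 0 before the comparison and wraps the comparison in `catch`, so an evaluation error leaves the user on the RADIUS branch and is logged. It assumes the same event, session variables and subnet shown above; the log message wording is constructed.

```tcl
when ACCESS_SESSION_STARTED {
    # Default: RADIUS is required. Only a successful, positive subnet
    # match below changes this, so any error keeps authentication on.
    ACCESS::session data set session.user.radiusbypass 0

    set clientip [ACCESS::session data get session.user.clientip]

    # catch returns non-zero if IP::addr raises an error (for example an
    # empty or malformed address); otherwise $matched holds 1 or 0.
    if { [catch { IP::addr $clientip equals 192.168.0.0/16 } matched] } {
        # Constructed log text; $matched holds the Tcl error message here.
        log local0.warning "radiusbypass: subnet check failed for '$clientip': $matched"
    } elseif { $matched } {
        ACCESS::session data set session.user.radiusbypass 1
    }
}
```

The VPE branch expression from the iRule answer, `expr { [mcget {session.user.radiusbypass}] == 1 }`, is used unchanged with this variant.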