Forum Discussion
Auth_Status and Persist
1) I have PoolK and PoolF, and the default pool has to be PoolK
2) The first client request always goes to PoolK
3) Check if the client has been authenticated to PoolK using the Auth_status command; if YES, persist always on PoolK
4) Check if the client has been authenticated using Auth_status; if NO, send it to PoolF and persist there.
What kind of auth profile is recommended for HTTP traffic?
Is it better to have this check in HTTP_REQUEST or HTTP_RESPONSE?
Could you please help me write the iRule? Thanks
20 Replies
- Kevin_Stewart
Employee
The AUTH::status command is only used for Advanced Client Authentication feature functions, which would have been OCSP, CRLDP, LDAP, TACACS, RADIUS, and Kerberos in the old ACA module, and now just OCSP and CRLDP. There is some very basic auth stuff in the HTTP profile (no pun intended), but that's not addressed with AUTH:: commands. There are at least TWO solutions to your requirement, however:
1. The Access Policy Manager (APM) module - has built-in support for various HTTP auth methods, as well as all of the old ACA auth functions. This module would make your implementation fairly easy.
2. A fairly elaborate iRule - we'd need more information to work from if this is your only option.
- navgup_66025
Nimbostratus
Thanks for your inputs. APM requires more cost-benefit analysis in our env. I see some hope with uie persistence.
There are two pools in the picture here, PoolF and PoolK. Here is what is currently happening: the VIP is configured with PoolF as the default pool, cookie persistence enabled at the VIP, and the following iRule:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "/nad" } {
        pool PoolK
    }
}
when HTTP_RESPONSE {
    if { [HTTP::status] == 401 and [HTTP::cookie exists "PD-S-SESSION-ID-PROD2"] } {
        HTTP::respond 302 Location "https://portal1.net/" "Set-Cookie" "F5-redirect-nad"
    }
}
The user opens IE and types https://portal1.net/nad; PoolK is selected and the cookie PD-S-SESSION-ID-PROD2 is sent to the client with the 401. HTTP_RESPONSE sees it and redirects, replacing the URI /nad with /.
At this point, I want the next or any future HTTP_REQUEST from this client to persist on PoolK (because I am already authorized), but instead it is falling back to the default PoolF and breaking my page because /nad is not in the URI.
Would persist add uie help along with cookie persistence, or do I really need cookie persistence? Will uie do the work? I have been looking into sol7392 but don't know yet how to utilize it to keep persistence going for PoolK.
- nitass
Employee
At this point, I want the next or any future HTTP_REQUEST from this client to persist on PoolK (because I am already authorized), but instead it is falling back to the default PoolF and breaking my page because /nad is not in the URI.
In HTTP_REQUEST, may we check if the bigip cookie exists? If yes, we just direct the request to PoolK. Anyway, since you modify the response using HTTP::respond, you may have to include the bigip cookie in the response.
e.g.
[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool PoolF
   destination 172.28.19.252:80
   ip protocol 6
   rules myrule
   persist cookie
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config b pool PoolF list
pool PoolF {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config b pool PoolK list
pool PoolK {
   members {
      200.200.200.101:80 {}
      200.200.200.111:80 {}
   }
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when HTTP_REQUEST {
      set host [HTTP::host]
      set uri [HTTP::uri]
      set ckkval [HTTP::cookie value BIGipServerPoolK]
      set ckfval [HTTP::cookie value BIGipServerPoolF]
      if { $uri contains "/nad" or [HTTP::cookie exists BIGipServerPoolK] } {
         pool PoolK
      }
   }
   when HTTP_RESPONSE {
      log local0. "host: $host uri: $uri cookie: BIGipServerPoolK=$ckkval BIGipServerPoolF=$ckfval pool: [LB::server pool] node: [LB::server addr] status: [HTTP::status]"
      if { [HTTP::status] == 404 and [LB::server pool] equals "PoolK" } {
         HTTP::respond 302 noserver Location "http://$host" "Set-Cookie" "BIGipServer[LB::server pool]=[HTTP::cookie BIGipServer[LB::server pool]]; path=/"
      }
   }
}
test
[root@ve10:Active] config tail -f /var/log/ltm
----- browse http://172.28.19.252/ -----
Aug 10 11:06:39 local/tmm info tmm[4873]: Rule myrule : host: 172.28.19.252 uri: / cookie: BIGipServerPoolK= BIGipServerPoolF= pool: PoolF node: 200.200.200.101 status: 200
Aug 10 11:06:39 local/tmm info tmm[4873]: Rule myrule : host: 172.28.19.252 uri: /f5.gif cookie: BIGipServerPoolK= BIGipServerPoolF=1707657416.20480.0000 pool: PoolF node: 200.200.200.101 status: 200
Aug 10 11:06:39 local/tmm info tmm[4873]: Rule myrule : host: 172.28.19.252 uri: /favicon.ico cookie: BIGipServerPoolK= BIGipServerPoolF=1707657416.20480.0000 pool: PoolF node: 200.200.200.101 status: 404
----- browse http://172.28.19.252/nad -----
Aug 10 11:07:08 local/tmm info tmm[4873]: Rule myrule : host: 172.28.19.252 uri: /nad cookie: BIGipServerPoolK= BIGipServerPoolF= pool: PoolK node: 200.200.200.101 status: 404
Aug 10 11:07:08 local/tmm info tmm[4873]: Rule myrule : host: 172.28.19.252 uri: / cookie: BIGipServerPoolK=1707657416.20480.0000 BIGipServerPoolF= pool: PoolK node: 200.200.200.101 status: 200
Aug 10 11:07:08 local/tmm info tmm[4873]: Rule myrule : host: 172.28.19.252 uri: /f5.gif cookie: BIGipServerPoolK=1707657416.20480.0000 BIGipServerPoolF= pool: PoolK node: 200.200.200.101 status: 200
Aug 10 11:07:08 local/tmm info tmm[4873]: Rule myrule : host: 172.28.19.252 uri: /favicon.ico cookie: BIGipServerPoolK=1707657416.20480.0000 BIGipServerPoolF= pool: PoolK node: 200.200.200.101 status: 404
Aug 10 11:07:08 local/tmm info tmm[4873]: Rule myrule : host: 172.28.19.252 uri: / cookie: BIGipServerPoolK= BIGipServerPoolF= pool: PoolK node: 200.200.200.101 status: 304
- navgup_66025
Nimbostratus
I used the code provided but the page never loads, and with Fiddler I checked: it is stuck on this code line and never goes forward.
>>>> HTTP::respond 302 Location "http://portal.net" "Set-Cookie" "BIGipServer[LB::server pool]=[HTTP::cookie BIGipServer[LB::server pool]]" <<<<<
It looks like it cannot make a determination on the redirect 302 request which pool to send the request to???
Here is the code based on your sample (PoolK = TAM_WEBSEAL_POOLKERB_PR443):
when HTTP_REQUEST {
    set host [HTTP::host]
    set uri [HTTP::uri]
    set ckkval [HTTP::cookie value BIGipServerTAM_WEBSEAL_POOLKERB_PR443]
    set ckfval [HTTP::cookie value BIGipServerTAM_WEBSEAL_POOLFORM_PR443]
    if { $uri contains "/nad" or [HTTP::cookie exists BIGipServerTAM_WEBSEAL_POOLKERB_PR443] } {
        log local0. "SSO5: Sending req to Kerb pool"
        pool TAM_WEBSEAL_POOLKERB_PR443
    }
}
when HTTP_RESPONSE {
    log local0. "host: $host uri: $uri cookie: BIGipServerTAM_WEBSEAL_POOLKERB_PR443=$ckkval BIGipServerTAM_WEBSEAL_POOLFORM_PR443=$ckfval pool: [LB::server pool] node: [LB::server addr] status: [HTTP::status]"
    if { [HTTP::status] == 401 and [LB::server pool] equals "TAM_WEBSEAL_POOLKERB_PR443" } {
        log local0. "SSO5: Redirecting and replacing url"
        log local0. "BIGipServer[LB::server pool]=[HTTP::cookie BIGipServer[LB::server pool]]"
        HTTP::respond 302 Location "http://portal.net" "Set-Cookie" "BIGipServer[LB::server pool]=[HTTP::cookie BIGipServer[LB::server pool]]"
    }
}
FROM LOGS:
Sat Aug 10 01:11:30 EDT 2013 debug local/tmm1 tmm1[5055] 01220003 Virtual JENIE_WEBSEAL_ADTEST__https_virtual_server - Updated rule SSO5 when priority 32768000
Sat Aug 10 01:12:28 EDT 2013 info local/tmm1 tmm1[5055] Rule SSO5 : SSO5: Sending req to Kerb pool
Sat Aug 10 01:12:28 EDT 2013 info local/tmm1 tmm1[5055] Rule SSO5 : host: jenie.ao.dcn uri: /nad cookie: BIGipServerTAM_WEBSEAL_POOLKERB_PR443= BIGipServerTAM_WEBSEAL_POOLFORM_PR443= pool: TAM_WEBSEAL_POOLKERB_PR443 node: 156.119.71.187 status: 401
Sat Aug 10 01:12:28 EDT 2013 info local/tmm1 tmm1[5055] Rule SSO5 : SSO5: Redirecting and replacing url
Sat Aug 10 01:12:28 EDT 2013 info local/tmm1 tmm1[5055] Rule SSO5 : BIGipServerTAM_WEBSEAL_POOLKERB_PR443=3142023068.47873.0000
---------- last line in the log -------
- navgup_66025
Nimbostratus
Regarding your question:
In HTTP_REQUEST, may we check if the bigip cookie exists? If yes, we just direct the request to PoolK. Anyway, since you modify the response using HTTP::respond, you may have to include the bigip cookie in the response.
Answer: I think it is the only way to make sure the following requests go to PoolK. Also it looks like it is able to modify the HTTP::respond but not forward the page there; it seems like it is stuck and after some time it gives a page error.
- nitass
Employee
Answer: I think it is the only way to make sure the following requests go to PoolK. Also it looks like it is able to modify the HTTP::respond but not forward the page there; it seems like it is stuck and after some time it gives a page error.
Did the browser not follow the redirection (i.e. send a new request to http://portal.net)? Or did it send it but BIG-IP did not process it properly? Have you run tcpdump on BIG-IP to see whether BIG-IP receives the redirection?
- Kevin_Stewart
Employee
I think the bigger issues are this:
1. When the server sends back a 401, presumably to request authentication, you're immediately changing that to a 302 redirect. I don't suspect you're getting prompted for authentication??
2. If you let the 401 through to the client (don't do the redirect), then you should only need to check for the existence of the "PD-S-SESSION-ID-PROD2" cookie (sent in the 401) on each future request to send traffic back to poolK. So perhaps something like this:
when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] starts_with "/nad" ) or ( [HTTP::cookie exists PD-S-SESSION-ID-PROD2] ) } {
        pool poolK
    }
}
You would also want to enable a OneConnect profile and (simple) cookie persistence.
- navgup_66025
Nimbostratus
when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] starts_with "/nad" ) or ( [HTTP::cookie exists PD-S-SESSION-ID-PROD2] ) } {
        pool poolK
    }
}
This cookie PD-S-SESSION-ID-PROD2 is common between PoolK and PoolF... therefore if I have OR between the two conditions, it would take me to PoolK when it should go to PoolF.
It looks like the browser did follow the redirection but F5 did not process the request properly because it doesn't know what to do. Can I upload the Fiddler data?
- Kevin_Stewart
Employee
Please do. The goal of catching the PD-S-SESSION-ID-PROD2 cookie was based on the assumption that it was being set in the 401 from the PoolK member.
if { [HTTP::status] == 401 and [HTTP::cookie exists "PD-S-SESSION-ID-PROD2"]} {
A cookie would only exist in a response message if it was a Set-Cookie. Given that, I think you now need something other than the presence of this cookie in the request to indicate that auth is happening or has happened. Is there something else that the poolK server sets or sends to indicate that auth is happening/successful?
- navgup_66025
Nimbostratus
I know that once the client is authenticated to PoolK, it has an Authorization header whose value starts with "Negotiate YII".
See the Fiddler data when it authenticates successfully, but as I mentioned, after this iRule that stopped working.
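Putting the thread's pieces together, as an added example that is not code from the original posts or from F5: an iRule that sends a request to PoolK when the URI starts with /nad, when the BIGipServerPoolK persistence cookie is present, or when the Authorization header begins with "Negotiate" (the signal navgup described), leaves the 401 challenge untouched so the browser can answer it (Kevin's point), and sends everything else to PoolF. Pool names, the cookie name and the "Negotiate" prefix come from the thread; the log text is an assumption.

```tcl
when HTTP_REQUEST {
    # Case-insensitive URI check, as in Kevin's snippet
    set uri [string tolower [HTTP::uri]]

    # Three signals that this client belongs on PoolK:
    #  1. the entry point /nad
    #  2. the persistence cookie BIG-IP set for PoolK (cookie persistence profile,
    #     visible as BIGipServerPoolK in nitass's logs)
    #  3. an Authorization header carrying a SPNEGO/Kerberos token ("Negotiate ..."),
    #     which the browser only sends after it has seen PoolK's 401 challenge
    # The header is client-supplied, so this only picks a pool; it does not mean the
    # client is authenticated. PoolK still has to validate the token itself.
    if { ( $uri starts_with "/nad" ) or
         ( [HTTP::cookie exists "BIGipServerPoolK"] ) or
         ( [HTTP::header value "Authorization"] starts_with "Negotiate " ) } {
        pool PoolK
    } else {
        pool PoolF
    }
}

when HTTP_RESPONSE {
    # Let PoolK's 401 reach the client unchanged; rewriting it to a 302 (as in the
    # thread's first iRule) means the browser never completes the Negotiate handshake.
    if { [HTTP::status] == 401 and [LB::server pool] equals "PoolK" } {
        log local0. "PoolK challenge for [IP::client_addr] passed through unmodified"
    }
}
```

The BIGipServerPoolK cookie only appears once a cookie persistence profile is attached to the virtual server; without it, only the URI and Authorization checks apply.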