Forum Discussion
trying to call external web service to determine VPN access
Hi there. I know very little about the F5 APM as I've not yet attended training, so please forgive the potential naivety of this question. I would like to check with one of our web servers whether the MAC address of the connecting device is known to us. I have an ASP page that will return true or false when called with the MAC address.
I created this irule
```tcl
# This is the line that errors (see below); the Tcl http package is not available in iRules
package require http
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "our_policy" {
            set clientMAC [ACCESS::session data get session.client.mac_address]
            ACCESS::session data set session.custom.mac_from_lan 0
            # just used to test that this agent is firing
            ACCESS::session data set session.custom.TEMPclientmac $clientMAC
            set result [http::geturl "http://my.web.server/MacValid.asp?MacAddress=$clientMAC"]
            if { [http::data $result] == "TRUE" } {
                ACCESS::session data set session.custom.mac_from_lan 1
            }
        }
    }
}
```
but it errors on the "package require" line
I was hoping to call this irule from my access policy.
I suspect I can't use the tcl http routines? Is there a way I can do what I want? Basically I want to grant restricted access to machines we don't know about and full access to those we do.
thanks in advance
12 Replies
Bob,
First, your observation is correct - you cannot call out from the iRules using tcl http routines. We do have other ways of being able to do it - sideband connections - https://devcentral.f5.com/articles/v11-irules-intro-to-sideband-connections - but I don't think you will need to go that deep into the weeds.
Instead, I suggest you try to leverage APM's GUI-based HTTP AAA server capability. In essence, when you create it, you are going to be sending anything you want to an HTTP server and getting a response back, and making a decision based upon that response. That should be quite elegant and require no iRules. You would most likely need to do a custom POST action for your HTTP Auth AAA server that will validate your MAC address, and that should be sufficient.
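For readers who do want the iRule route the reply mentions, here is an added example (not code from the thread or from F5) of the same MAC check done with an iRule sideband connection instead of Tcl's http package. The backend IP and port (192.0.2.10:80, since sideband connect takes an address rather than a name), the MacValid.asp path, the TRUE/FALSE body, and the session.custom.mac_addr variable populated by an earlier Variable Assign are assumptions for illustration. Keep in mind that the MAC comes from the client-side machine info check, so it is reported by the endpoint and cannot be verified by the BIG-IP; treat it as a convenience signal for choosing an access level, not as authentication.

```tcl
# Added example: validate the client MAC against an external web service
# from an APM iRule using sideband connect/send/recv (iRules-native,
# unlike "package require http"). Host/port/path are assumptions.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "our_policy" } { return }

    # MAC reported by the APM machine info check, copied into a custom
    # variable by a Variable Assign item earlier in the policy (assumed)
    set mac [ACCESS::session data get "session.custom.mac_addr"]
    ACCESS::session data set "session.custom.mac_from_lan" 0

    # Refuse anything that is not a well-formed MAC before it goes into a URL
    if { ![regexp {^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$} $mac] } {
        log local0. "MAC check: malformed or empty MAC '$mac', treating as unknown"
        return
    }

    set server "192.0.2.10:80"        ;# assumed address of my.web.server
    set host   "my.web.server"        ;# name sent in the Host header
    set path   "/MacValid.asp?MacAddress=$mac"

    set conn [connect -timeout 1000 -idle 30 -status conn_status $server]
    if { $conn eq "" } {
        log local0. "MAC check: sideband connect to $server failed ($conn_status)"
        return
    }

    # HTTP/1.0 with Connection: close so the whole answer arrives unchunked
    set request "GET $path HTTP/1.0\r\nHost: $host\r\nUser-Agent: apm-mac-check\r\nConnection: close\r\n\r\n"
    set sent [send -timeout 1000 -status send_status $conn $request]
    if { $sent != [string length $request] } {
        log local0. "MAC check: send failed ($send_status)"
        close $conn
        return
    }

    set response [recv -timeout 1000 -status recv_status $conn]
    close $conn

    # Require a 200 and compare only the body, not the whole response
    if { ![regexp {^HTTP/1\.[01] 200 } $response] } {
        log local0. "MAC check: unexpected response: [string range $response 0 40]"
        return
    }
    set idx [string first "\r\n\r\n" $response]
    if { $idx < 0 } {
        log local0. "MAC check: no header/body separator in response"
        return
    }
    set body [string trim [string range $response [expr {$idx + 4}] end]]
    if { $body eq "TRUE" } {
        ACCESS::session data set "session.custom.mac_from_lan" 1
    }
}
```

Because every failure path leaves session.custom.mac_from_lan at 0, a timeout or an error from the web service degrades to the restricted-access branch rather than granting full access. A single recv can return a partial response on slow backends; if that happens in practice, loop on recv until the connection closes before parsing.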
- Bob_24115
Nimbostratus
Thanks. I think I'm pretty much there. The only thing I don't know how to do is to grab the MAC address from the client and put it as part of the form action string. Can anyone shed any light on that?
- Seth_Cooper
Employee
Hi Bob,
You will use the machine info check in the VPE...
Seth
Bob,
Also, are your clients directly attached to the same VLAN as the virtual server of APM? If not, Seth's suggestion is the only way to go.
- Bob_24115
Nimbostratus
Thanks for your help, guys, and apologies for the delay in replying (I've been away).
I have changed my web server to email me when it receives a request and although it seems to be going through the AAA server step, the website is not being contacted -
2014-10-20 09:26:54 Following rule 'Android' from item 'Client OS' to item 'Check MAC address'
2014-10-20 09:26:54 HTTP agent: ENTER Function executeInstance
2014-10-20 09:26:54 HTTP module: setHttpServerCfg(): server: /Common/check_MAC_address
2014-10-20 09:26:54 HTTP agent: LEAVE Function executeInstance
2014-10-20 09:26:54 Executed agent '/Common/nbi_policy_act_http_auth_ag', return value 0
2014-10-20 09:26:54 Following rule 'fallback' from item 'Check MAC address' to ending 'Deny'
Is there a way of turning on a more detailed log level or something to find out what's going on? I've already removed the MAC address element to turn the HTTP request into something that should just work.
I'm using a custom post. I've set:
Start URI = http://website.fq.dn (although I believe this field can be blank? Tried both)
Form action = http://website.fq.dn/infoserv/cgi-bin/computing/database/hardware/vpn/MacValid.asp?MacAddress=testing
Login detection = specific string in response
Match value = TRUE (the text my website returns)
Number of redirects = 0 (although tried 10)
Content type = URL encoded UTF-8
and nothing for the rest.
Any ideas? Thanks again.
- Bob_24115
Nimbostratus
This is getting ridiculous.
I've finally managed to set up an AAA server with an HTTP GET that works when I specify an absolute value. The URL I use is
http://server.full.name/infoserv/cgi-bin/computing/database/hardware/vpn/MacValid.asp?MacAddress=00:00:00:00:00:00
but when I change it to
http://server.full.name/infoserv/cgi-bin/computing/database/hardware/vpn/MacValid.asp?MacAddress=%{session.machine_info.net_adapter.list.[0].mac_address}
the session variable is NOT substituted but passed to our web server as-is.
AAAARGH!
Any ideas, anyone?
- Bob_24115
Nimbostratus
I'll answer this for anyone else that comes across it in the future.
It seems session variables cannot be put just anywhere. To make this work, I had to edit the web form to create a hidden field and then insert the MAC address as a hidden form parameter, using %{session.client.mac_address} as the session variable.
- Seth_Cooper
Employee
Hi Bob,
I was able to get this to work but had to make some changes to the way you are doing it.
First I created a simple PHP page to verify a MAC address and give output.
(Working on getting the PHP code uploaded, as I am getting an error... this shouldn't stop you from getting your stuff working.) This page is looking for "MacAddress" in the query string, as your example shows.
Now to the HTTP AAA config...
Authentication Type: Form Based
Form Method: GET
Form Action: http://full.server.name/mac_valid.php
Hidden Form Parameters/Values: MacAddress %{session.custom.mac_addr}
Successful Logon Detection Match Type: By Specific String In Response
Successful Logon Detection Match Value: the mac address is
I also made one other change... in the VPE, after the "Machine Info" and before the "HTTP Auth", I added a Variable Assign for the following:
session.custom.mac_addr = expr { [mcget {session.machine_info.last.net_adapter.list.[0].mac_address}] }
I have seen issues with using the array list in certain instances, so I forced it into a custom session variable.
In a GET request the form values are passed as query string objects instead of POST values. So this effectively does the same thing but allows the session variable to be passed in. I agree that the session variable should work on the "Form Action" line like you had it but unfortunately it doesn't appear to work that way.
Hope this helps!
Seth
- Seth_Cooper
Employee
```php
<?php
// Only the tail of this snippet survived the page; the opening lines are
// reconstructed from the behaviour described above (reads MacAddress from
// the query string and echoes a line containing "the mac address is").
if (isset($_GET['MacAddress']) && $_GET['MacAddress'] !== '') {
    // Escape the echoed value so a crafted MacAddress cannot inject markup
    echo "the mac address is " . htmlspecialchars($_GET['MacAddress']);
} else {
    echo "no mac addr ";
}
?>
```
- Bob_24115
Nimbostratus
Thanks Seth. I too found that session.machine_info.last.net_adapter.list.[0].mac_address didn't seem to work.
