ebeng_278441
Jan 26, 2017

APM: MAC Address filtering not working

Hi all,

I tried to add the following, with the following tutorial: APM PRE DEFINED MAC LIST

On the iPhone as well as a laptop, I can see that there is NO MAC address assigned to the variable $mac. I checked this with:

log local0. "this is the mac-address of device $mac"

Then I also tried to add it like this, without the Machine Info first. When I saw that the iRule event wasn't getting a MAC again(!), I added the Machine Info. But it seems that APM gives an error there when Machine Info is used and goes directly to fallback on the iPhone, while on Windows the Machine Info works like a charm:

When the iPhone tries to connect:

Following rule 'fallback' from item 'Machine Info' to ending 'Deny'

When Windows tries to connect:

Following rule 'fallback' from item 'iRule Event' to ending 'Deny'

Also, I checked if there was any MAC captured, but no MAC.

Jan 26 19:06:28 bigip1 info tmm1[19591]: Rule /Common/Access_Policy_irule : IRULE is HIT
Jan 26 19:06:28 bigip1 info tmm1[19591]: Rule /Common/Access_Policy_irule : This is the captured MAC-ADDRESSEN : 1: 2: 3:

I still could not connect with the VPN, so I added another branch rule (nr 4 in pic) on the iRule event with the following things:

caption "Branch Rule 4"
    expression "expr { 
        [mcget {session.machine_info.last.net_adapter.list.[0].mac_address}] == \"24:77:03:xx:xx:xx\" || 
        [mcget {session.machine_info.last.net_adapter.list.[0].mac_address}] == \"70:70:0D:xx:xx:xx\" || 
        [mcget {session.machine_info.last.net_adapter.list.[1].mac_address}] == \"70:70:0D:xx:xx:xx\" || 
        [mcget {session.machine_info.last.net_adapter.list.[1].mac_address}] == \"24:77:03:xx:xx:xx\" }"

Just to be sure to check the MAC on the first or second interface.

caption "Succes MAC"  
    expression "expr { 
        [mcget {session.logon.custom.chkmac}] == 1 }"

And this did work to connect with the Windows machine to F5!!! Also it could capture all 3 MAC addresses on the DEVICE!!!!!!!!!!

Jan 26 19:19:43 bigip1 info tmm[19591]: Rule /Common/Access_Policy_irule : IRULE is HIT
Jan 26 19:19:43 bigip1 info tmm[19591]: Rule /Common/Access_Policy_irule : This is the captured MAC-ADDRESSEN : 1:24:77:03:xx:xx:xx 2:B4:B5:2F:xx:xx:xx 3:B4:B5:2F:xx:xx:xx

I tried deleting the Machine Info and then tried with Windows; it doesn't work then. I was guessing that maybe skipping the Machine Info would help to connect with the iPhone.

Question 1

What I can't understand is why the previous one with the expression chkmac wasn't working? Why did the iRule capture when I had the branch rule 4 added to it, and not before???

Question 2

Why is the machine info not getting any mac address of the iPhone?

The virtual server is being assigned to use the iRule, because we can see that it is logging that the iRule is being hit.

when ACCESS_POLICY_AGENT_EVENT {
   log local0. "IRULE is HIT"
   if { [ACCESS::policy agent_id] eq "chkmac" } {
      set mac1 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[0\].mac_address"]
      set mac2 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[1\].mac_address"]
      set mac3 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[2\].mac_address"]
      log local0. "This is the captured MAC-ADDRESSEN : 1:$mac1 2:$mac2 3:$mac3"
      if { [class match $mac1 equals MAC-ADDRESSEN ] 
          or [class match $mac2 equals MAC-ADDRESSEN]
          or [class match $mac3 equals MAC-ADDRESSEN]
      } {
         ACCESS::session data set "session.logon.custom.chkmac" 1
      } else {
         ACCESS::session data set "session.logon.custom.chkmac" 0
      }
   }
}

This is the data-group with MAC addresses:

ltm data-group internal MAC-ADDRESSEN {
    records {
        24:77:03:xx:xx:xx, { }
        70:70:0D:xx:xx:xx { }
    }
    type string
}

Also, at the end I built it like this:

iruleEvent with "chkmac" ID

MAC check with the 'branch rules4' and a 'Succes' for if chkmac is 1
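
Added example, not part of the original post: a Python script that replays the iRule's chkmac decision over the two capture lines quoted above, separating a run where all three session variables were empty from one where a captured MAC is simply not in the data group. The function names, the verdict labels and the case-mismatch hint are assumptions of this example; the allow-list mirrors the MAC-ADDRESSEN data group as posted.

```python
import re

# Constructed sample: the two capture lines quoted in the post, with the
# MAC octets left redacted as "xx" exactly as they appear on the page.
SAMPLE_LOG = """\
Jan 26 19:06:28 bigip1 info tmm1[19591]: Rule /Common/Access_Policy_irule : This is the captured MAC-ADDRESSEN : 1: 2: 3:
Jan 26 19:19:43 bigip1 info tmm[19591]: Rule /Common/Access_Policy_irule : This is the captured MAC-ADDRESSEN : 1:24:77:03:xx:xx:xx 2:B4:B5:2F:xx:xx:xx 3:B4:B5:2F:xx:xx:xx
"""

# Keys of the MAC-ADDRESSEN data group as posted.
ALLOWED = {"24:77:03:xx:xx:xx", "70:70:0D:xx:xx:xx"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*captured MAC-ADDRESSEN : "
    r"1:(?P<m1>\S*) 2:(?P<m2>\S*) 3:(?P<m3>\S*)\s*$"
)


def classify(captured, allowed=ALLOWED):
    """Return (chkmac, verdict) for the MACs one iRule run logged."""
    if not captured:
        # All three session variables were empty when the iRule read them.
        return 0, "empty"
    if any(mac in allowed for mac in captured):
        # Exact string comparison, like "class match ... equals".
        return 1, "match"
    folded = {a.lower() for a in allowed}
    if any(mac.lower() in folded for mac in captured):
        # Hint only (assumption of this example): differs just by letter case.
        return 0, "case-mismatch"
    return 0, "no-match"


def triage(log_text, allowed=ALLOWED):
    """Return a list of (timestamp, captured MACs, chkmac, verdict)."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a capture line from the iRule
        captured = [m.group(k) for k in ("m1", "m2", "m3") if m.group(k)]
        chkmac, verdict = classify(captured, allowed)
        results.append((m.group("ts"), captured, chkmac, verdict))
    return results


if __name__ == "__main__":
    for ts, captured, chkmac, verdict in triage(SAMPLE_LOG):
        print(f"{ts}  chkmac={chkmac}  {verdict:<13}  {captured}")
```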
