Forum Discussion

ictjl
Sep 08, 2014

APM Data List for username validation

I'd like to use a data group list (string) to validate APM users and I'm having trouble with the iRule.

Basically I just want to see if DataGroupList_A contains session.logon.last.username. If so, then proceed down the VPE branch and if not, then fail.

The iRule code below isn't complete. Can anyone help me put the pieces together?

Data Group name = DataGroupList_A

    when ACCESS_POLICY_AGENT_EVENT {
        set user [ACCESS::session data get session.logon.last.username]
        if { [$user contains DataGroupList_A] } then {
            ACCESS::?
        }
    }


4 Replies

  • John_Alam_45640
    Historic F5 Account

    You should check for the agent id since you may call the agent from multiple places/branches within the VPE. The only way the iRule knows where the agent was called from is by inspecting the agent_id.

    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "time_to_inspect_username" } {
            set user [ACCESS::session data get session.logon.last.username]
            if { [class match $user equals DataGroupList_A] } {
                ACCESS::session data set session.logon.last.username_found_in_list 1
            } else {
                ACCESS::session data set session.logon.last.username_found_in_list 0
            }
        }
    }

    After the agent is called, you can use an Empty Agent to inspect the new variable session.logon.last.username_found_in_list and branch accordingly.

    To troubleshoot, view the session variables for an active session under Reports/sessions. Then drill down to the variable session.logon.last.username_found_in_list and see if it is being set properly.

    You can also add log commands to the iRule to send messages to /var/log/ltm.

    You can also add a message popup to the policy to view the variable ${session.logon.last.username_found_in_list}.

    HTH
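As an added example (not the poster's or F5's code) of the same agent check written to fail closed, the iRule below sets the result variable to 0 before the lookup, rejects an empty username, and normalizes case and an optional DOMAIN\ prefix before matching. It assumes the agent_id "time_to_inspect_username" and the string data group DataGroupList_A from the thread, and that the data group holds bare lowercase usernames (an assumption).

```tcl
# Added example, not the poster's code. Assumes agent_id "time_to_inspect_username"
# and string data group DataGroupList_A (from the thread), and that the data group
# stores bare usernames in lowercase (assumption).
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "time_to_inspect_username" } {
        return
    }

    # Fail closed: the variable is 0 unless the lookup below succeeds, so a
    # missing or empty username can never take the "found" branch in the VPE.
    ACCESS::session data set session.logon.last.username_found_in_list 0

    set user [ACCESS::session data get session.logon.last.username]
    if { $user eq "" } {
        log local0. "agent_id=[ACCESS::policy agent_id] no username in session; list check denied"
        return
    }

    # Normalize: drop an optional DOMAIN\ prefix, trim whitespace and lowercase,
    # so "CORP\Alice " and "alice" compare equal against the data group.
    set idx [string last "\\" $user]
    if { $idx >= 0 } {
        set user [string range $user [expr {$idx + 1}] end]
    }
    set user [string tolower [string trim $user]]

    if { [class match $user equals DataGroupList_A] } {
        ACCESS::session data set session.logon.last.username_found_in_list 1
    }

    # Audit the decision (username and result only; never log credentials).
    log local0. "agent_id=[ACCESS::policy agent_id] user=$user found=[ACCESS::session data get session.logon.last.username_found_in_list]"
}
```

The VPE Empty Agent branch rule then only needs to test whether session.logon.last.username_found_in_list equals 1; every other state, including an unmatched agent_id, ends on the fallback branch.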

  • John and Bash, thanks for the input. However, I'm not getting a value assigned to the session.logon.last.username_found_in_list variable yet. I created the message box (Note: use % instead of $ in front of the variable to show the value), but neither 1 nor 0 is returned.

    All additional suggestions are welcome.

  • John_Alam_45640
    Historic F5 Account

    Thanks for catching the mistake with displaying the variable, "%" instead of "$".

    Start by looking at the /var/log/ltm to make sure you don't have a syntax error in the iRule.

    Then check the agent_id. Does the agent_id you specified in the VPE for the IRULE_AGENT match the iRule "if" condition:

    if { [ACCESS::policy agent_id] eq "time_to_inspect_username" } {

    There are a couple of options for troubleshooting. You can define the variable before you scan the datagroup like this:

    when ACCESS_POLICY_AGENT_EVENT {
        ACCESS::session data set session.logon.last.username_found_in_list [ACCESS::policy agent_id]
        if { [ACCESS::policy agent_id] eq "time_to_inspect_username" } {
            set user [ACCESS::session data get session.logon.last.username]
            if { [class match $user equals DataGroupList_A] } {
                ACCESS::session data set session.logon.last.username_found_in_list 1
            } else {
                ACCESS::session data set session.logon.last.username_found_in_list 0
            }
        }
    }

    Now, check the variable in the message box again. If it is equal to the agent_id, you know that the first "if" is not matching and the agent_id is not recognized.

    Another option is to add log commands to the iRule and view the traces in the /var/log/ltm file.

    when ACCESS_POLICY_AGENT_EVENT {
        log local0. "Agent ID: [ACCESS::policy agent_id], Username: [ACCESS::session data get session.logon.last.username]"
        if { [ACCESS::policy agent_id] eq "time_to_inspect_username" } {
            set user [ACCESS::session data get session.logon.last.username]
            if { [class match $user equals DataGroupList_A] } {
                ACCESS::session data set session.logon.last.username_found_in_list 1
                log local0. "Found username in datagroup, [ACCESS::session data get session.logon.last.username_found_in_list]"
            } else {
                ACCESS::session data set session.logon.last.username_found_in_list 0
                log local0. "Did NOT find username in datagroup, [ACCESS::session data get session.logon.last.username_found_in_list]"
            }
        }
    }

    Remember to remove, or comment out, the log commands when you are done troubleshooting.

    HTH

  • I feel compelled to post a step I missed for all of the iRule noobs out there like me. I was so focused on the iRule syntax and the APM VPE iRule Event Agent that I forgot to associate my new iRule with the VIP. Once I associated the iRule with the VIP everything started working.

    Thanks John Alam for the follow-up troubleshooting options.