Forum Discussion
Hi Gilles,
the following config and code may be used for your further developments...
Virtual Server:
    ltm virtual VS_RADIUS_211 {
        destination X.X.X.211%1:radius
        ip-protocol udp
        mask 255.255.255.255
        profiles {
            radiusLB { }
            udp { }
        }
        rules {
            iRule_Radius_NAS_Injection
        }
        source 0.0.0.0%1/0
        translate-address enabled
        translate-port enabled
    }
iRule_Radius_NAS_Injection
    when CLIENT_DATA {
        # User-Name (AVP 1) of the form nas-attr||username: move the prefix into NAS-Identifier (AVP 32)
        if { [RADIUS::avp 1] contains "||" } then {
            log local0.debug "Incoming Radius Request > Username: [RADIUS::avp 1] | NAS: [RADIUS::avp 32]"
            RADIUS::avp replace 32 [getfield [RADIUS::avp 1] "||" 1]
            RADIUS::avp replace 1 [getfield [RADIUS::avp 1] "||" 2]
            log local0.debug "Outgoing Radius Request > Username: [RADIUS::avp 1] | NAS: [RADIUS::avp 32]"
        }
        # Selecting radius server and SNAT IP (aka. new Radius Client IP)
        node X.X.X.200%1 1812
        snat [IP::local_addr]
    }
Note: After you've implemented the Virtual Server, iRule and your RADIUS Client configuration, simply change the APM RADIUS configuration object to use the just created Virtual Server and keep every other setting as is. After verifying "normal" operation, you could start to prefix your usernames in a scheme of nas-attr||username. When the RADIUS request passes the iRule it will look for usernames containing a || separator and if found it will use the provided prefix as the new NAS-Identifier attribute and then remove the prefix from the username. After that the iRule would finally forward the request to the backend RADIUS server.
Cheers, Kai
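The rewrite described in the post above, modelled at packet level in Python as an added example (not Kai's iRule and not F5's implementation). It goes beyond the iRule by checking the client-supplied prefix against an allow-list before it becomes the NAS-Identifier; `ALLOWED_NAS_IDS`, the function names and the sample request are assumptions constructed for the illustration.

```python
import struct

USER_NAME, NAS_IDENTIFIER = 1, 32                # RADIUS attribute types used by the iRule
ALLOWED_NAS_IDS = {b"vpn-admins", b"vpn-users"}  # constructed allow-list (assumption)

def parse(packet):
    """Split a raw RADIUS packet into its 20-byte header and a list of (type, value) AVPs."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    avps, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated AVP")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            raise ValueError("bad AVP length")
        avps.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return packet[:20], avps

def build(header, avps):
    """Re-encode the packet, fixing up the length field in the header."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return header[:2] + struct.pack("!H", 20 + len(body)) + header[4:20] + body

def rewrite(packet):
    """Model of the iRule: move an allow-listed 'nas||user' prefix into NAS-Identifier."""
    header, avps = parse(packet)
    user = next((v for t, v in avps if t == USER_NAME), None)
    if user is None or b"||" not in user:
        return packet                            # no separator: forward unchanged
    prefix, _, name = user.partition(b"||")
    # Hardening beyond the iRule: the prefix is client-supplied, so reject unknown
    # values, empty usernames and a second separator instead of forwarding them.
    if prefix not in ALLOWED_NAS_IDS or not name or b"||" in name:
        raise ValueError("rejected NAS prefix")
    out, seen_nas = [], False
    for t, v in avps:
        if t == USER_NAME:
            v = name
        elif t == NAS_IDENTIFIER:
            v, seen_nas = prefix, True
        out.append((t, v))
    if not seen_nas:
        out.append((NAS_IDENTIFIER, prefix))     # request carried no NAS-Identifier
    return build(header, out)

def sample_request(username, nas=b"apm"):
    """Constructed Access-Request (code 1, id 7, zeroed authenticator) for the demo."""
    return build(bytes([1, 7, 0, 0]) + bytes(16), [(USER_NAME, username), (NAS_IDENTIFIER, nas)])
```

If the request carries a Message-Authenticator (attribute 80), it covers the whole packet and has to be recomputed after any such rewrite; the model above does not do that.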