Forum Discussion

Will_33786's avatar
Will_33786
Icon for Nimbostratus rankNimbostratus
Apr 16, 2015
Solved

How do I record the IP assigned to a client after login?

Hello,

I need to record clients' IP address assigned by network access. I searched on Ask f5 it looks like that the variable "session.assigned.clientip" is what I need. So I tried to use an irule to get it but failed.

Here is my irule:

when ACCESS_SESSION_STARTED  {
  set user   [ACCESS::session data get "session.logon.last.username"]
  set client [IP::client_addr]
  set assignip [ACCESS::session data get "session.assigned.clientip"]

  log local0. "LOGON:$user login successful from $client, assigned $assignip"
}

I have tried other events like ACCESS_POLICY_AGENT_EVENT, ACCESS_POLICY_COMPLETED but haven't worked either. Does anyone know how can I log the clients' IP address assigned by network access. I will appreciate it!

application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
management
security
  • John_Alam_45640's avatar
    John_Alam_45640
    Apr 16, 2015

    The VPN address is assigned after the APM policy is completed. Use an iRule to detect the VPN startup URI and then wait a few seconds before querying session.assigned.clientip. 

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myvpn?sess=" } {
        after 5000 { log local0. "VPN started for [ACCESS::session data get session.logon.last.username] from IP [IP::client_addr] assigned client IP [ACCESS::session data get session.assigned.clientip]"}
    }
}

13 Replies

Sort By
    • Will_33786's avatar
      Will_33786
      Icon for Nimbostratus rankNimbostratus
      Apr 16, 2015
      Thank you kunjan. I saw this article. But it just applies to the version previous 10.2.2. And according to the article "IG-IP APM does not populate the session.assigned.clientip session variable until access policy processing is completed", I tried event ACCESS_POLICY_COMPLETED, it's supposed to works.
    • Will_33786's avatar
      Will_33786
      Icon for Nimbostratus rankNimbostratus
      Apr 16, 2015
      Thank you kunjan. I saw this article. But it just applies to the version previous 10.2.2. And according to the article "IG-IP APM does not populate the session.assigned.clientip session variable until access policy processing is completed", I tried event ACCESS_POLICY_COMPLETED, it's supposed to works.
  • kunjan_118660's avatar
    kunjan_118660
    Icon for Cumulonimbus rankCumulonimbus
    Apr 16, 2015

    I think the soln still applicable as there is no change to the process, PPP tunnel to be up for this which happens after ACCESS_POLICY_COMPLETED .

     

    • Will_33786's avatar
      Will_33786
      Icon for Nimbostratus rankNimbostratus
      Apr 20, 2015
      John's answer have solved this question perfectly. Thanks nonetheless!
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Apr 16, 2015

    I think the soln still applicable as there is no change to the process, PPP tunnel to be up for this which happens after ACCESS_POLICY_COMPLETED .

     

    • Will_33786's avatar
      Will_33786
      Icon for Nimbostratus rankNimbostratus
      Apr 20, 2015
      John's answer have solved this question perfectly. Thanks nonetheless!
  • John_Alam_45640's avatar
    John_Alam_45640
    Historic F5 Account
    Apr 16, 2015

    The VPN address is assigned after the APM policy is completed. Use an iRule to detect the VPN startup URI and then wait a few seconds before querying session.assigned.clientip. 

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myvpn?sess=" } {
        after 5000 { log local0. "VPN started for [ACCESS::session data get session.logon.last.username] from IP [IP::client_addr] assigned client IP [ACCESS::session data get session.assigned.clientip]"}
    }
}
    • Will_33786's avatar
      Will_33786
      Icon for Nimbostratus rankNimbostratus
      Apr 20, 2015
      Hi John. Your solution works! It's exactly what I want. You just gave me a big help. Thank you!
    • DevBabu's avatar
      DevBabu
      Icon for Cirrus rankCirrus
      Jul 23, 2018

      Has the URI changed in version 12.1.3.4. I am running 12.1.3.4 and couldn't catch that URI /myvpn?sess=.

      When i did URI logging and saw URI /isession?sess= and I could get the session.assigned.clientip.

      So, my rule looks like:

      when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/isession?sess=" } {
        after 5000 { log local0. "VPN started for [ACCESS::session data get session.logon.last.username] from IP [IP::client_addr] assigned client IP [ACCESS::session data get session.assigned.clientip]"}
    }
}