
Evan_Champion_1
Jan 08, 2016

APM customised RADIUS accounting

Hi,

 

Is there a way to customise the RADIUS accounting generated via APM VPE RADIUS Accounting block to add attributes that are not sent by default?

 

I would like to add these attributes:

 

  • Calling-Station-ID = client's IP address
  • Called-Station-ID = virtual server name
  • Tunnel-Pvt-Group-ID = Advanced Resource Assignment (assigned VPN pool)

Thanks,

 

Evan

 

4 Replies

  • I had tried setting the RADIUS session variables, prior to the RADIUS Accounting block in VPE, e.g.:

     

    session.radius.last.attr.calling-station-id session.radius.last.acct-called-station-id

     

    but this did not result in setting those attributes. Is this something that is not possible so I should put in an enhancement request?

     

    If one is not able to add additional attributes from APM VPE, I was thinking about a workaround, to hack the RADIUS request going out to add the data.

     

    • create a virtual server for RADIUS with the RADIUS profile
    • create an iRule on the RADIUS virtual server for when CLIENT_DATA that calls:
      • RADIUS::avp to read out the session number
      • ACCESS::session to read the session variables for the RADIUS attributes I want to add
      • RADIUS::avp to add the missing attributes

    Would this work? I will give it a try when I have a spare moment and report back.

     

    Evan

     

    • Evan_Champion_1
      This does not work because the RADIUS Acct-Session-ID only contains the last 8 characters of the session ID, whereas ACCESS::session sid requires the full session ID. I will submit an enhancement request.
  • John

    This is a much-needed feature! We get around it right now using the method you mention (layered RADIUS VIP). To get more detailed info, like the session ID, we append it to the session.logon.last.username before the call to RADIUS in VPE. Then in the iRule we have on the RADIUS virtual, we parse the username attribute, then set the appropriate attributes with RADIUS::avp. Note, there is a length limit to the username for RADIUS. I know we hit it, but don't recall what it was.

     

    So, in VPE have variable assign:

     

    session.logon.last.username = return "[mcget {session.logon.last.username}]|[mcget {session.key}]"

     

    then in the iRule for the RADIUS VIP:

     

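    Code
    when CLIENT_DATA {
      # User-Name (attribute 1) arrives as "username|key" from the VPE variable assign
      set username {}
      set key {}
      scan [RADIUS::avp 1 "string"] {%[^|]|%s} username key
    
      # Only rewrite the request when a key was actually appended
      if {$key ne {}} {
        log local0.err "found key, setting attribute 22 with $key"
        RADIUS::avp insert 22 $key string
        RADIUS::avp replace 1 $username string
      }
    }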
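
As an added example (not code from this thread or from F5), the Python below models at the byte level what the layered RADIUS virtual server does to an Accounting-Request: it splits "user|key" out of User-Name, moves the key into attribute 22 as in the iRule above, enforces the 253-octet RADIUS value limit, and recomputes the RFC 2866 Request Authenticator, which any attribute rewrite invalidates. The shared secret, sample packet and function names are constructed for the example; whether BIG-IP re-signs the request after RADIUS::avp changes is not stated in the thread.

```python
import hashlib, hmac, struct

MAX_VALUE = 253    # RFC 2865: one-octet attribute length minus 2 header octets
USER_NAME = 1      # RFC 2865 User-Name
ACCT_REQUEST = 4   # RFC 2866 Accounting-Request code

def pack_avps(avps):
    out = b""
    for typ, val in avps:
        if not 1 <= len(val) <= MAX_VALUE:
            raise ValueError(f"attribute {typ}: bad value length {len(val)}")
        out += bytes([typ, len(val) + 2]) + val
    return out

def build(ident, avps, secret):
    """Accounting-Request signed with the RFC 2866 Request Authenticator."""
    attrs = pack_avps(avps)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs

def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length or not 2 <= packet[pos + 1] <= length - pos:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        avps.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return ident, packet[4:20], avps

def rewrite(packet, secret, key_attr=22):
    """Move the key out of 'user|key' into key_attr, then re-sign the packet."""
    ident, auth, avps = parse(packet)
    if not hmac.compare_digest(build(ident, avps, secret)[4:20], auth):
        raise ValueError("bad Request Authenticator")
    out, key = [], b""
    for typ, val in avps:
        user, _, rest = val.partition(b"|")
        if typ == USER_NAME and user and rest:
            val, key = user, rest
        out.append((typ, val))
    if key:
        out.append((key_attr, key))
    return build(ident, out, secret)

# Constructed sample: User-Name "evan|0123abcd" plus Acct-Status-Type (40) = Start
SECRET = b"constructed-secret"
SAMPLE = build(7, [(USER_NAME, b"evan|0123abcd"), (40, b"\x00\x00\x00\x01")], SECRET)
```

Until the rewrite runs, the appended key travels in cleartext inside User-Name, and a username plus key longer than 253 octets cannot be encoded at all.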
    
  • Hi Evan,

     

    As for C2010628, RFE id570331 was filed. As of today, the schedule is not yet decided.

     

    Hi John,

     

    Like Evan suggested, if you have similar RFE needs, open a support case so that it can be used to upvote that RFE which will increase the priority.

     

    Thanks. Saravanan