Forum Discussion

Roberto_GB_2613
Oct 26, 2016

Retrieving username from APM iRule

Hi all,

I'm developing a new iRule for APM and I'm constantly getting an error while retrieving the username from the session...

 

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "ga_user_verify" } {
        log local0. "CUSTOM - ga_user_verify"
        # set variables from APM logon page
        set username [ACCESS::session data get session.logon.last.username]
    }
}

 

I can see in the logs the following: Rule /Common/irule_ga_user_check : CUSTOM - ga_user_verify TCL error: /Common/irule_ga_user_check - invalid command name "testusername" while executing "$username"

I checked that the session variable %{session.logon.last.username} exists... The iRule is launched but the last line is getting an error. Any ideas why it's giving an error?

Thanks in advance,

3 Replies

  • Hi,

     

    The iRule you posted is not the one generating the Tcl error. There is obviously a missing line with $username.

     

  • Hello

    Is that the complete iRule?

    I used this one before where I set the variables outside the call from the APM module to perform some simple logging.

     

    when ACCESS_POLICY_AGENT_EVENT {
        set loginname [ACCESS::session data get session.logon.last.logonname]
        set emaclientip [ACCESS::session data get session.user.clientip]
        set emasessionid [ACCESS::session data get session.user.sessionid]
        if {[ACCESS::policy agent_id] == "logip"} {
            log "EMA $loginname connected with session ID $emasessionid from ClientIP $emaclientip"
        } else {
            return
        }
    }
    

     

    This bit is throwing me though ...

    "testusername" while executing "$username"

    Where's the reference to testusername coming from? Is it further down the iRule or from something else?

  • Hi,

    Thanks for the responses! I chopped the iRule down to what I thought was relevant... and I missed the important line... I was using "[$username]" instead of "$username" while logging. Now it's working.

    Here is the final code:

     

    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "ga_user_verify" } {
            log local0. "CUSTOM - iRule_ga_user_verify"
    
            # Get userdata
            set username [ACCESS::session data get session.logon.last.username]
            set static::ga_key_dg "google_auth_keys"
            set ga_key ""
            set ga_key [class lookup $username $static::ga_key_dg]
    
            # Check retrieved token
            if { [string length $ga_key] == 16 } {
                set ga_user_result 1
            } else {
                set ga_user_result 0
            }
            # user is in database: ga_user_result = 1
            # user is not in database: ga_user_result = 0
            # Log result and save data
            ACCESS::session data set session.custom.ga_user_result $ga_user_result
            log local0. "CUSTOM - user $username has token: $ga_user_result"
        }
    }
    

     

    It's going to complement Google Authenticator as a second factor. Some users have not had the token generator deployed yet and, for the moment, they should not be asked for it while authenticating. I'm following George Watkins' guide, Two-Factor Authentication With Google Authenticator And APM.
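
An added example, not part of the thread or any poster's code: a small Python check that flags `[$var]` in iRule source, the pattern behind the `invalid command name "testusername"` error above, where Tcl runs the variable's value (here a user-supplied logon name) as a command. The function name, the regex heuristic and the sample iRule text, including its log line, are assumptions constructed for illustration.

```python
import re

# Heuristic: an unescaped '[' (Tcl command substitution) whose first word is a
# variable reference. Tcl then uses the variable's *value* as the command name.
# It does not model Tcl quoting fully: a '[$' inside a braced regex pattern
# would also be reported and needs manual review.
VAR_AS_COMMAND = re.compile(r'(?<!\\)\[\s*(\$(?:\{[^}]+\}|[\w:]+))')


def find_var_as_command(irule_source):
    """Return (line_number, variable, line_text) for each [$var ...] found."""
    findings = []
    for lineno, line in enumerate(irule_source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith('#'):  # skip full-line Tcl comments
            continue
        for match in VAR_AS_COMMAND.finditer(line):
            findings.append((lineno, match.group(1), stripped))
    return findings


# Constructed sample: the first post's iRule plus a hypothetical log line that
# uses "[$username]", the mistake described in the last reply.
BROKEN = '''when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "ga_user_verify" } {
        set username [ACCESS::session data get session.logon.last.username]
        log local0. "CUSTOM - user [$username] logged in"
    }
}'''

# Same text with plain variable substitution, as in the working iRule.
FIXED = BROKEN.replace('[$username]', '$username')

if __name__ == '__main__':
    for lineno, var, text in find_var_as_command(BROKEN):
        print(f'line {lineno}: value of {var} is executed as a command: {text}')
    print('fixed version findings:', find_var_as_command(FIXED))
```

Legitimate substitutions such as `[ACCESS::policy agent_id]` or `[class lookup $username ...]` are not reported, because the first word inside the brackets is a fixed command name rather than a variable.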