Forum Discussion

jstaf
Jun 05, 2013

can't get APM secure session variable value in iRule

Hello,

when ACCESS_ACL_ALLOWED {
   set user [ACCESS::session data get "session.logon.last.username"]
   set password [ACCESS::session data get -secure "session.logon.last.password"]
   HTTP::header insert "X-USERNAME" $user
   # for debugging purpose only
   HTTP::header insert "X-PWD" $password
}

The above code does not work: the password value is empty.

I found a workaround which is to use VPE to assign the password variable value to a non-secure custom variable, and use it in iRule.

But is it a known feature, did I miss something?

I am using 11.3 HF3

Kind regards

3 Replies

  • I am running into similar and on 11.4 HF3. This is a VDI setup and need both the AD username/password and a SafeWord (RADIUS) token. Since VDI doesn't support anything other than RSA SecurID (for whatever strange reason), I'm looking at a workaround.

    The thought was to have the user enter both the RADIUS token and the AD password all in the password field and parse it in the iRule.

    However the session.logon.last.password comes back blank. Both with and without using the '-secure' option on the data get.

    How can this information be obtained? I might use the username field if this becomes an obstacle, but that just doesn't seem too clean (well none of this is clean).

    So how can one not only obtain the value that was entered for the password in the iRule, but also set the new value for it to be passed on?

    thank you.....


  • As jstaf discovered, the password collected in the APM logon form is not directly accessible via iRules. I can't say if this is intentional, but probably not a bad idea nonetheless. You can still get to the password by creating a custom session variable in a VPE variable assignment agent:

    session.custom.pass = return [mcget -secure {session.logon.last.password}]

    Generally though, the AAA objects and SSO profiles do have access to the password variable, so you could do something like the following:

    Present three fields in the logon form (username, password, and token ID). When you're doing AAA, most of the agents expect the password in the session.logon.last.password variable, so simply 1) assign the user password to a temporary variable, 2) assign the token ID to the session.logon.last.password variable just before the SecurID AAA, and then 3) put the user password back into that variable for an AD/LDAP AAA or form/ntlm SSO.
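The following is an added example, not code from this thread, from jstaf, or from F5. It puts the two things discussed above side by side: the VPE Variable Assign entries that implement the three-step token/password juggling and the non-secure copy jstaf used as a workaround, and an iRule that consumes that copy. The variable names session.custom.adpass and session.custom.pass, the logon-page field named "token" (which APM would store as session.logon.last.token), and the /legacy-app/ path prefix are all assumptions chosen for the example.

```tcl
# Added example (not from the thread or from F5). Two parts:
#
# 1. VPE Variable Assign agent entries. They are typed into the GUI, so they
#    appear here as comments, not as iRule code. Assumed names: the custom
#    variables session.custom.adpass (secure temporary copy) and
#    session.custom.pass (non-secure copy for the iRule); the extra logon-page
#    field is assumed to be named "token", stored as session.logon.last.token.
#
#    Agent placed before the SecurID AAA agent:
#      session.custom.adpass       = return [mcget -secure {session.logon.last.password}]
#      session.logon.last.password = return [mcget {session.logon.last.token}]
#    Agent placed after SecurID, before the AD/LDAP AAA or form/NTLM SSO:
#      session.logon.last.password = return [mcget -secure {session.custom.adpass}]
#      session.custom.pass         = return [mcget -secure {session.custom.adpass}]
#
# 2. The iRule below reads the non-secure copy. A non-secure variable sits in
#    cleartext in the APM session database, which is exactly what -secure is
#    meant to prevent, so hand the value only to the backend that needs it.

when ACCESS_ACL_ALLOWED {
    set user [ACCESS::session data get "session.logon.last.username"]
    set password [ACCESS::session data get "session.custom.pass"]

    # Fail closed: if the VPE copy is missing, do not forward an empty credential.
    if { $password eq "" } {
        log local0. "session.custom.pass missing for user=$user client=[IP::client_addr]"
        return
    }

    # Only the application that actually needs the password receives it.
    # The /legacy-app/ prefix is an assumed stand-in for that application.
    if { [HTTP::path] starts_with "/legacy-app/" } {
        HTTP::header insert "X-USERNAME" $user
        HTTP::header insert "X-PWD" $password
    } else {
        HTTP::header insert "X-USERNAME" $user
    }

    # Log the event, never the secret itself.
    log local0. "forwarded identity for $user to [HTTP::path]"
}
```

Two points worth checking in a real deployment: leave the Secure option set on the Variable Assign entries that hold session.custom.adpass and session.logon.last.password, so only session.custom.pass is readable from the iRule, and confirm that the server-side connection carrying X-PWD is encrypted, since the iRule itself cannot guarantee that.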

  • thanks. I agree with your form based approach for those that begin with a web form. I'm working on VDI where the client logs on directly. The standard method for RSA and AD is a two step process where the user is asked for the username and RSA token then asked for the username and AD password. The preference here is to have one form for both and so I was investigating combining the passwords and parsing them in an iRule. Thanks for the information it is greatly appreciated!!

    Best regards.