ZANOOB
Jul 23, 2021

iRule not working to have RADIUS persistent load balancing.

Hello All,

 

I am having trouble with an iRule that I created to load balance RADIUS traffic on F5. I have a virtual server that listens on "all ports", and I have created an iRule that accepts only packets on ports 1812 and 1813.

This iRule is called from a Persistent profile I created (whose parent profile is Universal). This Persistent profile is assigned under Virtual Server --> Resources --> Default Persistent profile.

Somehow it is not working for me. I see that the packets are reaching the F5, but the "Access-Request" packets are not being sent out to the pool members. The iRule is shown below for reference:


when RULE_INIT {
   array set ::attr_code2name {
         1     User-Name
         2     User-Password
         3     CHAP-Password
         4     NAS-IP-Address
         5     NAS-Port
         6     Service-Type
         7     Framed-Protocol
         8     Framed-IP-Address
         9     Framed-IP-Netmask
        10     Framed-Routing
        11     Filter-Id
        12     Framed-MTU
        13     Framed-Compression
        14     Login-IP-Host
        15     Login-Service
        16     Login-TCP-Port
        17     (unassigned)
        18     Reply-Message
        19     Callback-Number
        20     Callback-Id
        21     (unassigned)
        22     Framed-Route
        23     Framed-IPX-Network
        24     State
        25     Class
        26     Vendor-Specific
        27     Session-Timeout
        28     Idle-Timeout
        29     Termination-Action
        30     Called-Station-Id
        31     Calling-Station-Id
        32     NAS-Identifier
        33     Proxy-State
        34     Login-LAT-Service
        35     Login-LAT-Node
        36     Login-LAT-Group
        37     Framed-AppleTalk-Link
        38     Framed-AppleTalk-Network
        39     Framed-AppleTalk-Zone
        60     CHAP-Challenge
        61     NAS-Port-Type
        62     Port-Limit
        63     Login-LAT-Port
   }
}

when CLIENT_ACCEPTED {
   if { ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } {
      log local0. "packet on port [UDP::local_port] dropped"
      drop
   } else {
      set CALLID [RADIUS::avp 31 string]
      persist uie $CALLID
      log local0. "persisted $CALLID"
   }
}

when CLIENT_DATA {
   if { [UDP::local_port] == 1813 } {
      set CALLID [RADIUS::avp 31 string]
      set IP [RADIUS::avp 8 ip4]
      if { $IP != "" } {
         table set $IP [LB::server addr] 900
         log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
      }
   }
}

when LB_SELECTED {
   log local0. "Selected [LB::server addr] [LB::server port]"
}

when SERVER_DATA {
   persist add uie $CALLID
   log local0. "persist added for $CALLID to [LB::server addr]"
}


2 Replies

  • Hi ZANOOB,

    [RADIUS::avp 31 string] may be returning an empty string. If it is empty, the iRule will throw an error.

    Can you investigate the LTM logs and try this iRule?

    when CLIENT_DATA {
    	if { [UDP::local_port] == 1813 } {
    		set CALLID [RADIUS::avp 31 string]
    		set IP [RADIUS::avp 8 ip4]
    		if { $IP != "" } {
    			table set $IP [LB::server addr] 900
    			log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
    		}
    	}
    }
     
    when CLIENT_ACCEPTED {
    	if { ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } {
    		log local0. "packet on port [UDP::local_port] dropped"
    		drop
    	}
    	elseif {
    		set CALLID [RADIUS::avp 31 string]
    		log local0. "persisted $CALLID"
    		
    		if { $CALLID ne "" } {
    			persist uie $CALLID
    		}
    	}
    }
     
    when CLIENT_DATA {
    	if { [UDP::local_port] == 1813 } {
    		set CALLID [RADIUS::avp 31 string]
    		set IP [RADIUS::avp 8 ip4]
    		if { $IP ne "" && $CALLID ne "" } {
    			table set $IP [LB::server addr] 900
    			log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
    		}
    	}
    }
     
    when LB_SELECTED {
    	log local0. "Selected [LB::server addr] [LB::server port]"
    }
     
    when SERVER_DATA {
    	if { $CALLID ne "" } {
    		persist add uie $CALLID
    		log local0. "persist added for $CALLID to [LB::server addr]"
    	}
    }
  • Hello Enes Afsin Al,

     

    Thank you for your reply. Much appreciated.

    I was not able to save the above iRule since it shows some syntax errors. I am not an expert in scripts, so I couldn't find what is wrong with its syntax.

    -------------------------------
    01070151:3: Rule [/Common/CallIDUIE2] error: /Common/CallIDUIE2:17: error: [parse error: PARSE syntax 501 {syntax error in expression "
    set CALLID [RADIUS::avp 31 string]
    log local0. ...": variable references require preceding $}][{
    set CALLID [RADIUS::avp 31 string]
    log local0. "persisted $CALLID"

    if { $CALLID ne "" } {
    persist uie $CALLID
    }
    }]
    /Common/CallIDUIE2:24: error: [missing a script after "elseif"][]
    /Common/CallIDUIE2:27: error: ["Duplicate event"][when CLIENT_DATA {
    if { [UDP::local_port] == 1813 } {
    set CALLID [RADIUS::avp 31 string]
    set IP [RADIUS::avp 8 ip4]
    if { $IP ne "" && $CALLID ne "" } {
    table set $IP [LB::server addr] 900
    log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
    }
    }
    }]
    --------------------------------


    The packet capture shows the AVP 31 attribute (Calling-Station-Id) in it. So the issue is not a missing attribute value; rather, there is something in the packet that F5 is not able to understand, and it is not processing the packet forward.

     

     

    Frame 2: 317 bytes on wire (2536 bits), 317 bytes captured (2536 bits)
    Ethernet II, Src: Fortinet_09:00:12 (00:09:0f:09:00:12), Dst: VMware_f5:03:01 (00:50:56:f5:03:01)
    802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 4091
    Internet Protocol Version 4, Src: 172.17.70.60, Dst: 10.1.6.100
    User Datagram Protocol, Src Port: 54892, Dst Port: 1812
    RADIUS Protocol
       Code: Access-Request (1)
       Packet identifier: 0x5e (94)
       Length: 164
       Authenticator: e0a10849518a2fc1f0827505db9f8a5c
       Attribute Value Pairs
           AVP: t=NAS-IP-Address(4) l=6 val=172.17.70.60
           AVP: t=NAS-Port(5) l=6 val=0
           AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
           AVP: t=User-Name(1) l=15 val=mgalantowicza
           AVP: t=User-Password(2) l=18 val=Encrypted
           AVP: t=Service-Type(6) l=6 val=Shell-User(6)
           AVP: t=Calling-Station-Id(31) l=14 val=b0b867cd68ee
               Type: 31
               Length: 14
               Calling-Station-Id: b0b867cd68ee
           AVP: t=Called-Station-Id(30) l=14 val=b0b867cd68ee
           AVP: t=Vendor-Specific(26) l=23 vnd=Aruba, a Hewlett Packard Enterprise company(14823)
           AVP: t=Vendor-Specific(26) l=18 vnd=Aruba, a Hewlett Packard Enterprise company(14823)
           AVP: t=Message-Authenticator(80) l=18 val=a0d082620a1137f9110e2a5975c7d6a8
    F5 Ethernet Trailer Protocol


    However, I will check the LTM logs. But the last time I checked, it really didn't give any error for the virtual server. It simply is not forwarding the traffic to the load-balanced RADIUS servers.
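The suggested iRule rewritten as an added example (not code from either poster) so that it clears the two parse errors quoted above: `elseif` requires a condition, so the drop branch ends with an early `return` instead, and the duplicated `when CLIENT_DATA` handler is merged into one; the empty-value guard from the reply is kept. It assumes the virtual server has a RADIUS profile attached (the `RADIUS::` commands rely on one) and a Universal persistence profile that references this rule.

```tcl
# Added example: corrected version of the reply's iRule (assumes a RADIUS
# profile on the virtual server and a Universal persistence profile).
when CLIENT_ACCEPTED {
    if { ([UDP::local_port] != 1812) && ([UDP::local_port] != 1813) } {
        log local0. "packet on port [UDP::local_port] dropped"
        drop
        # "elseif" without a condition is the parse error at line 24;
        # returning here makes the rest of the event the "else" branch.
        return
    }
    set CALLID [RADIUS::avp 31 string]
    if { $CALLID ne "" } {
        # Only persist on a non-empty Calling-Station-Id; an empty key
        # makes "persist uie" throw a runtime error.
        persist uie $CALLID
        log local0. "persisted $CALLID"
    } else {
        log local0. "no Calling-Station-Id, falling back to plain load balancing"
    }
}

# A rule may define each event only once ("Duplicate event" at line 27),
# so the accounting mapping lives in this single CLIENT_DATA handler.
when CLIENT_DATA {
    if { [UDP::local_port] == 1813 } {
        set CALLID [RADIUS::avp 31 string]
        set IP [RADIUS::avp 8 ip4]
        if { $IP ne "" && $CALLID ne "" } {
            # Remember which pool member handled this framed IP for 15 minutes.
            table set $IP [LB::server addr] 900
            log local0. "Radius maps $IP to [LB::server addr] for $CALLID"
        }
    }
}

when LB_SELECTED {
    log local0. "Selected [LB::server addr] [LB::server port]"
}

when SERVER_DATA {
    # CALLID is only defined if CLIENT_ACCEPTED reached the set above.
    if { [info exists CALLID] && $CALLID ne "" } {
        persist add uie $CALLID
        log local0. "persist added for $CALLID to [LB::server addr]"
    }
}
```

If the rule saves but Access-Requests still are not forwarded, the LTM log lines written by these `log local0.` calls show which event the datagram last reached.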