In AppExpert
In Citrix ADC 13.0
In Citrix ADC
In All products
Product documentation
In AppExpert
In Citrix ADC 13.0
In Citrix ADC
In All products
Citrix ADC
Current Release 12.1 12.0 11.1 10.5
View PDF

RADIUS support for the rewrite feature

September 21, 2020
Contributed by: 
S

The Citrix ADC expressions language includes expressions that can extract information from and manipulate RADIUS messages in requests and responses. These expressions enable you to use the rewrite feature to modify portions of a RADIUS message before sending it to its destination. Your rewrite policies and actions can use any expression that is appropriate or relevant to a RADIUS message. The available expressions enable you to identify the RADIUS message type, extract any attribute-value pair (AVP) from the connection, and modify RADIUS AVPs. You can also create policy labels for RADIUS connections.

You can use the new RADIUS expressions in Rewrite rules for a number of purposes. For example, you could:

  • Remove the domain\ portion of the RADIUS user-name AVP to simplify single sign-on (SSO).
  • Insert a vendor-specific AVP, such as the MSISDN field used in telephone company operations to contain subscriber information.

You can also create policy labels to route specific types of RADIUS requests through a series of policies that are appropriate to those requests.

Note:

RADIUS for Rewrite has the following limitations:

  • The Citrix ADC does not re-sign rewritten RADIUS requests or responses. If the RADIUS authentication server requires signed RADIUS messages, authentication will fail.
  • The currently available RADIUS expressions do not work with RADIUS IPv6 attributes.

The Citrix ADC documentation for expressions that support RADIUS assumes familiarity with the basic structure and purpose of RADIUS communications. If you need more information about RADIUS, see your RADIUS server documentation or search online for an introduction to the RADIUS protocol.

Configuring Rewrite Policies for RADIUS

The following procedure uses the Citrix ADC command line to configure a rewrite action and policy and bind the policy to a rewrite-specific global bind point.

To configure a Rewrite action and policy, and bind the policy:

At the command prompt, type the following commands:

  • add rewrite action <actName> <actType>
  • add rewrite policy <polName> <rule> <actName>
  • bind rewrite policy <polName> <priority> <nextExpr> -type <bindPoint> where <bindPoint> represents one of the rewrite-specific global bind points.

RADIUS Expressions for Rewrite

In a rewrite configuration, you can use the following Citrix ADC expressions to refer to various portions of a RADIUS request or response.

Identifying the Type of Connection:

  • RADIUS.IS_CLIENT

    Returns TRUE if the connection is a RADIUS client (request) message.

  • RADIUS.IS_SERVER

    Returns TRUE if the connection is a RADIUS server (response) message.

Request Expressions:

  • RADIUS.REQ.CODE

    Returns the number that corresponds to the RADIUS request type. A derivative of the num_at class. For example, a RADIUS access request would return 1 (one). A RADIUS accounting request would return 4.

  • RADIUS.REQ.LENGTH

    Returns the length of the RADIUS request, including the header. A derivative of the num_at class.

  • RADIUS.REQ.IDENTIFIER

    Returns the RADIUS request identifier, a number assigned to each request that allows the request to be matched to the corresponding response. A derivative of the num_at class.

  • RADIUS.REQ.AVP(<AVP Code No>).VALUE

    Returns the value of first occurrence of this AVP as a string of type text_t.

  • RADIUS.REQ.AVP(<AVP code no>).INSTANCE(instance number)

    Returns the specified instance of the AVP as a string of type RAVP_t. A specific RADIUS AVP can occur multiple times in a RADIUS message. INSTANCE (0) returns the first instance, INSTANCE (1) returns second instance, and so on, up to sixteen instances.

  • RADIUS.REQ.AVP(<AVP code no>).VALUE(instance number)

    Returns the value of specified instance of the AVP as a string of type text_t.

  • RADIUS.REQ.AVP(<AVP code no>).COUNT

    Returns the number of instances of a specific AVP in a RADIUS connection, as an integer.

  • RADIUS.REQ.AVP(<AVP code no>).EXISTS

    Returns TRUE if the specified type of AVP exists in the message, or FALSE if it does not.

Response Expressions:

RADIUS response expressions are identical to RADIUS request expressions, except that RES replaces REQ.

Typecasts of AVP Values:

The ADC supports expressions to typecast RADIUS AVP values to the text, integer, unsigned integer, long, unsigned long, ipv4 address, ipv6 address, ipv6 prefix and time data types. The syntax is the same as for other Citrix ADC typecast expressions.

Example:

The ADC supports expressions to typecast RADIUS AVP values to the text, integer, unsigned integer, long, unsigned long, ipv4 address, ipv6 address, ipv6 prefix and time data types. The syntax is the same as for other Citrix ADC typecast expressions.

RADIUS.REQ.AVP(8).VALUE(0).typecast_ip_address_at

AVP Type Expressions:

The Citrix ADC supports expressions to extract RADIUS AVP values by using the assigned integer codes described in RFC2865 and RFC2866. You can also use text aliases to accomplish the same task. Some examples follow.

  • RADIUS.REQ.AVP (1).VALUE or RADIUS.REQ.USERNAME.value

    Extracts the RADIUS user-name value.

  • RADIUS.REQ.AVP (4). VALUE or RADIUS.REQ. ACCT\_SESSION\_ID.value

    Extracts the Acct-Session-ID AVP (code 44) from the message.

  • RADIUS.REQ.AVP (26). VALUE or RADIUS.REQ.VENDOR\_SPECIFIC.VALUE

    Extracts the vendor-specific value.

The values of most commonly-used RADIUS AVPs can be extracted in the same manner.

RADIUS Bind Points:

Four global bind points are available for policies that contain RADIUS expressions.

  • RADIUS_REQ_OVERRIDE

    Priority/override request policy queue.

  • RADIUS_REQ_DEFAULT

    Standard request policy queue.

  • RADIUS_RES_OVERRIDE

    Priority/override response policy queue.

  • RADIUS_RES_DEFAULT

    Standard response policy queue.

RADIUS Rewrite-Specific Expressions:

  • RADIUS.NEW_AVP

    Returns the specified RADIUS AVP as a string.

  • RADIUS.NEW_AVP_INTEGER32

    Returns the specified RADIUS AVP as an integer.

  • RADIUS.NEW_AVP_UNSIGNED32

    Returns the specified RADIUS AVP as an unsigned integer.

  • RADIUS.NEW_VENDOR_SPEC_AVP(<ID>, <definition>)

    Adds the specified extended vendor specific AVPs to the connection. For <ID>, substitute a long number. For <definition>, substitute a string that contains the data for the AVP.

  • RADIUS.REQ.AVP_START

    Returns the location between the end of the RADIUS header and the start of the AVPs. Used in rewrite actions.

    Example:

    add rewrite action insert1 insert_after radius.req.avp_start radius.new_avp(33, "NEW AVP")

  • RADIUS.REQ.AVP_END

    Returns the location at the end of radius message (or in other words end of all AVPs) in radius message. Used when performing rewrite actions.

    Example:

    add rewrite action insert2 insert_before radius.req.avp_end "radius.new_avp(33, \"NEW AVP\")"

  • RADIUS.REQ.AVP_LIST

    Returns the location at the start of the AVPs in a RADIUS message, and the length of the RADIUS message, excluding the header. In other words, returns all AVPs in a RADIUS message. Used to perform Rewrite actions.

    Example:

    add rewrite action insert3 insert_before_all radius.req.avp_list "radius.new_avp(33, \"NEW AVP\")" -search "avp(33)"

Valid Rewrite-Action Types for RADIUS:

The Rewrite action types that can be used with RADIUS expressions are:

  • INSERT_AFTER
  • INSERT_BEFORE
  • INSERT_AFTER_ALL
  • INSERT_BEFORE_ALL
  • DELETE
  • DELETE_ALL
  • REPLACE
  • REPLACE_ALL

All INSERT_ actions can be used to insert a RADIUS AVP into a RADIUS connection.

Use Cases

Following are use cases for RADIUS with rewrite.

Rewriting the User-Name AVP

To configure the rewrite feature to remove the Domain\ string from the RADIUS user-name AVP, begin by creating a rewrite REPLACE action as shown in the example below. Use the action in a Rewrite policy that selects all RADIUS requests. Bind the policy to a global bind point. When you do so, set the priority the appropriate level to allow any block or reject policies to take effect first, but ensure that all requests that are not blocked or rejected are rewritten. Set the Goto Expression (gotoPriorityExpr) to NEXT to continue policy evaluation, and attach the policy to the RADIUS_REQ_DEFAULT queue.

Example:

add rewrite action rwActRadiusDomainDel replace radius.req.user_name q/RADIUS.NEW_AVP(1,RADIUS.REQ.USER_NAME.VALUE.AFTER_STR(" "))/
add rewrite policy RadiusRemoveDomainPol true rwActRadiusDomainDel

Note:

The rewrite policy for RADIUS is not applicable to a gateway virtual server. If a gateway virtual server is used a load balancing then RADIUS needs to be configured and the rewrite policy needs to be bound to a RADIUS load balancing virtual server.

Inserting a Vendor-Specific AVP

To configure Rewrite action to insert a Vendor-Specific AVP containing the contents of the MSISDN field, begin by creating a rewrite INSERT action that inserts the MSISDN field into the request. Use the action in a Rewrite policy that selects all RADIUS requests. bind the policy to global, setting the priority to an appropriate level and the other parameters as shown in the following example.

Example:

add rewrite action rwActRadiusInsMSISDN insert_after radius.req.avp_start RADIUS.NEW_VENDOR_SPEC_AVP(<VENDOR ID>, "RADIUS.NEW_AVP(<Attribute Code>, <MSISDN>)")
add rewrite policy rwPolRadiusInsMSISDN true rwActRadiusInsMSISDN
bind rewrite global rwPolRadiusInsMSISDN 100 NEXT -type RADIUS_REQ_DEFAULT

RADIUS support for the rewrite feature

September 21, 2020
Contributed by: 
S
September 21, 2020
Contributed by: 
S

In this article