ACCESS_POLICY_AGENT_EVENT

Description

This event provides glue between iRule execution and access policy execution. Admin can insert an iRule event agent in its access policy at some point in the access policy. During the access policy execution, iRule event agent is executed and ACCESS_POLICY_AGENT_EVENT is raised in iRules inside TMM. Admin can get the current agent ID (using an iRule command ACCESS::policy agent_id ) to know which iRule agent (in case there are multiple of them) raised the event and do some custom logic execution. This event allows admin to execute an iRule logic (inside TMM) at a desired point in the access policy execution. For example, if admin wants to do concurrent session checks for a particular AD group, admin can insert this agent after AD query, and once user’s group has been retrieved from AD query, admin can check to see how many concurrent sessions exist for that user group in an iRule inside TMM.

Examples

when ACCESS_POLICY_AGENT_EVENT {
            if { [ACCESS::policy agent_id] eq "lastLogon" } {
                        # our limit in seconds
                        set 2weeks 1209600
                        # diff in 100 nanosecond increments between MS time attribute (year 1601) and start of epoch
                        set offset 11644473600000
                        set adtime "[ACCESS::session data get session.ad.last.attr.lastLogon]"
                        # convert adtime to milliseconds
                        set millisecs [expr {$adtime / 10000}]
                        # subtract offset
                        set lastlogintime [expr {$millisecs - $offset}]
                        # convert to seconds because milliseconds for 'now' were negative (maybe vmware issue)
                        set secs [expr {$lastlogintime / 1000}]
                        set now [clock seconds]
                        # finally calculate the difference
                        set diff [expr {$now - $secs}]
                        log local0. "lastLogon: $diff seconds from current time"
                        if { $diff > $2weeks } {
                                    ACCESS::session data set session.custom.lastLogonWithin2Weeks 0
                        } else {
                                    ACCESS::session data set session.custom.lastLogonWithin2Weeks 1
                        }
            }
}