ACCESS_POLICY_AGENT_EVENT
Description
This event provides the glue between iRule execution and access policy
execution. An administrator can insert an iRule event agent at a chosen
point in an access policy. When policy execution reaches that agent,
ACCESS_POLICY_AGENT_EVENT is raised in iRules inside TMM. The iRule can
read the current agent ID (using the iRule command
ACCESS::policy agent_id) to determine which iRule agent raised the
event, in case there are several, and run custom logic accordingly. The
event therefore lets an administrator execute iRule logic (inside TMM)
at a desired point in access policy execution. For example, to run
concurrent session checks for a particular AD group, insert this agent
after the AD query; once the user's group has been retrieved from the
AD query, an iRule inside TMM can check how many concurrent sessions
exist for that user group.
Examples
when ACCESS_POLICY_AGENT_EVENT {
    # only act on the iRule event agent whose ID is "lastLogon"
    if { [ACCESS::policy agent_id] eq "lastLogon" } {
        # our limit in seconds
        set 2weeks 1209600
        # offset in milliseconds between the MS time attribute epoch (year 1601) and the start of the Unix epoch
        set offset 11644473600000
        # lastLogon from the AD query, in 100 nanosecond increments since 1601
        set adtime "[ACCESS::session data get session.ad.last.attr.lastLogon]"
        # convert adtime to milliseconds
        set millisecs [expr {$adtime / 10000}]
        # subtract offset
        set lastlogintime [expr {$millisecs - $offset}]
        # convert to seconds because milliseconds for 'now' were negative (maybe vmware issue)
        set secs [expr {$lastlogintime / 1000}]
        set now [clock seconds]
        # finally calculate the difference
        set diff [expr {$now - $secs}]
        log local0. "lastLogon: $diff seconds from current time"
        # publish the result as a session variable for later policy items
        if { $diff > $2weeks } {
            ACCESS::session data set session.custom.lastLogonWithin2Weeks 0
        } else {
            ACCESS::session data set session.custom.lastLogonWithin2Weeks 1
        }
    }
}
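
A hardened variant of the lastLogon check above, added here as an example and not part of the original page: it dispatches on the agent ID with switch and fails closed when the attribute is missing, zero, or not a plain decimal number, instead of letting expr raise a Tcl error. It assumes a missing session variable is returned as an empty string; the default branch and the log wording are illustrative.

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    switch -- [ACCESS::policy agent_id] {
        "lastLogon" {
            # Fail closed: the flag stays 0 unless a valid, recent value is found.
            set within 0
            set adtime [ACCESS::session data get session.ad.last.attr.lastLogon]
            # Accept only 1 to 18 decimal digits with no leading zero. This rejects
            # an empty value (assumed result for a missing attribute), "0" (account
            # has never logged on), octal-looking input and values that would
            # overflow a 64-bit integer in expr.
            if { [regexp {^[1-9][0-9]{0,17}$} $adtime] } {
                # 100 ns ticks since 1601-01-01 -> seconds since 1970-01-01
                set secs [expr {$adtime / 10000000 - 11644473600}]
                set diff [expr {[clock seconds] - $secs}]
                log local0.info "lastLogon: $diff seconds from current time"
                # Same limit as the example above: two weeks in seconds.
                if { $diff <= 1209600 } {
                    set within 1
                }
            } else {
                log local0.warning "lastLogon: attribute missing or not numeric"
            }
            ACCESS::session data set session.custom.lastLogonWithin2Weeks $within
        }
        default {
            log local0.debug "no handler for agent [ACCESS::policy agent_id]"
        }
    }
}
```

A later branch in the access policy can then test session.custom.lastLogonWithin2Weeks and treat 0 as the deny path.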