freeradius 2.1.7-7.el5 - How to get vendor specific attributes from LDAP

Jakub Pech jakub.pech at spinoco.com
Thu Nov 24 12:04:10 CET 2011


Hello,

please can anybody give me a hint how to get vendor specific attributes 
from LDAP and send them to the NAS? My freeradius version is 2.1.7-7.el5.

When I authenticate against the users file, everything works well.

rad_recv: Access-Request packet from host 31.186.188.2 port 60528, id=101, length=73
User-Name = "rad-oper"
User-Password = "rad-oper"
NAS-Identifier = "ar-srx100-default"
NAS-IP-Address = 31.186.188.2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rad-oper", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry rad-oper at line 53
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "rad-oper"
[pap] Using clear text password "rad-oper"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 101 to 31.186.188.2 port 60528
Juniper-Local-User-Name := "class2"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 101 with timestamp +302
Ready to process requests.


As you can see, I need to send the Vendor Specific Attribute 
Juniper-Local-User-Name := "class2", which is associated with a group of 
available commands on the device.

On OpenLDAP I edited the schema and added

attributetype ( 1.3.6.1.1.1.1.28 NAME 'radiusJuniperLocalUserName'
DESC 'Juniper Auth Class'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.1.1.2.13 NAME 'radiusprofile'
DESC 'Abstraction of an account with RADIUS attributes'
SUP top AUXILIARY
MAY radiusJuniperLocalUserName )

Then I've added these items to my test user "pech".

On freeradius server I've edited:

1. ldap.attrmap
checkItem Juniper-Local-User-Name radiusJuniperLocalUserName
replyItem Juniper-Local-User-Name radiusJuniperLocalUserName


2. modules/ldap
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "10.10.x.y"
identity = "cn=sa,dc=viphone,dc=eu"
password = testtest
basedn = "dc=viphone,dc=eu"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"


Now when I try to authenticate LDAP user "pech" I'll get:

rad_recv: Access-Request packet from host 31.186.188.2 port 60647, id=85, length=69
User-Name = "pech"
User-Password = "securepassword"
NAS-Identifier = "ar-srx100-default"
NAS-IP-Address = 31.186.188.2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pech", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "securepassword"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 85 to 31.186.188.2 port 60647
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 85 with timestamp +17
Ready to process requests.

So the user is authenticated but no Juniper-Local-User-Name attribute 
has been sent.


Thank you very much for your help.


Kind regards,

Jakub Pech
System Developer
------------------
Spinoco Czech Republic, a.s.
Šafránkova 1243/3
155 00 Praha 5

tel +420 257 895 495
jakub.pech at spinoco.com
www.spinoco.com

Spinoco – business communication
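Added example (not part of the post or of FreeRADIUS): a small Python checker for debug output in the format shown above. It records which modules ran in each section and which attributes were attached to the reply; run over the second trace, it reports that no ldap module appears in the authorize section at all, so the ldap.attrmap entries are never consulted. The embedded trace is constructed from the post's output and trimmed; the module name "ldap" is assumed to be the instance name.

```python
import re

# Constructed sample: the post's second debug trace, trimmed to the relevant lines.
TRACE_LDAP_USER = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[unix] returns updated
++[files] returns noop
++[pap] returns updated
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 85 to 31.186.188.2 port 60647
Finished request 0.
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+) \{")
MODULE_RE = re.compile(r"^\++\[(\w+)\] returns (\w+)")
SEND_RE = re.compile(r"^Sending (Access-\S+) of id (\d+)")
ATTR_RE = re.compile(r'^\s*([\w-]+) ([:+]?=) "?(.*?)"?$')

def parse_trace(text):
    """Return (modules per section, reply code, reply attributes) for one request."""
    sections, reply_code, reply_attrs = {}, None, {}
    current, in_reply = None, False
    for line in text.splitlines():
        if m := GROUP_RE.match(line):
            current = m.group(1)
        elif m := MODULE_RE.match(line):
            sections.setdefault(current, []).append((m.group(1), m.group(2)))
        elif m := SEND_RE.match(line):
            reply_code, in_reply = m.group(1), True
        elif line.startswith("Finished request"):
            in_reply = False
        elif in_reply and (m := ATTR_RE.match(line)):
            reply_attrs[m.group(1)] = m.group(3)  # attribute lines follow "Sending ..."
    return sections, reply_code, reply_attrs

def diagnose(text, wanted_attr, module="ldap"):
    """Explain, from the trace alone, why a reply attribute may be missing."""
    sections, code, attrs = parse_trace(text)
    called = [name for name, _ in sections.get("authorize", [])]
    findings = []
    if module not in called:
        findings.append(f"{module} never ran in authorize; modules called: {called}")
    elif dict(sections["authorize"])[module] not in ("ok", "updated"):
        findings.append(f"{module} ran in authorize but did not return ok/updated")
    if code == "Access-Accept" and wanted_attr not in attrs:
        findings.append(f"{code} sent without {wanted_attr}")
    return findings
```

Calling `diagnose(TRACE_LDAP_USER, "Juniper-Local-User-Name")` returns two findings for the trace above; a trace in which `++[ldap] returns ok` precedes an Access-Accept carrying the attribute returns none.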


