FreeRADIUS, OpenLDAP and F5 VSAs

Ajinkya Fotedar ajinkyafotedar at gmail.com
Tue May 20 17:59:43 CEST 2014


Hi Arran,

Thank you so much for the reply. I have made the above changes and I can
see the attributes in the reply message (Access-Accept packet), although
I am not sure if this is what it should look like. I have not tested it
with F5 but just want to make sure that I am heading in the right
direction.
Below is the debug and some configurations from FreeRADIUS and OpenLDAP.

Please let me know your thoughts.

Thank you.



*RADIUS debug*

rad_recv: Access-Request packet from host 198.82.169.55 port 50524, id=211, length=132
	User-Name = 'dawson'
	NAS-IP-Address = 198.82.169.55
	NAS-Port = 234234
	Message-Authenticator = 0x14e775dc18fbbbd91c707988226a3a22
	MS-CHAP-Challenge = 0xa92999be9652acdb
	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
(0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)    ? if (User-Name =~ / /)
(0)    ? if (User-Name =~ / /)  -> FALSE
(0)    ? if (User-Name =~ /@.*@/ )
(0)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(0)    ? if (User-Name =~ /\\.\\./ )
(0)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)    ? if (User-Name =~ /\\.$/)
(0)    ? if (User-Name =~ /\\.$/)   -> FALSE
(0)    ? if (User-Name =~ /@\\./)
(0)    ? if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140520'
(0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140520
(0) auth_log : expand: "%t" -> 'Tue May 20 11:37:46 2014'
(0)   [auth_log] = ok
(0)   update control {
(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt'
(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
(0)   } # update control = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))'
(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
(0) ldap : expand: "(&)" -> '(&)'
(0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)'
(0) ldap : Waiting for search result...
(0) ldap : Processing profile attributes
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Info-1+=\"R&D\"'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Partition+=\"RnD\"'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Role+=100'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Shell+=\"tmsh\"'
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
(0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
(0) ldap : control:Prohibited := FALSE
(0) ldap : control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
rlm_ldap (ldap): Released connection (4)
(0)   [-ldap] = ok
(0) pap : Normalizing NT-Password from hex encoding
(0) pap : Normalizing SSHA1-Password from base64 encoding
(0) pap : No clear-text password in the request.  Not performing PAP.
(0)   [pap] = noop
(0) mschap : Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)   [mschap] = ok
(0)   ? if (!(control:NT-Password) || control:Prohibited == TRUE)
(0)   ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
(0)   ? if (Ldap-Group != "%{control:Radius-Profile-DN}")
(0) expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
(0) Checking for user in group objects
(0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Waiting for search result...
(0) User found in group object
rlm_ldap (ldap): Released connection (4)
(0)   ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE
(0)   else else {
(0)    update control {
(0) Auth-Type := Accept
(0)    } # update control = noop
(0)   } # else else = noop
(0)   ? if ("%{reply:F5-LTM-User-Info-1}")
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0)   ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE
(0)  } #  authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) WARNING: Empty post-auth section.  Using default return values.
(0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
Sending Access-Accept of id 211 from 198.82.169.55 port 1830 to 198.82.169.55 port 50524
	Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
	Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
	Reply-Message = 'F5-LTM-User-Role+=100'
	Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 211 with timestamp +2
Ready to process requests.


*radtest*

$ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient)
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)
Sending Access-Request of id 211 from 0.0.0.0 port 50524 to 198.82.169.55 port 1830
	User-Name = 'dawson'
	NAS-IP-Address = 198.82.169.55
	NAS-Port = 234234
	Message-Authenticator = 0x00
	MS-CHAP-Challenge = 0xa92999be9652acdb
	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
  Code: 1
  Id: 211
  Length: 132
  Vector: b3c92ab8d0c718d8e265b6301bae7a11
  Data: 01  08  64 61 77 73 6f 6e
        04  06  c6 52 a9 37
        05  06  00 03 92 fa
        50  12  14 e7 75 dc 18 fb bb d9 1c 70 79 88 22 6a 3a 22
        1a  10  00 00 01 37 0b 0a a9 29 99 be 96 52 ac db
        1a  3a  00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00
                00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                3e f6 54 05 da 92 2b be 8b 1f 37 ff 9b a6 34 58
                91 7d 6b c4 2c f7 04 c3
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=211, length=127
  Code: 2
  Id: 211
  Length: 127
  Vector: ff52e972ccb4ee95c7b64719c2ea3986
  Data: 12  1b  46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f
                2d 31 2b 3d 22 52 26 44 22
        12  1e  46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74
                69 74 69 6f 6e 2b 3d 22 52 6e 44 22
        12  17  46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65
                2b 3d 31 30 30
        12  1b  46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c
                6c 2b 3d 22 74 6d 73 68 22
	Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
	Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
	Reply-Message = 'F5-LTM-User-Role+=100'
	Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'


*sites-enabled/default*

authorize {
    filter_username
    preprocess
    auth_log

    # Build the user's DN from the supplied name; the group check below uses it.
    update control {
        Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
    }

    -ldap
    pap
    mschap

    # Reject when LDAP returned no NT hash or the account is flagged prohibited.
    if (!(control:NT-Password) || control:Prohibited == TRUE) {
        update control {
            Auth-Type := Reject
        }
    }

    # The user must be a member of the group named in radiusProfileDn.
    if (Ldap-Group != "%{control:Radius-Profile-DN}") {
        update control {
            Auth-Type := Reject
        }
    }
    else {
        update control {
            Auth-Type := Accept
        }
    }
}

authenticate {
    mschap
    pap
}


*mods-enabled/ldap*

update {
        control:Password-With-Header    += 'userPassword'
        control:NT-Password             := 'ntPassword'
        control:Prohibited              := 'prohibited'
        control:Radius-Profile-DN       := 'radiusProfileDn'
        reply:Reply-Message             := 'radiusReplyMessage'
}

user {
        base_dn = "ou=People,${..base_dn}"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        scope = 'sub'
}

group {
        base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
        filter = "(objectClass=groupOfNames)"
        scope = 'base'
        name_attribute = cn
        membership_filter = "(member=%{control:Ldap-UserDn})"
}


*OpenLDAP*

# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entries for the R&D group user accounts
member: uid=dawson,ou=People,ou=NIS,o=vt
radiusReplyMessage: F5-LTM-User-Info-1+="R&D"
radiusReplyMessage: F5-LTM-User-Partition+="RnD"
radiusReplyMessage: F5-LTM-User-Role+=100
radiusReplyMessage: F5-LTM-User-Shell+="tmsh"
objectClass: groupOfNames
objectClass: radiusprofile

# dawson, People, NIS, vt
dn: uid=dawson,ou=People,ou=NIS,o=vt
cn: Jacob M. Dawson
uid: dawson
sn: Dawson
givenName: Jacob
objectClass: inetOrgPerson
objectClass: nisUserAccount
objectClass: radiusprofile
prohibited: FALSE
radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt


*F5 VSAs*

VENDOR      F5              3375

BEGIN-VENDOR    F5

ATTRIBUTE   F5-LTM-User-Role                1   integer
ATTRIBUTE   F5-LTM-User-Role-Universal      2   integer    # enable/disable
ATTRIBUTE   F5-LTM-User-Partition           3   string
ATTRIBUTE   F5-LTM-User-Console             4   integer    # enable/disable
ATTRIBUTE   F5-LTM-User-Shell               5   string     # supported values are disable, tmsh, and bpsh
ATTRIBUTE   F5-LTM-User-Context-1           10  integer
ATTRIBUTE   F5-LTM-User-Context-2           11  integer
ATTRIBUTE   F5-LTM-User-Info-1              12  string
ATTRIBUTE   F5-LTM-User-Info-2              13  string

VALUE   F5-LTM-User-Role        Administrator       0
VALUE   F5-LTM-User-Role        Resource-Admin      20
VALUE   F5-LTM-User-Role        User-Manager        40
VALUE   F5-LTM-User-Role        Manager             100
VALUE   F5-LTM-User-Role        App-Editor          300
VALUE   F5-LTM-User-Role        Operator            400
VALUE   F5-LTM-User-Role        Guest               700
VALUE   F5-LTM-User-Role        Policy-Editor       800
VALUE   F5-LTM-User-Role        No-Access           900

VALUE   F5-LTM-User-Role-Universal  Disabled        0
VALUE   F5-LTM-User-Role-Universal  Enabled         1

VALUE   F5-LTM-User-Console     Disabled        0
VALUE   F5-LTM-User-Console     Enabled         1

END-VENDOR   F5


On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell <
a.cudbardb at freeradius.org> wrote:

>
> On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar at gmail.com>
> wrote:
>
> > Also, the update section under the ldap modules looks like this.
> >
> > update {
> >         control:Password-With-Header    += 'userPassword'
> >         control:NT-Password     := 'ntPassword'
> >         control:Prohibited      := 'prohibited'
> >         control:Group-Membership    :=  'groupMembership'
> >         reply:F5-LTM-User-Info-1    := 'userInfo'
> >         reply:F5-LTM-User-Role      := 'userRole'
> >         reply:F5-LTM-User-Partition := 'userPartition'
> >         reply:F5-LTM-User-Shell     := 'userShell'
> > }
>
> Attributes are not retrieved for groups. You need to add profiles with the
> various reply attributes, and add that profile to the user.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
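A worked check on the packet shown above, added here as an example (it is not part of the thread, not FreeRADIUS code and not the poster's configuration). The radclient hex dump of the Access-Accept shows every attribute starting with type 0x12, which is Reply-Message (18), not 0x1a, Vendor-Specific (26) carrying vendor 3375. That is what the ldap module's `reply:Reply-Message := 'radiusReplyMessage'` mapping produces: the F5 attribute names travel as text inside Reply-Message rather than as F5 VSAs. The script below decodes the page's own Access-Accept bytes with a small RFC 2865 TLV walker, then encodes the same four values as real F5 VSAs using the numbers from the dictionary above, so the two wire forms can be compared. The only inputs are values from the mail; the function names are this example's own.

```python
"""Decode the Access-Accept attributes from the thread and compare them with
F5 VSAs encoded from the same values and the F5 dictionary (vendor 3375).

Added example; not FreeRADIUS code and not the poster's configuration."""
import struct

REPLY_MESSAGE = 18      # RFC 2865 attribute 18, wire type 0x12
VENDOR_SPECIFIC = 26    # RFC 2865 attribute 26, wire type 0x1a
F5_VENDOR_ID = 3375     # VENDOR line of the F5 dictionary above

# Sub-attribute number -> (name, type), transcribed from the F5 dictionary.
F5_DICT = {
    1: ("F5-LTM-User-Role", "integer"),
    2: ("F5-LTM-User-Role-Universal", "integer"),
    3: ("F5-LTM-User-Partition", "string"),
    4: ("F5-LTM-User-Console", "integer"),
    5: ("F5-LTM-User-Shell", "string"),
    10: ("F5-LTM-User-Context-1", "integer"),
    11: ("F5-LTM-User-Context-2", "integer"),
    12: ("F5-LTM-User-Info-1", "string"),
    13: ("F5-LTM-User-Info-2", "string"),
}
F5_BY_NAME = {name: (num, typ) for num, (name, typ) in F5_DICT.items()}

# Attribute bytes of the Access-Accept (id 211, length 127) as radclient printed them.
ACCEPT_DATA_HEX = (
    "12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f 2d 31 2b 3d 22 52 26 44 22"
    " 12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74 69 74 69 6f 6e 2b 3d 22 52 6e 44 22"
    " 12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65 2b 3d 31 30 30"
    " 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c 6c 2b 3d 22 74 6d 73 68 22"
)


def _tlvs(data, offset=0):
    """Yield (type, value) for the RFC 2865 type/length/value run in data."""
    i = offset
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad length %d for attribute %d at offset %d" % (length, typ, i))
        yield typ, data[i + 2:i + length]
        i += length


def decode_attrs(data):
    """Return [(name, value)] with Vendor-Specific expanded; F5 sub-attributes
    are named from F5_DICT, anything else is reported by number."""
    out = []
    for typ, value in _tlvs(data):
        if typ == REPLY_MESSAGE:
            out.append(("Reply-Message", value.decode("utf-8", "replace")))
        elif typ == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("Vendor-Specific shorter than a vendor id")
            vendor = struct.unpack("!I", value[:4])[0]
            for sub, sub_val in _tlvs(value, 4):
                if vendor == F5_VENDOR_ID and sub in F5_DICT:
                    name, f5_type = F5_DICT[sub]
                    if f5_type == "integer":
                        if len(sub_val) != 4:
                            raise ValueError("%s is not a 4-byte integer" % name)
                        out.append((name, struct.unpack("!I", sub_val)[0]))
                    else:
                        out.append((name, sub_val.decode("utf-8", "replace")))
                else:
                    out.append(("Vendor-%d-Attr-%d" % (vendor, sub), sub_val.hex()))
        else:
            out.append(("Attr-%d" % typ, value.hex()))
    return out


def encode_f5_vsa(name, value):
    """Encode one F5 attribute as a Vendor-Specific attribute (type 26)."""
    num, f5_type = F5_BY_NAME[name]
    payload = struct.pack("!I", int(value)) if f5_type == "integer" else str(value).encode("utf-8")
    body = struct.pack("!I", F5_VENDOR_ID) + bytes([num, 2 + len(payload)]) + payload
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single RADIUS TLV")
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def has_f5_vsa(data):
    """True if any decoded attribute is an F5 VSA from the dictionary."""
    return any(name in F5_BY_NAME for name, _ in decode_attrs(data))


def intended_f5_reply():
    """The four values held by the LDAP profile entry, encoded as F5 VSAs."""
    return b"".join(encode_f5_vsa(n, v) for n, v in [
        ("F5-LTM-User-Info-1", "R&D"),
        ("F5-LTM-User-Partition", "RnD"),
        ("F5-LTM-User-Role", 100),
        ("F5-LTM-User-Shell", "tmsh"),
    ])


if __name__ == "__main__":
    accept = bytes.fromhex(ACCEPT_DATA_HEX)
    print("Access-Accept from the thread carries F5 VSAs:", has_f5_vsa(accept))
    for name, value in decode_attrs(accept):
        print("  %s = %r" % (name, value))
    print("Same values encoded as F5 VSAs:")
    for name, value in decode_attrs(intended_f5_reply()):
        print("  %s = %r" % (name, value))
```

Run stand-alone it reports that the captured Access-Accept carries no F5 VSA, lists the four Reply-Message strings, and then prints the same values decoded back out of proper Vendor-Specific attributes (an F5-LTM-User-Role of 100 encodes as `1a 0c 00 00 0d 2f 01 06 00 00 00 64`). A BIG-IP only acts on the vendor-specific form, so the thing to verify on the server side is that the reply list ends up containing attributes named from the F5 dictionary, as the earlier `reply:F5-LTM-User-Role := 'userRole'` style of mapping in the quoted update section would have done, rather than Reply-Message text.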