<div dir="ltr">Hi Arran,<div><br></div><div>Thank you so much for the reply. I have made the above changes and I can see the attributes in the reply message (Access-Accept packet).</div><div>I am not sure, though, whether this is what it should look like. I have not tested it with F5, but I just want to make sure that I am heading in the right direction.</div>
<div>Below are the debug output and some configuration from FreeRADIUS and OpenLDAP.</div><div><br></div><div>Please let me know your thoughts.</div><div><br></div><div>Thank you.</div><div><br></div>
<div><p style="margin:0px;font-size:14px;font-family:Menlo"><span style="text-decoration:underline"><b>RADIUS debug</b></span></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">rad_recv: Access-Request packet from host 198.82.169.55 port 50524, id=211, length=132</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>User-Name = 'dawson'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>NAS-IP-Address = 198.82.169.55</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>NAS-Port = 234234</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Message-Authenticator = 0x14e775dc18fbbbd91c707988226a3a22</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>MS-CHAP-Challenge = 0xa92999be9652acdb</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) authorize {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) filter_username filter_username {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name != "%{tolower:%{User-Name}}") </p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) <span class="" style="white-space:pre"> </span>expand: "%{tolower:%{User-Name}}" -> 'dawson'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ / /) </p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ / /) -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ /@.*@/ ) </p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ /@.*@/ ) -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ /\\.\\./ ) </p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) </p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ /\\.$/) </p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ /\\.$/) -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ /@\\./) </p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (User-Name =~ /@\\./) -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) } # filter_username filter_username = notfound</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) [preprocess] = ok</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) auth_log : <span class="" style="white-space:pre"> </span>expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/<a href="http://198.82.169.55/auth-detail-20140520">198.82.169.55/auth-detail-20140520</a>'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/<a href="http://198.82.169.55/auth-detail-20140520">198.82.169.55/auth-detail-20140520</a></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) auth_log : <span class="" style="white-space:pre"> </span>expand: "%t" -> 'Tue May 20 11:37:46 2014'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) [auth_log] = ok</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) update control {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) <span class="" style="white-space:pre"> </span>expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) <span class="" style="white-space:pre"> </span>Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) } # update control = noop</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">rlm_ldap (ldap): Reserved connection (4)</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : Waiting for search result...</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>expand: "(&)" -> '(&)'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : Waiting for search result...</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : Processing profile attributes</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>reply:Reply-Message := 'F5-LTM-User-Info-1+=\"R&D\"'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>reply:Reply-Message := 'F5-LTM-User-Partition+=\"RnD\"'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>reply:Reply-Message := 'F5-LTM-User-Role+=100'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>reply:Reply-Message := 'F5-LTM-User-Shell+=\"tmsh\"'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : Processing user attributes</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>control:Prohibited := FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ldap : <span class="" style="white-space:pre"> </span>control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">rlm_ldap (ldap): Released connection (4)</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) [-ldap] = ok</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) pap : Normalizing NT-Password from hex encoding</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) pap : Normalizing SSHA1-Password from base64 encoding</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) pap : No clear-text password in the request. Not performing PAP.</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) [pap] = noop</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) [mschap] = ok</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}")</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) <span class="" style="white-space:pre"> </span>expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">rlm_ldap (ldap): Reserved connection (4)</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) Checking for user in group objects</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) <span class="" style="white-space:pre"> </span>expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) Waiting for search result...</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) User found in group object</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">rlm_ldap (ldap): Released connection (4)</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) else else {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) update control {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) <span class="" style="white-space:pre"> </span>Auth-Type := Accept</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) } # update control = noop</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) } # else else = noop</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if ("%{reply:F5-LTM-User-Info-1}")</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) <span class="" style="white-space:pre"> </span>expand: "%{reply:F5-LTM-User-Info-1}" -> ''</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) } # authorize = ok</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) Found Auth-Type = Accept</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) Auth-Type = Accept, accepting the user</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><b>(0) WARNING: Empty post-auth section. Using default return values.</b></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">Sending Access-Accept of id 211 from 198.82.169.55 port 1830 to 198.82.169.55 port 50524</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Reply-Message = 'F5-LTM-User-Role+=100'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) Finished request 0.</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">Waking up in 0.3 seconds.</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">Waking up in 4.6 seconds.</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">(0) Cleaning up request packet ID 211 with timestamp +2</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><b>Ready to process requests.</b></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><b></b><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><b></b><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><b></b><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span style="text-decoration:underline"><b>radtest</b></span></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><b></b><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">$ radtest -t mschap -x dawson wakkawakka <a href="http://198.82.169.55:1830">198.82.169.55:1830</a> 234234 testing123</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient)</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">Sending Access-Request of id 211 from 0.0.0.0 port 50524 to 198.82.169.55 port 1830</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>User-Name = 'dawson'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>NAS-IP-Address = 198.82.169.55</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>NAS-Port = 234234</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Message-Authenticator = 0x00</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>MS-CHAP-Challenge = 0xa92999be9652acdb</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Code:<span class="" style="white-space:pre"> </span>1</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Id:<span class="" style="white-space:pre"> </span>211</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Length:<span class="" style="white-space:pre"> </span>132</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Vector:<span class="" style="white-space:pre"> </span>b3c92ab8d0c718d8e265b6301bae7a11</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Data:<span class="" style="white-space:pre"> </span>01 08 64 61 77 73 6f 6e </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>04 06 c6 52 a9 37 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>05 06 00 03 92 fa </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>50 12 14 e7 75 dc 18 fb bb d9 1c 70 79 88 22 6a 3a 22 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>1a 10 00 00 01 37 0b 0a a9 29 99 be 96 52 ac db </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>3e f6 54 05 da 92 2b be 8b 1f 37 ff 9b a6 34 58 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>91 7d 6b c4 2c f7 04 c3 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo">rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=211, length=127</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Code:<span class="" style="white-space:pre"> </span>2</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Id:<span class="" style="white-space:pre"> </span>211</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Length:<span class="" style="white-space:pre"> </span>127</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Vector:<span class="" style="white-space:pre"> </span>ff52e972ccb4ee95c7b64719c2ea3986</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Data:<span class="" style="white-space:pre"> </span>12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>2d 31 2b 3d 22 52 26 44 22 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>69 74 69 6f 6e 2b 3d 22 52 6e 44 22 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>2b 3d 31 30 30 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>6c 2b 3d 22 74 6d 73 68 22 </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Reply-Message = 'F5-LTM-User-Role+=100'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span class="" style="white-space:pre"> </span>Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span style="text-decoration:underline"><b>sites-enabled/default</b></span></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><span style="text-decoration:underline"><b></b></span><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">authorize {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> filter_username</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> preprocess</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> auth_log</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"> </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> update control{</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> }</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"> </p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> -ldap</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> pap</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> mschap</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> if(!(control:NT-Password) || control:Prohibited == TRUE){</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> update control{</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Auth-Type := Reject</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> }</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> }</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> if(Ldap-Group != "%{control:Radius-Profile-DN}"){</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> update control{</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Auth-Type:=Reject</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> }</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> }</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> else{</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> update control{</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> Auth-Type:=Accept</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> }</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> }</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">}</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">authenticate {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> mschap</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> pap</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">}</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span style="text-decoration:underline"><b>mods-enabled/ldap</b></span></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><span style="text-decoration:underline"><b></b></span><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">update {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> control:Password-With-Header += 'userPassword'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> control:NT-Password := 'ntPassword'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> control:Prohibited := 'prohibited'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> control:Radius-Profile-DN := 'radiusProfileDn'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> reply:Reply-Message := 'radiusReplyMessage'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">}</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">user {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> base_dn = "ou=People,${..base_dn}"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> scope = 'sub'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">}</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">group {</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> filter = "(objectClass=groupOfNames)"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> scope = 'base'</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> name_attribute = cn</p>
<p style="margin:0px;font-size:14px;font-family:Menlo"> membership_filter = "(member=%{control:Ldap-UserDn})"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">}</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span style="text-decoration:underline"><b>OpenLDAP</b></span></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><span style="text-decoration:underline"><b></b></span><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo"># R&D, Groups, F5, Configuration, NIS, vt</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">cn: R&D</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">description: Entiries for the R&D group user accounts</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">member: uid=dawson,ou=People,ou=NIS,o=vt</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">radiusReplyMessage: F5-LTM-User-Info-1+="R&D"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">radiusReplyMessage: F5-LTM-User-Partition+="RnD"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">radiusReplyMessage: F5-LTM-User-Role+=100</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">radiusReplyMessage: F5-LTM-User-Shell+="tmsh"</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">objectClass: groupOfNames</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">objectClass: radiusprofile</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo"># dawson, People, NIS, vt</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">dn: uid=dawson,ou=People,ou=NIS,o=vt</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">cn: Jacob M. Dawson</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">uid: dawson</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">sn: Dawson</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">givenName: Jacob</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">objectClass: inetOrgPerson</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">objectClass: nisUserAccount</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">objectClass: radiusprofile</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">prohibited: FALSE</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo"><span style="text-decoration:underline"><b>F5 VSAs</b></span></p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><span style="text-decoration:underline"><b></b></span><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VENDOR F5 3375</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">BEGIN-VENDOR F5</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">ATTRIBUTE F5-LTM-User-Role 1 integer</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">ATTRIBUTE F5-LTM-User-Partition 3 string</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">ATTRIBUTE F5-LTM-User-Context-1 10 integer</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">ATTRIBUTE F5-LTM-User-Context-2 11 integer</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">ATTRIBUTE F5-LTM-User-Info-1 12 string</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">ATTRIBUTE F5-LTM-User-Info-2 13 string</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role Administrator 0</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role Resource-Admin 20</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role User-Manager 40</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role Manager 100</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role App-Editor 300</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role Operator 400</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role Guest 700</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role Policy-Editor 800</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role No-Access 900</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role-Universal Disabled 0</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Role-Universal Enabled 1</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Console Disabled 0</p>
<p style="margin:0px;font-size:14px;font-family:Menlo">VALUE F5-LTM-User-Console Enabled 1</p>
<p style="margin:0px;font-size:14px;font-family:Menlo;min-height:16px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Menlo">END-VENDOR F5</p></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell <span dir="ltr"><<a href="mailto:a.cudbardb@freeradius.org" target="_blank">a.cudbardb@freeradius.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=""><br>
On 19 May 2014, at 20:36, Ajinkya Fotedar <<a href="mailto:ajinkyafotedar@gmail.com">ajinkyafotedar@gmail.com</a>> wrote:<br>
<br>
> Also, the update section under the ldap modules looks like this.<br>
><br>
> update {<br>
> control:Password-With-Header += 'userPassword'<br>
> control:NT-Password := 'ntPassword'<br>
> control:Prohibited := 'prohibited'<br>
> control:Group-Membership := 'groupMembership'<br>
> reply:F5-LTM-User-Info-1 := 'userInfo'<br>
> reply:F5-LTM-User-Role := 'userRole'<br>
> reply:F5-LTM-User-Partition := 'userPartition'<br>
> reply:F5-LTM-User-Shell := 'userShell'<br>
> }<br>
<br>
</div>Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user.<br>
<br>
-Arran<br>
<br>
Arran Cudbard-Bell <<a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a>><br>
FreeRADIUS Development Team<br>
<br>
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2<br>
<br>
<br>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></blockquote></div><br></div>
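<div>Added example (editor's note, not part of this thread and not FreeRADIUS or F5 code): the Access-Accept dumped above carries the F5 settings as four Reply-Message attributes (type 18, the <code>12</code> leading each TLV in the "Data:" lines), which is exactly what the <code>reply:Reply-Message := 'radiusReplyMessage'</code> map produces, and not as Vendor-Specific attributes (type 26) with vendor 3375 as the F5 dictionary defines them. The debug line <code>if ("%{reply:F5-LTM-User-Info-1}") -> FALSE</code> says the same thing: no F5 VSA is in the reply list. A NAS acts on vendor attributes it can decode; Reply-Message is free text it will at most display, so role, partition and shell would not be applied from this reply. The script below parses the attribute bytes exactly as radtest printed them, reports which F5 VSAs are present (none), shows the Microsoft VSA from the request for comparison, and encodes the same four values per RFC 2865 section 5.26 and the F5 dictionary. The sample bytes are copied from the dumps in this message; the function names and the re-encoded output are this example's own.</div>

```python
"""
Decode RADIUS attribute TLVs from the radtest dumps in this thread and check
whether F5 settings travel as real Vendor-Specific attributes (type 26,
vendor 3375) or only as Reply-Message (type 18) text.  Added example; the
sample bytes are copied from the message above, the encoder follows
RFC 2865 section 5.26.
"""
import struct

REPLY_MESSAGE = 18
VENDOR_SPECIFIC = 26
F5_VENDOR_ID = 3375          # "VENDOR F5 3375" in the dictionary posted above
MICROSOFT_VENDOR_ID = 311    # 0x137 in the Access-Request dump (MS-CHAP)

# Vendor types from the posted F5 dictionary
F5_ATTR_ROLE, F5_ATTR_PARTITION, F5_ATTR_SHELL, F5_ATTR_INFO_1 = 1, 3, 5, 12

# Attribute bytes of the Access-Accept exactly as radtest printed them above.
ACCEPT_DATA = bytes.fromhex(
    "12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f "
    "2d 31 2b 3d 22 52 26 44 22 "
    "12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74 "
    "69 74 69 6f 6e 2b 3d 22 52 6e 44 22 "
    "12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65 "
    "2b 3d 31 30 30 "
    "12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c "
    "6c 2b 3d 22 74 6d 73 68 22"
)

# The MS-CHAP-Challenge VSA from the Access-Request dump, for comparison.
REQUEST_VSA = bytes.fromhex("1a 10 00 00 01 37 0b 0a a9 29 99 be 96 52 ac db")


def parse_attributes(data):
    """Walk RFC 2865 type/length/value attributes.  VSAs (type 26) come back
    as (26, vendor_id, vendor_type, value); everything else as (type, value)."""
    out = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            # RFC 2865 5.26 recommended layout: vendor-type, vendor-length, data
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("vendor length mismatch")
            out.append((atype, vendor_id, vtype, value[6:]))
        else:
            out.append((atype, value))
        pos += alen
    return out


def f5_attributes(data):
    """Return {vendor_type: value} for VSAs that belong to F5 (vendor 3375)."""
    return {a[2]: a[3] for a in parse_attributes(data)
            if a[0] == VENDOR_SPECIFIC and a[1] == F5_VENDOR_ID}


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute; ints become 32-bit big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    body = struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value
    if len(body) + 2 > 255:
        raise ValueError("attribute exceeds the 253-byte value limit")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def encode_f5_reply(role, partition, shell, info1):
    """The four F5 VSAs from the posted dictionary, as a NAS expects them."""
    return (encode_vsa(F5_VENDOR_ID, F5_ATTR_ROLE, role)
            + encode_vsa(F5_VENDOR_ID, F5_ATTR_PARTITION, partition.encode())
            + encode_vsa(F5_VENDOR_ID, F5_ATTR_SHELL, shell.encode())
            + encode_vsa(F5_VENDOR_ID, F5_ATTR_INFO_1, info1.encode()))


if __name__ == "__main__":
    for attr in parse_attributes(ACCEPT_DATA):
        print(attr)                                   # four (18, b'...') tuples
    print("F5 VSAs in Access-Accept:", f5_attributes(ACCEPT_DATA))   # {}
    print("MS-CHAP VSA in request:", parse_attributes(REQUEST_VSA))
    fixed = encode_f5_reply(100, "RnD", "tmsh", "R&D")
    print("F5 VSAs after re-encoding:", f5_attributes(fixed))
```

<div>Design note: rlm_ldap in FreeRADIUS 3.0 runs the same <code>update {}</code> map over profile objects that it runs over the user object (the "Processing profile attributes" lines above show the profile's <code>radiusReplyMessage</code> values going through the <code>reply:Reply-Message</code> map), so the mapping from the earlier message in this thread (<code>reply:F5-LTM-User-Role := 'userRole'</code> and friends), with the values stored on the profile entry that <code>radiusProfileDn</code> points at, is what yields type-26 F5 VSAs in the Access-Accept. Whether the directory schema allows those attributes on the profile object is an assumption here, not something this thread shows.</div>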