$ radtest jsmith test 192.168.1.100 0 secret
Sending Access-Request of id 187 to 192.168.1.100 port 1812
User-Name = "jsmith"
User-Password = "test"
NAS-IP-Address = 192.168.1.100
NAS-Port = 0
rad_recv: Access-Accept packet from host 192.168.1.100 port 1812, id=187, length=112
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
F5-LTM-User-Role = Manager
F5-LTM-User-Info-1 = "mgmt"
F5-LTM-User-Partition = "admin"
F5-LTM-User-Shell = "tmsh"
$ radtest -t mschap dawson wakkawakka 198.82.169.55:1830 234234 testing123
Sending Access-Request of id 48 from 0.0.0.0 port 33814 to 198.82.169.55 port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0x45c9d617e4bbadea
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000079a2d20cd58f9af0c5957ede5deaf85b04b2dd9bec6104eb
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=48, length=153
F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"'
RADIUS debug
rad_recv: Access-Request packet from host 198.82.169.55 port 34716, id=142, length=132
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0xa28852d05f29ba0fac4c4b1046e4178c
MS-CHAP-Challenge = 0x4e9904591878fd82
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000606a875cc1203e10b37861612644c9e3f4e709f7e56f53b9
(0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140521'
(0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140521
(0) auth_log : expand: "%t" -> 'Wed May 21 08:31:51 2014'
(0) [auth_log] = ok
(0) update control {
(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt'
(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
(0) } # update control = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))'
(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
(0) ldap : expand: "(&)" -> '(&)'
(0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)'
(0) ldap : Waiting for search result...
(0) ldap : Processing profile attributes
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Info-1+=\"R&D\"'
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Partition+=\"RnD\"'
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Role+=\"100\"'
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Shell+=\"tmsh\"'
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
(0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
(0) ldap : control:Prohibited := FALSE
(0) ldap : control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)
(0) [-ldap] = ok
(0) pap : Normalizing NT-Password from hex encoding
(0) pap : Normalizing SSHA1-Password from base64 encoding
(0) pap : No clear-text password in the request. Not performing PAP.
(0) [pap] = noop
(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}")
(0) expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
(0) Checking for user in group objects
(0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Waiting for search result...
(0) User found in group object
rlm_ldap (ldap): Released connection (4)
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE
(0) else else {
(0) update control {
(0) Auth-Type := Accept
(0) } # update control = noop
(0) } # else else = noop
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) WARNING: Empty post-auth section. Using default return values.
(0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
Sending Access-Accept of id 142 from 198.82.169.55 port 1830 to 198.82.169.55 port 34716
F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"'
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 142 with timestamp +12
Ready to process requests.
radtest
$ radtest -t mschap dawson wakkawakka 198.82.169.55:1830 234234 testing123
Sending Access-Request of id 48 from 0.0.0.0 port 33814 to 198.82.169.55 port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0x45c9d617e4bbadea
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000079a2d20cd58f9af0c5957ede5deaf85b04b2dd9bec6104eb
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=48, length=153
F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"'
sites-enabled/default
authorize {
filter_username
preprocess
auth_log
update control{
Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
}
-ldap
pap
mschap
if(!(control:NT-Password) || control:Prohibited == TRUE){
update control{
Auth-Type := Reject
}
}
if(Ldap-Group != "%{control:Radius-Profile-DN}"){
update control{
Auth-Type:=Reject
}
}
else{
update control{
Auth-Type:=Accept
}
}
authenticate {
mschap
pap
}
mods-enabled/ldap
update {
control:Password-With-Header += 'userPassword'
control:NT-Password := 'ntPassword'
control:Prohibited := 'prohibited'
control:Radius-Profile-DN := 'radiusProfileDn'
reply:F5-LTM-User-Info-1 := 'radiusReplyItem'
#reply:Reply-Message := 'radiusReplyMessage'
}
user {
base_dn = "ou=People,${..base_dn}"
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
scope = 'sub'
}
group {
base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
filter = "(objectClass=groupOfNames)"
scope = 'base'
name_attribute = cn
membership_filter = "(member=%{control:Ldap-UserDn})"
}
OpenLDAP
# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entiries for the R&D group user accounts
member: uid=dawson,ou=People,ou=NIS,o=vt
radiusReplyItem: F5-LTM-User-Info-1+="R&D"
radiusReplyItem: F5-LTM-User-Partition+="RnD"
radiusReplyItem: F5-LTM-User-Role+=100
radiusReplyItem: F5-LTM-User-Shell+="tmsh"
objectClass: groupOfNames
objectClass: radiusprofile
# dawson, People, NIS, vt
dn: uid=dawson,ou=People,ou=NIS,o=vt
cn: Jacob M. Dawson
uid: dawson
sn: Dawson
givenName: Jacob
objectClass: inetOrgPerson
objectClass: nisUserAccount
objectClass: radiusprofile
prohibited: FALSE
radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
F5 VSAs
VENDOR F5 3375
BEGIN-VENDOR F5
ATTRIBUTE F5-LTM-User-Role 1 integer
ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable
ATTRIBUTE F5-LTM-User-Partition 3 string
ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable
ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh
ATTRIBUTE F5-LTM-User-Context-1 10 integer
ATTRIBUTE F5-LTM-User-Context-2 11 integer
ATTRIBUTE F5-LTM-User-Info-1 12 string
ATTRIBUTE F5-LTM-User-Info-2 13 string
VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Resource-Admin 20
VALUE F5-LTM-User-Role User-Manager 40
VALUE F5-LTM-User-Role Manager 100
VALUE F5-LTM-User-Role App-Editor 300
VALUE F5-LTM-User-Role Operator 400
VALUE F5-LTM-User-Role Guest 700
VALUE F5-LTM-User-Role Policy-Editor 800
VALUE F5-LTM-User-Role No-Access 900
VALUE F5-LTM-User-Role-Universal Disabled 0
VALUE F5-LTM-User-Role-Universal Enabled 1
VALUE F5-LTM-User-Console Disabled 0
VALUE F5-LTM-User-Console Enabled 1
END-VENDOR F5
Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user.
On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:
> Also, the update section under the ldap modules looks like this.
>
> update {
> control:Password-With-Header += 'userPassword'
> control:NT-Password := 'ntPassword'
> control:Prohibited := 'prohibited'
> control:Group-Membership := 'groupMembership'
> reply:F5-LTM-User-Info-1 := 'userInfo'
> reply:F5-LTM-User-Role := 'userRole'
> reply:F5-LTM-User-Partition := 'userPartition'
> reply:F5-LTM-User-Shell := 'userShell'
> }
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html