Hi Arran, Thank you so much for the reply. I have made the above changes and I can see the attributes in the reply message (Access-accept packet). Although, I am not sure if this is what it should look like. I have not tested it with F5 but just want to make sure that I am heading in the right direction. Below is the debug and some configurations from FreeRADIUS and OpenLDAP. Please let me know your thoughts. Thank you. *RADIUS debug* rad_recv: Access-Request packet from host 198.82.169.55 port 50524, id=211, length=132 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x14e775dc18fbbbd91c707988226a3a22 MS-CHAP-Challenge = 0xa92999be9652acdb MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3 (0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'dawson' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140520' (0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140520 (0) auth_log : expand: "%t" -> 'Tue May 20 11:37:46 2014' (0) [auth_log] = ok (0) update control { (0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt' (0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt" (0) } # update control = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))' (0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt' (0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt" (0) ldap : expand: "(&)" -> '(&)' (0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)' (0) ldap : Waiting for search result... (0) ldap : Processing profile attributes (0) ldap : reply:Reply-Message := 'F5-LTM-User-Info-1+=\"R&D\"' (0) ldap : reply:Reply-Message := 'F5-LTM-User-Partition+=\"RnD\"' (0) ldap : reply:Reply-Message := 'F5-LTM-User-Role+=100' (0) ldap : reply:Reply-Message := 'F5-LTM-User-Shell+=\"tmsh\"' (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD' (0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11' (0) ldap : control:Prohibited := FALSE (0) ldap : control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' rlm_ldap (ldap): Released connection (4) (0) [-ldap] = ok (0) pap : Normalizing NT-Password from hex encoding (0) pap : Normalizing SSHA1-Password from base64 encoding (0) pap : No clear-text password in the request. Not performing PAP. (0) [pap] = noop (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") (0) expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' (0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt" rlm_ldap (ldap): Reserved connection (4) (0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt" (0) Checking for user in group objects (0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Waiting for search result... (0) User found in group object rlm_ldap (ldap): Released connection (4) (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE (0) else else { (0) update control { (0) Auth-Type := Accept (0) } # update control = noop (0) } # else else = noop (0) ? if ("%{reply:F5-LTM-User-Info-1}") (0) expand: "%{reply:F5-LTM-User-Info-1}" -> '' (0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user *(0) WARNING: Empty post-auth section. Using default return values.* (0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default Sending Access-Accept of id 211 from 198.82.169.55 port 1830 to 198.82.169.55 port 50524 Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"' Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"' Reply-Message = 'F5-LTM-User-Role+=100' Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"' (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 211 with timestamp +2 *Ready to process requests.* *radtest* $ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123 /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient) /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so) Sending Access-Request of id 211 from 0.0.0.0 port 50524 to 198.82.169.55 port 1830 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0xa92999be9652acdb MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3 Code: 1 Id: 211 Length: 132 Vector: b3c92ab8d0c718d8e265b6301bae7a11 Data: 01 08 64 61 77 73 6f 6e 04 06 c6 52 a9 37 05 06 00 03 92 fa 50 12 14 e7 75 dc 18 fb bb d9 1c 70 79 88 22 6a 3a 22 1a 10 00 00 01 37 0b 0a a9 29 99 be 96 52 ac db 1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e f6 54 05 da 92 2b be 8b 1f 37 ff 9b a6 34 58 91 7d 6b c4 2c f7 04 c3 rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=211, length=127 Code: 2 Id: 211 Length: 127 Vector: ff52e972ccb4ee95c7b64719c2ea3986 Data: 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f 2d 31 2b 3d 22 52 26 44 22 12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74 69 74 69 6f 6e 2b 3d 22 52 6e 44 22 12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65 2b 3d 31 30 30 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c 6c 2b 3d 22 74 6d 73 68 22 Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"' Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"' Reply-Message = 'F5-LTM-User-Role+=100' Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"' *sites-enabled/default* authorize { filter_username preprocess auth_log update control{ Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt" } -ldap pap mschap if(!(control:NT-Password) || control:Prohibited == TRUE){ update control{ Auth-Type := Reject } } if(Ldap-Group != "%{control:Radius-Profile-DN}"){ update control{ Auth-Type:=Reject } } else{ update control{ Auth-Type:=Accept } } authenticate { mschap pap } *mods-enabled/ldap* update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Radius-Profile-DN := 'radiusProfileDn' reply:Reply-Message := 'radiusReplyMessage' } user { base_dn = "ou=People,${..base_dn}" filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" scope = 'sub' } group { base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}" filter = "(objectClass=groupOfNames)" scope = 'base' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" } *OpenLDAP* # R&D, Groups, F5, Configuration, NIS, vt dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt cn: R&D description: Entiries for the R&D group user accounts member: uid=dawson,ou=People,ou=NIS,o=vt radiusReplyMessage: F5-LTM-User-Info-1+="R&D" radiusReplyMessage: F5-LTM-User-Partition+="RnD" radiusReplyMessage: F5-LTM-User-Role+=100 radiusReplyMessage: F5-LTM-User-Shell+="tmsh" objectClass: groupOfNames objectClass: radiusprofile # dawson, People, NIS, vt dn: uid=dawson,ou=People,ou=NIS,o=vt cn: Jacob M. Dawson uid: dawson sn: Dawson givenName: Jacob objectClass: inetOrgPerson objectClass: nisUserAccount objectClass: radiusprofile prohibited: FALSE radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt *F5 VSAs* VENDOR F5 3375 BEGIN-VENDOR F5 ATTRIBUTE F5-LTM-User-Role 1 integer ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable ATTRIBUTE F5-LTM-User-Partition 3 string ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh ATTRIBUTE F5-LTM-User-Context-1 10 integer ATTRIBUTE F5-LTM-User-Context-2 11 integer ATTRIBUTE F5-LTM-User-Info-1 12 string ATTRIBUTE F5-LTM-User-Info-2 13 string VALUE F5-LTM-User-Role Administrator 0 VALUE F5-LTM-User-Role Resource-Admin 20 VALUE F5-LTM-User-Role User-Manager 40 VALUE F5-LTM-User-Role Manager 100 VALUE F5-LTM-User-Role App-Editor 300 VALUE F5-LTM-User-Role Operator 400 VALUE F5-LTM-User-Role Guest 700 VALUE F5-LTM-User-Role Policy-Editor 800 VALUE F5-LTM-User-Role No-Access 900 VALUE F5-LTM-User-Role-Universal Disabled 0 VALUE F5-LTM-User-Role-Universal Enabled 1 VALUE F5-LTM-User-Console Disabled 0 VALUE F5-LTM-User-Console Enabled 1 END-VENDOR F5 On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:
Also, the update section under the ldap modules looks like this.
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Group-Membership := 'groupMembership' reply:F5-LTM-User-Info-1 := 'userInfo' reply:F5-LTM-User-Role := 'userRole' reply:F5-LTM-User-Partition := 'userPartition' reply:F5-LTM-User-Shell := 'userShell' }
Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html