RADIUS debug
rad_recv: Access-Request packet from host 198.82.169.55 port 50524, id=211, length=132
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x14e775dc18fbbbd91c707988226a3a22
MS-CHAP-Challenge = 0xa92999be9652acdb
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
(0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140520'
(0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140520
(0) auth_log : expand: "%t" -> 'Tue May 20 11:37:46 2014'
(0) [auth_log] = ok
(0) update control {
(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt'
(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
(0) } # update control = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))'
(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
(0) ldap : expand: "(&)" -> '(&)'
(0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)'
(0) ldap : Waiting for search result...
(0) ldap : Processing profile attributes
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Info-1+=\"R&D\"'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Partition+=\"RnD\"'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Role+=100'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Shell+=\"tmsh\"'
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
(0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
(0) ldap : control:Prohibited := FALSE
(0) ldap : control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
rlm_ldap (ldap): Released connection (4)
(0) [-ldap] = ok
(0) pap : Normalizing NT-Password from hex encoding
(0) pap : Normalizing SSHA1-Password from base64 encoding
(0) pap : No clear-text password in the request. Not performing PAP.
(0) [pap] = noop
(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}")
(0) expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
(0) Checking for user in group objects
(0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Waiting for search result...
(0) User found in group object
rlm_ldap (ldap): Released connection (4)
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE
(0) else else {
(0) update control {
(0) Auth-Type := Accept
(0) } # update control = noop
(0) } # else else = noop
(0) ? if ("%{reply:F5-LTM-User-Info-1}")
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) WARNING: Empty post-auth section. Using default return values.
(0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
Sending Access-Accept of id 211 from 198.82.169.55 port 1830 to 198.82.169.55 port 50524
Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
Reply-Message = 'F5-LTM-User-Role+=100'
Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 211 with timestamp +2
Ready to process requests.
radtest
$ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient)
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)
Sending Access-Request of id 211 from 0.0.0.0 port 50524 to 198.82.169.55 port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0xa92999be9652acdb
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
Code: 1
Id: 211
Length: 132
Vector: b3c92ab8d0c718d8e265b6301bae7a11
Data: 01 08 64 61 77 73 6f 6e
04 06 c6 52 a9 37
05 06 00 03 92 fa
50 12 14 e7 75 dc 18 fb bb d9 1c 70 79 88 22 6a 3a 22
1a 10 00 00 01 37 0b 0a a9 29 99 be 96 52 ac db
1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3e f6 54 05 da 92 2b be 8b 1f 37 ff 9b a6 34 58
91 7d 6b c4 2c f7 04 c3
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=211, length=127
Code: 2
Id: 211
Length: 127
Vector: ff52e972ccb4ee95c7b64719c2ea3986
Data: 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f
2d 31 2b 3d 22 52 26 44 22
12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74
69 74 69 6f 6e 2b 3d 22 52 6e 44 22
12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65
2b 3d 31 30 30
12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c
6c 2b 3d 22 74 6d 73 68 22
Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
Reply-Message = 'F5-LTM-User-Role+=100'
Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'
sites-enabled/default
authorize {
filter_username
preprocess
auth_log
update control{
Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
}
-ldap
pap
mschap
if(!(control:NT-Password) || control:Prohibited == TRUE){
update control{
Auth-Type := Reject
}
}
if(Ldap-Group != "%{control:Radius-Profile-DN}"){
update control{
Auth-Type:=Reject
}
}
else{
update control{
Auth-Type:=Accept
}
}
authenticate {
mschap
pap
}
mods-enabled/ldap
update {
control:Password-With-Header += 'userPassword'
control:NT-Password := 'ntPassword'
control:Prohibited := 'prohibited'
control:Radius-Profile-DN := 'radiusProfileDn'
reply:Reply-Message := 'radiusReplyMessage'
}
user {
base_dn = "ou=People,${..base_dn}"
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
scope = 'sub'
}
group {
base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
filter = "(objectClass=groupOfNames)"
scope = 'base'
name_attribute = cn
membership_filter = "(member=%{control:Ldap-UserDn})"
}
OpenLDAP
# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entiries for the R&D group user accounts
member: uid=dawson,ou=People,ou=NIS,o=vt
radiusReplyMessage: F5-LTM-User-Info-1+="R&D"
radiusReplyMessage: F5-LTM-User-Partition+="RnD"
radiusReplyMessage: F5-LTM-User-Role+=100
radiusReplyMessage: F5-LTM-User-Shell+="tmsh"
objectClass: groupOfNames
objectClass: radiusprofile
# dawson, People, NIS, vt
dn: uid=dawson,ou=People,ou=NIS,o=vt
cn: Jacob M. Dawson
uid: dawson
sn: Dawson
givenName: Jacob
objectClass: inetOrgPerson
objectClass: nisUserAccount
objectClass: radiusprofile
prohibited: FALSE
radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
F5 VSAs
VENDOR F5 3375
BEGIN-VENDOR F5
ATTRIBUTE F5-LTM-User-Role 1 integer
ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable
ATTRIBUTE F5-LTM-User-Partition 3 string
ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable
ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh
ATTRIBUTE F5-LTM-User-Context-1 10 integer
ATTRIBUTE F5-LTM-User-Context-2 11 integer
ATTRIBUTE F5-LTM-User-Info-1 12 string
ATTRIBUTE F5-LTM-User-Info-2 13 string
VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Resource-Admin 20
VALUE F5-LTM-User-Role User-Manager 40
VALUE F5-LTM-User-Role Manager 100
VALUE F5-LTM-User-Role App-Editor 300
VALUE F5-LTM-User-Role Operator 400
VALUE F5-LTM-User-Role Guest 700
VALUE F5-LTM-User-Role Policy-Editor 800
VALUE F5-LTM-User-Role No-Access 900
VALUE F5-LTM-User-Role-Universal Disabled 0
VALUE F5-LTM-User-Role-Universal Enabled 1
VALUE F5-LTM-User-Console Disabled 0
VALUE F5-LTM-User-Console Enabled 1
END-VENDOR F5
Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user.
On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:
> Also, the update section under the ldap modules looks like this.
>
> update {
> control:Password-With-Header += 'userPassword'
> control:NT-Password := 'ntPassword'
> control:Prohibited := 'prohibited'
> control:Group-Membership := 'groupMembership'
> reply:F5-LTM-User-Info-1 := 'userInfo'
> reply:F5-LTM-User-Role := 'userRole'
> reply:F5-LTM-User-Partition := 'userPartition'
> reply:F5-LTM-User-Shell := 'userShell'
> }
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html