Hi, I am trying to send F5 vendor-specific attributes in the Access-Accept packet. When freeradius (ldap module) searches and finds a specific user in openldap, It processes the user's attributes and adds them to the control list. One of the attributes specifies the group that user account belongs to. The next step is to find that user in the specified group, which is successful. Only this time, there are some F5 VSAs that are not getting added to the reply list. When I pass those VSAs in the Access-Accept packet, I see them as Attr-26 = 0x00000d2f I have read the rlm_ldap and related documentation on the wiki. I am not sure why I don't see the value of F5 VSAs in the reply as I can definitely process the attributes defined for a user account under the People subtree. Below is the debug output and some configuration. Can anyone point me to the right direction. Thank you. *RADIUS debug* Ready to process requests. rad_recv: Access-Request packet from host 198.82.169.55 port 52634, id=78, length=132 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x9552e405f519c05100b3510ad97bcec0 MS-CHAP-Challenge = 0x9dcbb5409eb06d58 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81 (0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'dawson' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140519' (0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140519 (0) auth_log : expand: "%t" -> 'Mon May 19 14:55:25 2014' (0) [auth_log] = ok (0) update control { (0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt' (0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt" (0) } # update control = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))' (0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt' (0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt" (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD' (0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11' (0) ldap : control:Prohibited := FALSE (0) ldap : control:Group-Membership := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' (0) ldap : control:Group-Membership := 'cn=TLOS,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' rlm_ldap (ldap): Released connection (4) (0) [-ldap] = ok (0) pap : Normalizing NT-Password from hex encoding (0) pap : Normalizing SSHA1-Password from base64 encoding (0) pap : No clear-text password in the request. Not performing PAP. (0) [pap] = noop (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE (0) ? if (Ldap-Group != "%{control:Group-Membership}") (0) expand: "%{control:Group-Membership}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' (0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt" rlm_ldap (ldap): Reserved connection (4) (0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt" (0) Checking for user in group objects (0) expand: "(&(objectClass=f5Group)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Waiting for search result... (0) User found in group object rlm_ldap (ldap): Released connection (4) (0) ? if (Ldap-Group != "%{control:Group-Membership}") -> FALSE (0) else else { (0) update reply { (0) expand: "%{reply:F5-LTM-User-Info-1}" -> '' (0) F5-LTM-User-Info-1 := "" (0) expand: "%{reply:F5-LTM-User-Role}" -> '' (0) F5-LTM-User-Role := Administrator (0) expand: "%{reply:F5-LTM-User-Partition}" -> '' (0) F5-LTM-User-Partition := "" (0) expand: "%{reply:F5-LTM-User-Shell}" -> '' (0) F5-LTM-User-Shell := "" (0) } # update reply = noop (0) } # else else = noop (0) ? if ("%{reply:F5-LTM-User-Info-1}") (0) expand: "%{reply:F5-LTM-User-Info-1}" -> '' (0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE (0) } # authorize = ok (0) Found Auth-Type = MSCHAP (0) # Executing group from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap : No Cleartext-Password configured. Cannot create LM-Password (0) mschap : Found NT-Password (0) mschap : Client is using MS-CHAPv1 with NT-Password (0) mschap : adding MS-CHAPv1 MPPE keys (0) [mschap] = ok (0) } # authenticate = ok (0) WARNING: Empty post-auth section. Using default return values. (0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default Sending Access-Accept of id 78 from 198.82.169.55 port 1830 to 198.82.169.55 port 52634 F5-LTM-User-Info-1 = '' F5-LTM-User-Role = Administrator F5-LTM-User-Partition = '' F5-LTM-User-Shell = '' MS-CHAP-MPPE-Keys = 0x0000000000000000122d083be857e0cf1f5c975f5efd01cc0000000000000000 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 4.6 seconds. *radtest* $ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123 /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient) /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so) Sending Access-Request of id 78 from 0.0.0.0 port 52634 to 198.82.169.55 port 1830 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0x9dcbb5409eb06d58 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81 Code: 1 Id: 78 Length: 132 Vector: 1e35220367d4329bdebec2d38afe7fd6 Data: 01 08 64 61 77 73 6f 6e 04 06 c6 52 a9 37 05 06 00 03 92 fa 50 12 95 52 e4 05 f5 19 c0 51 00 b3 51 0a d9 7b ce c0 1a 10 00 00 01 37 0b 0a 9d cb b5 40 9e b0 6d 58 1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc c9 a9 16 ce 5f c5 41 9b 59 2b a3 be 3e 11 68 31 d4 11 dc 6e 45 4c 81 rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=78, length=114 Code: 2 Id: 78 Length: 114 Vector: e1389574bdb00555d937ba3d5fac91d7 Data: 1a 06 00 00 0d 2f 1a 0c 00 00 0d 2f 01 06 00 00 00 00 1a 06 00 00 0d 2f 1a 06 00 00 0d 2f 1a 28 00 00 01 37 0c 22 1d 16 9c ca 93 1c 0f eb 35 cd 73 0b ac 58 5c 61 81 2a d8 a6 81 3e bb 70 4a ce 98 0e d8 d5 d9 d3 1a 0c 00 00 01 37 07 06 00 00 00 01 1a 0c 00 00 01 37 08 06 00 00 00 06 Attr-26 = 0x00000d2f F5-LTM-User-Role = Administrator Attr-26 = 0x00000d2f Attr-26 = 0x00000d2f MS-CHAP-MPPE-Keys = 0x MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed *LDAP module* user { base_dn = "ou=People,${..base_dn}" filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" scope = 'sub' } group { base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}" filter = "(objectClass=f5Group)" scope = 'base' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" } *Default server* authorize { filter_username preprocess auth_log update control{ Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt" } -ldap pap mschap #Invalid People if(!(control:NT-Password) || control:Prohibited == TRUE){ update control{ Auth-Type := Reject } } #"%{control:Group-Membership}" if(Ldap-Group != "%{control:Group-Membership}"){ update control{ Auth-Type:=Reject } } else{ update reply{ F5-LTM-User-Info-1 := "%{reply:F5-LTM-User-Info-1}" F5-LTM-User-Role := "%{reply:F5-LTM-User-Role}" F5-LTM-User-Partition := "%{reply:F5-LTM-User-Partition}" F5-LTM-User-Shell := "%{reply:F5-LTM-User-Shell}" } } } authenticate { mschap pap } *OpenLDAP Entries* # dawson, People, NIS, vt dn: uid=dawson,ou=People,ou=NIS,o=vt cn: Jacob M. Dawson uid: dawson sn: Dawson givenName: Jacob groupMembership: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt prohibited: FALSE objectClass: inetOrgPerson objectClass: nisUserAccount # R&D, Groups, F5, Configuration, NIS, vt dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt cn: R&D description: Entiries for the R&D group user accounts userInfo: R&D userPartition: RnD userRole: 100 userShell: tmsh member: uid=dawson,ou=People,ou=NIS,o=vt objectClass: f5Group objectClass: groupOfNames