RADIUS debug
Ready to process requests.
rad_recv: Access-Request packet from host 198.82.169.55 port 52634, id=78, length=132
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x9552e405f519c05100b3510ad97bcec0
MS-CHAP-Challenge = 0x9dcbb5409eb06d58
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81
(0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140519'
(0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140519
(0) auth_log : expand: "%t" -> 'Mon May 19 14:55:25 2014'
(0) [auth_log] = ok
(0) update control {
(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt'
(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
(0) } # update control = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))'
(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
(0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
(0) ldap : control:Prohibited := FALSE
(0) ldap : control:Group-Membership := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) ldap : control:Group-Membership := 'cn=TLOS,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
rlm_ldap (ldap): Released connection (4)
(0) [-ldap] = ok
(0) pap : Normalizing NT-Password from hex encoding
(0) pap : Normalizing SSHA1-Password from base64 encoding
(0) pap : No clear-text password in the request. Not performing PAP.
(0) [pap] = noop
(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
(0) ? if (Ldap-Group != "%{control:Group-Membership}")
(0) expand: "%{control:Group-Membership}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
(0) Checking for user in group objects
(0) expand: "(&(objectClass=f5Group)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Waiting for search result...
(0) User found in group object
rlm_ldap (ldap): Released connection (4)
(0) ? if (Ldap-Group != "%{control:Group-Membership}") -> FALSE
(0) else else {
(0) update reply {
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0) F5-LTM-User-Info-1 := ""
(0) expand: "%{reply:F5-LTM-User-Role}" -> ''
(0) F5-LTM-User-Role := Administrator
(0) expand: "%{reply:F5-LTM-User-Partition}" -> ''
(0) F5-LTM-User-Partition := ""
(0) expand: "%{reply:F5-LTM-User-Shell}" -> ''
(0) F5-LTM-User-Shell := ""
(0) } # update reply = noop
(0) } # else else = noop
(0) ? if ("%{reply:F5-LTM-User-Info-1}")
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE
(0) } # authorize = ok
(0) Found Auth-Type = MSCHAP
(0) # Executing group from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap : No Cleartext-Password configured. Cannot create LM-Password
(0) mschap : Found NT-Password
(0) mschap : Client is using MS-CHAPv1 with NT-Password
(0) mschap : adding MS-CHAPv1 MPPE keys
(0) [mschap] = ok
(0) } # authenticate = ok
(0) WARNING: Empty post-auth section. Using default return values.
(0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
Sending Access-Accept of id 78 from 198.82.169.55 port 1830 to 198.82.169.55 port 52634
F5-LTM-User-Info-1 = ''
F5-LTM-User-Role = Administrator
F5-LTM-User-Partition = ''
F5-LTM-User-Shell = ''
MS-CHAP-MPPE-Keys = 0x0000000000000000122d083be857e0cf1f5c975f5efd01cc0000000000000000
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
radtest
$ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient)
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)
Sending Access-Request of id 78 from 0.0.0.0 port 52634 to 198.82.169.55 port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0x9dcbb5409eb06d58
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81
Code: 1
Id: 78
Length: 132
Vector: 1e35220367d4329bdebec2d38afe7fd6
Data: 01 08 64 61 77 73 6f 6e
04 06 c6 52 a9 37
05 06 00 03 92 fa
50 12 95 52 e4 05 f5 19 c0 51 00 b3 51 0a d9 7b ce c0
1a 10 00 00 01 37 0b 0a 9d cb b5 40 9e b0 6d 58
1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
dc c9 a9 16 ce 5f c5 41 9b 59 2b a3 be 3e 11 68
31 d4 11 dc 6e 45 4c 81
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=78, length=114
Code: 2
Id: 78
Length: 114
Vector: e1389574bdb00555d937ba3d5fac91d7
Data: 1a 06 00 00 0d 2f
1a 0c 00 00 0d 2f 01 06 00 00 00 00
1a 06 00 00 0d 2f
1a 06 00 00 0d 2f
1a 28 00 00 01 37 0c 22 1d 16 9c ca 93 1c 0f eb 35 cd
73 0b ac 58 5c 61 81 2a d8 a6 81 3e bb 70 4a ce
98 0e d8 d5 d9 d3
1a 0c 00 00 01 37 07 06 00 00 00 01
1a 0c 00 00 01 37 08 06 00 00 00 06
Attr-26 = 0x00000d2f
F5-LTM-User-Role = Administrator
Attr-26 = 0x00000d2f
Attr-26 = 0x00000d2f
MS-CHAP-MPPE-Keys = 0x
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
LDAP module
user {
base_dn = "ou=People,${..base_dn}"
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
scope = 'sub'
}
group {
base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
filter = "(objectClass=f5Group)"
scope = 'base'
name_attribute = cn
membership_filter = "(member=%{control:Ldap-UserDn})"
}
Default server
authorize {
filter_username
preprocess
auth_log
update control{
Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
}
-ldap
pap
mschap
#Invalid People
if(!(control:NT-Password) || control:Prohibited == TRUE){
update control{
Auth-Type := Reject
}
}
#"%{control:Group-Membership}"
if(Ldap-Group != "%{control:Group-Membership}"){
update control{
Auth-Type:=Reject
}
}
else{
update reply{
F5-LTM-User-Info-1 := "%{reply:F5-LTM-User-Info-1}"
F5-LTM-User-Role := "%{reply:F5-LTM-User-Role}"
F5-LTM-User-Partition := "%{reply:F5-LTM-User-Partition}"
F5-LTM-User-Shell := "%{reply:F5-LTM-User-Shell}"
}
}
}
authenticate {
mschap
pap
}
OpenLDAP Entries
# dawson, People, NIS, vt
dn: uid=dawson,ou=People,ou=NIS,o=vt
cn: Jacob M. Dawson
uid: dawson
sn: Dawson
givenName: Jacob
groupMembership: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
prohibited: FALSE
objectClass: inetOrgPerson
objectClass: nisUserAccount
# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entiries for the R&D group user accounts
userInfo: R&D
userPartition: RnD
userRole: 100
userShell: tmsh
member: uid=dawson,ou=People,ou=NIS,o=vt
objectClass: f5Group
objectClass: groupOfNames