FreeRADIUS, OpenLDAP and F5 VSAs
Hi, I am trying to send F5 vendor-specific attributes in the Access-Accept packet. When freeradius (ldap module) searches and finds a specific user in openldap, It processes the user's attributes and adds them to the control list. One of the attributes specifies the group that user account belongs to. The next step is to find that user in the specified group, which is successful. Only this time, there are some F5 VSAs that are not getting added to the reply list. When I pass those VSAs in the Access-Accept packet, I see them as Attr-26 = 0x00000d2f I have read the rlm_ldap and related documentation on the wiki. I am not sure why I don't see the value of F5 VSAs in the reply as I can definitely process the attributes defined for a user account under the People subtree. Below is the debug output and some configuration. Can anyone point me to the right direction. Thank you. *RADIUS debug* Ready to process requests. rad_recv: Access-Request packet from host 198.82.169.55 port 52634, id=78, length=132 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x9552e405f519c05100b3510ad97bcec0 MS-CHAP-Challenge = 0x9dcbb5409eb06d58 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81 (0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'dawson' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140519' (0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140519 (0) auth_log : expand: "%t" -> 'Mon May 19 14:55:25 2014' (0) [auth_log] = ok (0) update control { (0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt' (0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt" (0) } # update control = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))' (0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt' (0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt" (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD' (0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11' (0) ldap : control:Prohibited := FALSE (0) ldap : control:Group-Membership := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' (0) ldap : control:Group-Membership := 'cn=TLOS,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' rlm_ldap (ldap): Released connection (4) (0) [-ldap] = ok (0) pap : Normalizing NT-Password from hex encoding (0) pap : Normalizing SSHA1-Password from base64 encoding (0) pap : No clear-text password in the request. Not performing PAP. (0) [pap] = noop (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE (0) ? if (Ldap-Group != "%{control:Group-Membership}") (0) expand: "%{control:Group-Membership}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' (0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt" rlm_ldap (ldap): Reserved connection (4) (0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt" (0) Checking for user in group objects (0) expand: "(&(objectClass=f5Group)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Waiting for search result... (0) User found in group object rlm_ldap (ldap): Released connection (4) (0) ? if (Ldap-Group != "%{control:Group-Membership}") -> FALSE (0) else else { (0) update reply { (0) expand: "%{reply:F5-LTM-User-Info-1}" -> '' (0) F5-LTM-User-Info-1 := "" (0) expand: "%{reply:F5-LTM-User-Role}" -> '' (0) F5-LTM-User-Role := Administrator (0) expand: "%{reply:F5-LTM-User-Partition}" -> '' (0) F5-LTM-User-Partition := "" (0) expand: "%{reply:F5-LTM-User-Shell}" -> '' (0) F5-LTM-User-Shell := "" (0) } # update reply = noop (0) } # else else = noop (0) ? if ("%{reply:F5-LTM-User-Info-1}") (0) expand: "%{reply:F5-LTM-User-Info-1}" -> '' (0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE (0) } # authorize = ok (0) Found Auth-Type = MSCHAP (0) # Executing group from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default (0) authenticate { (0) mschap : No Cleartext-Password configured. Cannot create LM-Password (0) mschap : Found NT-Password (0) mschap : Client is using MS-CHAPv1 with NT-Password (0) mschap : adding MS-CHAPv1 MPPE keys (0) [mschap] = ok (0) } # authenticate = ok (0) WARNING: Empty post-auth section. Using default return values. (0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default Sending Access-Accept of id 78 from 198.82.169.55 port 1830 to 198.82.169.55 port 52634 F5-LTM-User-Info-1 = '' F5-LTM-User-Role = Administrator F5-LTM-User-Partition = '' F5-LTM-User-Shell = '' MS-CHAP-MPPE-Keys = 0x0000000000000000122d083be857e0cf1f5c975f5efd01cc0000000000000000 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 4.6 seconds. *radtest* $ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123 /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient) /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so) Sending Access-Request of id 78 from 0.0.0.0 port 52634 to 198.82.169.55 port 1830 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0x9dcbb5409eb06d58 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81 Code: 1 Id: 78 Length: 132 Vector: 1e35220367d4329bdebec2d38afe7fd6 Data: 01 08 64 61 77 73 6f 6e 04 06 c6 52 a9 37 05 06 00 03 92 fa 50 12 95 52 e4 05 f5 19 c0 51 00 b3 51 0a d9 7b ce c0 1a 10 00 00 01 37 0b 0a 9d cb b5 40 9e b0 6d 58 1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc c9 a9 16 ce 5f c5 41 9b 59 2b a3 be 3e 11 68 31 d4 11 dc 6e 45 4c 81 rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=78, length=114 Code: 2 Id: 78 Length: 114 Vector: e1389574bdb00555d937ba3d5fac91d7 Data: 1a 06 00 00 0d 2f 1a 0c 00 00 0d 2f 01 06 00 00 00 00 1a 06 00 00 0d 2f 1a 06 00 00 0d 2f 1a 28 00 00 01 37 0c 22 1d 16 9c ca 93 1c 0f eb 35 cd 73 0b ac 58 5c 61 81 2a d8 a6 81 3e bb 70 4a ce 98 0e d8 d5 d9 d3 1a 0c 00 00 01 37 07 06 00 00 00 01 1a 0c 00 00 01 37 08 06 00 00 00 06 Attr-26 = 0x00000d2f F5-LTM-User-Role = Administrator Attr-26 = 0x00000d2f Attr-26 = 0x00000d2f MS-CHAP-MPPE-Keys = 0x MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed *LDAP module* user { base_dn = "ou=People,${..base_dn}" filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" scope = 'sub' } group { base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}" filter = "(objectClass=f5Group)" scope = 'base' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" } *Default server* authorize { filter_username preprocess auth_log update control{ Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt" } -ldap pap mschap #Invalid People if(!(control:NT-Password) || control:Prohibited == TRUE){ update control{ Auth-Type := Reject } } #"%{control:Group-Membership}" if(Ldap-Group != "%{control:Group-Membership}"){ update control{ Auth-Type:=Reject } } else{ update reply{ F5-LTM-User-Info-1 := "%{reply:F5-LTM-User-Info-1}" F5-LTM-User-Role := "%{reply:F5-LTM-User-Role}" F5-LTM-User-Partition := "%{reply:F5-LTM-User-Partition}" F5-LTM-User-Shell := "%{reply:F5-LTM-User-Shell}" } } } authenticate { mschap pap } *OpenLDAP Entries* # dawson, People, NIS, vt dn: uid=dawson,ou=People,ou=NIS,o=vt cn: Jacob M. Dawson uid: dawson sn: Dawson givenName: Jacob groupMembership: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt prohibited: FALSE objectClass: inetOrgPerson objectClass: nisUserAccount # R&D, Groups, F5, Configuration, NIS, vt dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt cn: R&D description: Entiries for the R&D group user accounts userInfo: R&D userPartition: RnD userRole: 100 userShell: tmsh member: uid=dawson,ou=People,ou=NIS,o=vt objectClass: f5Group objectClass: groupOfNames
Also, the update section under the ldap modules looks like this. update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Group-Membership := 'groupMembership' reply:F5-LTM-User-Info-1 := 'userInfo' reply:F5-LTM-User-Role := 'userRole' reply:F5-LTM-User-Partition := 'userPartition' reply:F5-LTM-User-Shell := 'userShell' } On Mon, May 19, 2014 at 3:33 PM, Ajinkya Fotedar <ajinkyafotedar@gmail.com>wrote:
Hi,
I am trying to send F5 vendor-specific attributes in the Access-Accept packet.
When freeradius (ldap module) searches and finds a specific user in openldap, It processes the user's attributes and adds them to the control list. One of the attributes specifies the group that user account belongs to.
The next step is to find that user in the specified group, which is successful. Only this time, there are some F5 VSAs that are not getting added to the reply list. When I pass those VSAs in the Access-Accept packet, I see them as Attr-26 = 0x00000d2f
I have read the rlm_ldap and related documentation on the wiki. I am not sure why I don't see the value of F5 VSAs in the reply as I can definitely process the attributes defined for a user account under the People subtree.
Below is the debug output and some configuration. Can anyone point me to the right direction.
Thank you.
*RADIUS debug*
Ready to process requests.
rad_recv: Access-Request packet from host 198.82.169.55 port 52634, id=78, length=132
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x9552e405f519c05100b3510ad97bcec0
MS-CHAP-Challenge = 0x9dcbb5409eb06d58
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81
(0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140519'
(0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140519
(0) auth_log : expand: "%t" -> 'Mon May 19 14:55:25 2014'
(0) [auth_log] = ok
(0) update control {
(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt'
(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
(0) } # update control = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))'
(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
(0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
(0) ldap : control:Prohibited := FALSE
(0) ldap : control:Group-Membership := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) ldap : control:Group-Membership := 'cn=TLOS,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
rlm_ldap (ldap): Released connection (4)
(0) [-ldap] = ok
(0) pap : Normalizing NT-Password from hex encoding
(0) pap : Normalizing SSHA1-Password from base64 encoding
(0) pap : No clear-text password in the request. Not performing PAP.
(0) [pap] = noop
(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
(0) ? if (Ldap-Group != "%{control:Group-Membership}")
(0) expand: "%{control:Group-Membership}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
(0) Checking for user in group objects
(0) expand: "(&(objectClass=f5Group)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Waiting for search result...
(0) User found in group object
rlm_ldap (ldap): Released connection (4)
(0) ? if (Ldap-Group != "%{control:Group-Membership}") -> FALSE
(0) else else {
(0) update reply {
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0) F5-LTM-User-Info-1 := ""
(0) expand: "%{reply:F5-LTM-User-Role}" -> ''
(0) F5-LTM-User-Role := Administrator
(0) expand: "%{reply:F5-LTM-User-Partition}" -> ''
(0) F5-LTM-User-Partition := ""
(0) expand: "%{reply:F5-LTM-User-Shell}" -> ''
(0) F5-LTM-User-Shell := ""
(0) } # update reply = noop
(0) } # else else = noop
(0) ? if ("%{reply:F5-LTM-User-Info-1}")
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE
(0) } # authorize = ok
(0) Found Auth-Type = MSCHAP
(0) # Executing group from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap : No Cleartext-Password configured. Cannot create LM-Password
(0) mschap : Found NT-Password
(0) mschap : Client is using MS-CHAPv1 with NT-Password
(0) mschap : adding MS-CHAPv1 MPPE keys
(0) [mschap] = ok
(0) } # authenticate = ok
(0) WARNING: Empty post-auth section. Using default return values.
(0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
Sending Access-Accept of id 78 from 198.82.169.55 port 1830 to 198.82.169.55 port 52634
F5-LTM-User-Info-1 = ''
F5-LTM-User-Role = Administrator
F5-LTM-User-Partition = ''
F5-LTM-User-Shell = ''
MS-CHAP-MPPE-Keys = 0x0000000000000000122d083be857e0cf1f5c975f5efd01cc0000000000000000
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
*radtest*
$ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient)
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)
Sending Access-Request of id 78 from 0.0.0.0 port 52634 to 198.82.169.55 port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0x9dcbb5409eb06d58
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81
Code: 1
Id: 78
Length: 132
Vector: 1e35220367d4329bdebec2d38afe7fd6
Data: 01 08 64 61 77 73 6f 6e
04 06 c6 52 a9 37
05 06 00 03 92 fa
50 12 95 52 e4 05 f5 19 c0 51 00 b3 51 0a d9 7b ce c0
1a 10 00 00 01 37 0b 0a 9d cb b5 40 9e b0 6d 58
1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
dc c9 a9 16 ce 5f c5 41 9b 59 2b a3 be 3e 11 68
31 d4 11 dc 6e 45 4c 81
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=78, length=114
Code: 2
Id: 78
Length: 114
Vector: e1389574bdb00555d937ba3d5fac91d7
Data: 1a 06 00 00 0d 2f
1a 0c 00 00 0d 2f 01 06 00 00 00 00
1a 06 00 00 0d 2f
1a 06 00 00 0d 2f
1a 28 00 00 01 37 0c 22 1d 16 9c ca 93 1c 0f eb 35 cd
73 0b ac 58 5c 61 81 2a d8 a6 81 3e bb 70 4a ce
98 0e d8 d5 d9 d3
1a 0c 00 00 01 37 07 06 00 00 00 01
1a 0c 00 00 01 37 08 06 00 00 00 06
Attr-26 = 0x00000d2f
F5-LTM-User-Role = Administrator
Attr-26 = 0x00000d2f
Attr-26 = 0x00000d2f
MS-CHAP-MPPE-Keys = 0x
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
*LDAP module*
user {
base_dn = "ou=People,${..base_dn}"
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
scope = 'sub'
}
group {
base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
filter = "(objectClass=f5Group)"
scope = 'base'
name_attribute = cn
membership_filter = "(member=%{control:Ldap-UserDn})"
}
*Default server*
authorize {
filter_username
preprocess
auth_log
update control{
Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
}
-ldap
pap
mschap
#Invalid People
if(!(control:NT-Password) || control:Prohibited == TRUE){
update control{
Auth-Type := Reject
}
}
#"%{control:Group-Membership}"
if(Ldap-Group != "%{control:Group-Membership}"){
update control{
Auth-Type:=Reject
}
}
else{
update reply{
F5-LTM-User-Info-1 := "%{reply:F5-LTM-User-Info-1}"
F5-LTM-User-Role := "%{reply:F5-LTM-User-Role}"
F5-LTM-User-Partition := "%{reply:F5-LTM-User-Partition}"
F5-LTM-User-Shell := "%{reply:F5-LTM-User-Shell}"
}
}
}
authenticate {
mschap
pap
}
*OpenLDAP Entries*
# dawson, People, NIS, vt
dn: uid=dawson,ou=People,ou=NIS,o=vt
cn: Jacob M. Dawson
uid: dawson
sn: Dawson
givenName: Jacob
groupMembership: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
prohibited: FALSE
objectClass: inetOrgPerson
objectClass: nisUserAccount
# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entiries for the R&D group user accounts
userInfo: R&D
userPartition: RnD
userRole: 100
userShell: tmsh
member: uid=dawson,ou=People,ou=NIS,o=vt
objectClass: f5Group
objectClass: groupOfNames
On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:
Also, the update section under the ldap modules looks like this.
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Group-Membership := 'groupMembership' reply:F5-LTM-User-Info-1 := 'userInfo' reply:F5-LTM-User-Role := 'userRole' reply:F5-LTM-User-Partition := 'userPartition' reply:F5-LTM-User-Shell := 'userShell' }
Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi Arran, Thank you so much for the reply. I have made the above changes and I can see the attributes in the reply message (Access-accept packet). Although, I am not sure if this is what it should look like. I have not tested it with F5 but just want to make sure that I am heading in the right direction. Below is the debug and some configurations from FreeRADIUS and OpenLDAP. Please let me know your thoughts. Thank you. *RADIUS debug* rad_recv: Access-Request packet from host 198.82.169.55 port 50524, id=211, length=132 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x14e775dc18fbbbd91c707988226a3a22 MS-CHAP-Challenge = 0xa92999be9652acdb MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3 (0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'dawson' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140520' (0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140520 (0) auth_log : expand: "%t" -> 'Tue May 20 11:37:46 2014' (0) [auth_log] = ok (0) update control { (0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt' (0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt" (0) } # update control = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))' (0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt' (0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt" (0) ldap : expand: "(&)" -> '(&)' (0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)' (0) ldap : Waiting for search result... (0) ldap : Processing profile attributes (0) ldap : reply:Reply-Message := 'F5-LTM-User-Info-1+=\"R&D\"' (0) ldap : reply:Reply-Message := 'F5-LTM-User-Partition+=\"RnD\"' (0) ldap : reply:Reply-Message := 'F5-LTM-User-Role+=100' (0) ldap : reply:Reply-Message := 'F5-LTM-User-Shell+=\"tmsh\"' (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD' (0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11' (0) ldap : control:Prohibited := FALSE (0) ldap : control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' rlm_ldap (ldap): Released connection (4) (0) [-ldap] = ok (0) pap : Normalizing NT-Password from hex encoding (0) pap : Normalizing SSHA1-Password from base64 encoding (0) pap : No clear-text password in the request. Not performing PAP. (0) [pap] = noop (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") (0) expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' (0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt" rlm_ldap (ldap): Reserved connection (4) (0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt" (0) Checking for user in group objects (0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Waiting for search result... (0) User found in group object rlm_ldap (ldap): Released connection (4) (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE (0) else else { (0) update control { (0) Auth-Type := Accept (0) } # update control = noop (0) } # else else = noop (0) ? if ("%{reply:F5-LTM-User-Info-1}") (0) expand: "%{reply:F5-LTM-User-Info-1}" -> '' (0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user *(0) WARNING: Empty post-auth section. Using default return values.* (0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default Sending Access-Accept of id 211 from 198.82.169.55 port 1830 to 198.82.169.55 port 50524 Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"' Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"' Reply-Message = 'F5-LTM-User-Role+=100' Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"' (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 211 with timestamp +2 *Ready to process requests.* *radtest* $ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123 /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient) /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so) Sending Access-Request of id 211 from 0.0.0.0 port 50524 to 198.82.169.55 port 1830 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0xa92999be9652acdb MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3 Code: 1 Id: 211 Length: 132 Vector: b3c92ab8d0c718d8e265b6301bae7a11 Data: 01 08 64 61 77 73 6f 6e 04 06 c6 52 a9 37 05 06 00 03 92 fa 50 12 14 e7 75 dc 18 fb bb d9 1c 70 79 88 22 6a 3a 22 1a 10 00 00 01 37 0b 0a a9 29 99 be 96 52 ac db 1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e f6 54 05 da 92 2b be 8b 1f 37 ff 9b a6 34 58 91 7d 6b c4 2c f7 04 c3 rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=211, length=127 Code: 2 Id: 211 Length: 127 Vector: ff52e972ccb4ee95c7b64719c2ea3986 Data: 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f 2d 31 2b 3d 22 52 26 44 22 12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74 69 74 69 6f 6e 2b 3d 22 52 6e 44 22 12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65 2b 3d 31 30 30 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c 6c 2b 3d 22 74 6d 73 68 22 Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"' Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"' Reply-Message = 'F5-LTM-User-Role+=100' Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"' *sites-enabled/default* authorize { filter_username preprocess auth_log update control{ Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt" } -ldap pap mschap if(!(control:NT-Password) || control:Prohibited == TRUE){ update control{ Auth-Type := Reject } } if(Ldap-Group != "%{control:Radius-Profile-DN}"){ update control{ Auth-Type:=Reject } } else{ update control{ Auth-Type:=Accept } } authenticate { mschap pap } *mods-enabled/ldap* update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Radius-Profile-DN := 'radiusProfileDn' reply:Reply-Message := 'radiusReplyMessage' } user { base_dn = "ou=People,${..base_dn}" filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" scope = 'sub' } group { base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}" filter = "(objectClass=groupOfNames)" scope = 'base' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" } *OpenLDAP* # R&D, Groups, F5, Configuration, NIS, vt dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt cn: R&D description: Entiries for the R&D group user accounts member: uid=dawson,ou=People,ou=NIS,o=vt radiusReplyMessage: F5-LTM-User-Info-1+="R&D" radiusReplyMessage: F5-LTM-User-Partition+="RnD" radiusReplyMessage: F5-LTM-User-Role+=100 radiusReplyMessage: F5-LTM-User-Shell+="tmsh" objectClass: groupOfNames objectClass: radiusprofile # dawson, People, NIS, vt dn: uid=dawson,ou=People,ou=NIS,o=vt cn: Jacob M. Dawson uid: dawson sn: Dawson givenName: Jacob objectClass: inetOrgPerson objectClass: nisUserAccount objectClass: radiusprofile prohibited: FALSE radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt *F5 VSAs* VENDOR F5 3375 BEGIN-VENDOR F5 ATTRIBUTE F5-LTM-User-Role 1 integer ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable ATTRIBUTE F5-LTM-User-Partition 3 string ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh ATTRIBUTE F5-LTM-User-Context-1 10 integer ATTRIBUTE F5-LTM-User-Context-2 11 integer ATTRIBUTE F5-LTM-User-Info-1 12 string ATTRIBUTE F5-LTM-User-Info-2 13 string VALUE F5-LTM-User-Role Administrator 0 VALUE F5-LTM-User-Role Resource-Admin 20 VALUE F5-LTM-User-Role User-Manager 40 VALUE F5-LTM-User-Role Manager 100 VALUE F5-LTM-User-Role App-Editor 300 VALUE F5-LTM-User-Role Operator 400 VALUE F5-LTM-User-Role Guest 700 VALUE F5-LTM-User-Role Policy-Editor 800 VALUE F5-LTM-User-Role No-Access 900 VALUE F5-LTM-User-Role-Universal Disabled 0 VALUE F5-LTM-User-Role-Universal Enabled 1 VALUE F5-LTM-User-Console Disabled 0 VALUE F5-LTM-User-Console Enabled 1 END-VENDOR F5 On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:
Also, the update section under the ldap modules looks like this.
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Group-Membership := 'groupMembership' reply:F5-LTM-User-Info-1 := 'userInfo' reply:F5-LTM-User-Role := 'userRole' reply:F5-LTM-User-Partition := 'userPartition' reply:F5-LTM-User-Shell := 'userShell' }
Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Particularly concerned about the F5-LTM-User-Role attribute since its an integer. I want to provide Manager (100) access to this user account, as defined in the F5 dictionary. Have I defined this attribute right in openldap. Would really appreciate if you could throw some light on that, and the rest of the attributes. Thank you. On Tue, May 20, 2014 at 11:59 AM, Ajinkya Fotedar <ajinkyafotedar@gmail.com>wrote:
Hi Arran,
Thank you so much for the reply. I have made the above changes and I can see the attributes in the reply message (Access-accept packet). Although, I am not sure if this is what it should look like. I have not tested it with F5 but just want to make sure that I am heading in the right direction. Below is the debug and some configurations from FreeRADIUS and OpenLDAP.
Please let me know your thoughts.
Thank you.
*RADIUS debug*
rad_recv: Access-Request packet from host 198.82.169.55 port 50524, id=211, length=132
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x14e775dc18fbbbd91c707988226a3a22
MS-CHAP-Challenge = 0xa92999be9652acdb
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
(0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140520'
(0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140520
(0) auth_log : expand: "%t" -> 'Tue May 20 11:37:46 2014'
(0) [auth_log] = ok
(0) update control {
(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt'
(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
(0) } # update control = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))'
(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
(0) ldap : expand: "(&)" -> '(&)'
(0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)'
(0) ldap : Waiting for search result...
(0) ldap : Processing profile attributes
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Info-1+=\"R&D\"'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Partition+=\"RnD\"'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Role+=100'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Shell+=\"tmsh\"'
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
(0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
(0) ldap : control:Prohibited := FALSE
(0) ldap : control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
rlm_ldap (ldap): Released connection (4)
(0) [-ldap] = ok
(0) pap : Normalizing NT-Password from hex encoding
(0) pap : Normalizing SSHA1-Password from base64 encoding
(0) pap : No clear-text password in the request. Not performing PAP.
(0) [pap] = noop
(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}")
(0) expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
(0) Checking for user in group objects
(0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Waiting for search result...
(0) User found in group object
rlm_ldap (ldap): Released connection (4)
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE
(0) else else {
(0) update control {
(0) Auth-Type := Accept
(0) } # update control = noop
(0) } # else else = noop
(0) ? if ("%{reply:F5-LTM-User-Info-1}")
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
*(0) WARNING: Empty post-auth section. Using default return values.*
(0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
Sending Access-Accept of id 211 from 198.82.169.55 port 1830 to 198.82.169.55 port 50524
Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
Reply-Message = 'F5-LTM-User-Role+=100'
Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 211 with timestamp +2
*Ready to process requests.*
*radtest*
$ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient)
/apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)
Sending Access-Request of id 211 from 0.0.0.0 port 50524 to 198.82.169.55 port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0xa92999be9652acdb
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
Code: 1
Id: 211
Length: 132
Vector: b3c92ab8d0c718d8e265b6301bae7a11
Data: 01 08 64 61 77 73 6f 6e
04 06 c6 52 a9 37
05 06 00 03 92 fa
50 12 14 e7 75 dc 18 fb bb d9 1c 70 79 88 22 6a 3a 22
1a 10 00 00 01 37 0b 0a a9 29 99 be 96 52 ac db
1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3e f6 54 05 da 92 2b be 8b 1f 37 ff 9b a6 34 58
91 7d 6b c4 2c f7 04 c3
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=211, length=127
Code: 2
Id: 211
Length: 127
Vector: ff52e972ccb4ee95c7b64719c2ea3986
Data: 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f
2d 31 2b 3d 22 52 26 44 22
12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74
69 74 69 6f 6e 2b 3d 22 52 6e 44 22
12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65
2b 3d 31 30 30
12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c
6c 2b 3d 22 74 6d 73 68 22
Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
Reply-Message = 'F5-LTM-User-Role+=100'
Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'
*sites-enabled/default*
authorize {
filter_username
preprocess
auth_log
update control{
Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
}
-ldap
pap
mschap
if(!(control:NT-Password) || control:Prohibited == TRUE){
update control{
Auth-Type := Reject
}
}
if(Ldap-Group != "%{control:Radius-Profile-DN}"){
update control{
Auth-Type:=Reject
}
}
else{
update control{
Auth-Type:=Accept
}
}
authenticate {
mschap
pap
}
*mods-enabled/ldap*
update {
control:Password-With-Header += 'userPassword'
control:NT-Password := 'ntPassword'
control:Prohibited := 'prohibited'
control:Radius-Profile-DN := 'radiusProfileDn'
reply:Reply-Message := 'radiusReplyMessage'
}
user {
base_dn = "ou=People,${..base_dn}"
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
scope = 'sub'
}
group {
base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
filter = "(objectClass=groupOfNames)"
scope = 'base'
name_attribute = cn
membership_filter = "(member=%{control:Ldap-UserDn})"
}
*OpenLDAP*
# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entiries for the R&D group user accounts
member: uid=dawson,ou=People,ou=NIS,o=vt
radiusReplyMessage: F5-LTM-User-Info-1+="R&D"
radiusReplyMessage: F5-LTM-User-Partition+="RnD"
radiusReplyMessage: F5-LTM-User-Role+=100
radiusReplyMessage: F5-LTM-User-Shell+="tmsh"
objectClass: groupOfNames
objectClass: radiusprofile
# dawson, People, NIS, vt
dn: uid=dawson,ou=People,ou=NIS,o=vt
cn: Jacob M. Dawson
uid: dawson
sn: Dawson
givenName: Jacob
objectClass: inetOrgPerson
objectClass: nisUserAccount
objectClass: radiusprofile
prohibited: FALSE
radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
*F5 VSAs*
VENDOR F5 3375
BEGIN-VENDOR F5
ATTRIBUTE F5-LTM-User-Role 1 integer
ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable
ATTRIBUTE F5-LTM-User-Partition 3 string
ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable
ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh
ATTRIBUTE F5-LTM-User-Context-1 10 integer
ATTRIBUTE F5-LTM-User-Context-2 11 integer
ATTRIBUTE F5-LTM-User-Info-1 12 string
ATTRIBUTE F5-LTM-User-Info-2 13 string
VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Resource-Admin 20
VALUE F5-LTM-User-Role User-Manager 40
VALUE F5-LTM-User-Role Manager 100
VALUE F5-LTM-User-Role App-Editor 300
VALUE F5-LTM-User-Role Operator 400
VALUE F5-LTM-User-Role Guest 700
VALUE F5-LTM-User-Role Policy-Editor 800
VALUE F5-LTM-User-Role No-Access 900
VALUE F5-LTM-User-Role-Universal Disabled 0
VALUE F5-LTM-User-Role-Universal Enabled 1
VALUE F5-LTM-User-Console Disabled 0
VALUE F5-LTM-User-Console Enabled 1
END-VENDOR F5
On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:
Also, the update section under the ldap modules looks like this.
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Group-Membership := 'groupMembership' reply:F5-LTM-User-Info-1 := 'userInfo' reply:F5-LTM-User-Role := 'userRole' reply:F5-LTM-User-Partition := 'userPartition' reply:F5-LTM-User-Shell := 'userShell' }
Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Arran, I have used radiusReplyItem attribute in the user objects in openldap. I have modified the entries in openldap accordingly and can see the required attributes as a reply item in the Access-accept packet. Although not getting the attributes as I would expect. This has something to do with attribute mapping but I am not sure which parts of the FreeRADIUS server config require tweaks. Can anyone help me out with the same. This is how I would like the radtest to look like: $ radtest jsmith test 192.168.1.100 0 secret Sending Access-Request of id 187 to 192.168.1.100 port 1812 User-Name = "jsmith" User-Password = "test" NAS-IP-Address = 192.168.1.100 NAS-Port = 0 rad_recv: Access-Accept packet from host 192.168.1.100 port 1812, id=187, length=112 Service-Type = Framed-User Framed-Protocol = PPP Framed-Routing = Broadcast-Listen Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP * F5-LTM-User-Role = Manager* * F5-LTM-User-Info-1 = "mgmt"* * F5-LTM-User-Partition = "admin"* * F5-LTM-User-Shell = "tmsh"* And this is what it looks like right now: $ radtest -t mschap dawson wakkawakka 198.82.169.55:1830 234234 testing123 Sending Access-Request of id 48 from 0.0.0.0 port 33814 to 198.82.169.55 port 1830 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0x45c9d617e4bbadea MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000079a2d20cd58f9af0c5957ede5deaf85b04b2dd9bec6104eb rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=48, length=153 *F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"'* * F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"'* * F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"'* * F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"'* Below are the outputs for radius debug, radtest and some FreeRADIUS and OpenLDAP config. Would really appreciate any help. Thank you. *RADIUS debug* rad_recv: Access-Request packet from host 198.82.169.55 port 34716, id=142, length=132 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0xa28852d05f29ba0fac4c4b1046e4178c MS-CHAP-Challenge = 0x4e9904591878fd82 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000606a875cc1203e10b37861612644c9e3f4e709f7e56f53b9 (0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'dawson' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140521' (0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/ 198.82.169.55/auth-detail-20140521 (0) auth_log : expand: "%t" -> 'Wed May 21 08:31:51 2014' (0) [auth_log] = ok (0) update control { (0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt' (0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt" (0) } # update control = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))' (0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt' (0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt" (0) ldap : expand: "(&)" -> '(&)' (0) ldap : Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)' (0) ldap : Waiting for search result... (0) ldap : Processing profile attributes (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Info-1+=\"R&D\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Partition+=\"RnD\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Role+=\"100\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Shell+=\"tmsh\"' (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD' (0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11' (0) ldap : control:Prohibited := FALSE (0) ldap : control:Radius-Profile-DN := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' rlm_ldap (ldap): Released connection (4) *rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)* (0) [-ldap] = ok (0) pap : Normalizing NT-Password from hex encoding (0) pap : Normalizing SSHA1-Password from base64 encoding (0) pap : No clear-text password in the request. Not performing PAP. (0) [pap] = noop (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") (0) expand: "%{control:Radius-Profile-DN}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' (0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt" rlm_ldap (ldap): Reserved connection (4) (0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt" (0) Checking for user in group objects (0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))' (0) Waiting for search result... (0) User found in group object rlm_ldap (ldap): Released connection (4) (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE (0) else else { (0) update control { (0) Auth-Type := Accept (0) } # update control = noop (0) } # else else = noop (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user *(0) WARNING: Empty post-auth section. Using default return values.* (0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default Sending Access-Accept of id 142 from 198.82.169.55 port 1830 to 198.82.169.55 port 34716 F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"' (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 142 with timestamp +12 *Ready to process requests.* *radtest* $ radtest -t mschap dawson wakkawakka 198.82.169.55:1830 234234 testing123 Sending Access-Request of id 48 from 0.0.0.0 port 33814 to 198.82.169.55 port 1830 User-Name = 'dawson' NAS-IP-Address = 198.82.169.55 NAS-Port = 234234 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0x45c9d617e4bbadea MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000079a2d20cd58f9af0c5957ede5deaf85b04b2dd9bec6104eb rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=48, length=153 F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"' F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"' *sites-enabled/default* authorize { filter_username preprocess auth_log update control{ Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt" } -ldap pap mschap if(!(control:NT-Password) || control:Prohibited == TRUE){ update control{ Auth-Type := Reject } } if(Ldap-Group != "%{control:Radius-Profile-DN}"){ update control{ Auth-Type:=Reject } } else{ update control{ Auth-Type:=Accept } } authenticate { mschap pap } *mods-enabled/ldap* update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Radius-Profile-DN := 'radiusProfileDn' reply:F5-LTM-User-Info-1 := 'radiusReplyItem' #reply:Reply-Message := 'radiusReplyMessage' } user { base_dn = "ou=People,${..base_dn}" filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" scope = 'sub' } group { base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}" filter = "(objectClass=groupOfNames)" scope = 'base' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" } *OpenLDAP* # R&D, Groups, F5, Configuration, NIS, vt dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt cn: R&D description: Entiries for the R&D group user accounts member: uid=dawson,ou=People,ou=NIS,o=vt radiusReplyItem: F5-LTM-User-Info-1+="R&D" radiusReplyItem: F5-LTM-User-Partition+="RnD" radiusReplyItem: F5-LTM-User-Role+=100 radiusReplyItem: F5-LTM-User-Shell+="tmsh" objectClass: groupOfNames objectClass: radiusprofile # dawson, People, NIS, vt dn: uid=dawson,ou=People,ou=NIS,o=vt cn: Jacob M. Dawson uid: dawson sn: Dawson givenName: Jacob objectClass: inetOrgPerson objectClass: nisUserAccount objectClass: radiusprofile prohibited: FALSE radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt *F5 VSAs* VENDOR F5 3375 BEGIN-VENDOR F5 ATTRIBUTE F5-LTM-User-Role 1 integer ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable ATTRIBUTE F5-LTM-User-Partition 3 string ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh ATTRIBUTE F5-LTM-User-Context-1 10 integer ATTRIBUTE F5-LTM-User-Context-2 11 integer ATTRIBUTE F5-LTM-User-Info-1 12 string ATTRIBUTE F5-LTM-User-Info-2 13 string VALUE F5-LTM-User-Role Administrator 0 VALUE F5-LTM-User-Role Resource-Admin 20 VALUE F5-LTM-User-Role User-Manager 40 VALUE F5-LTM-User-Role Manager 100 VALUE F5-LTM-User-Role App-Editor 300 VALUE F5-LTM-User-Role Operator 400 VALUE F5-LTM-User-Role Guest 700 VALUE F5-LTM-User-Role Policy-Editor 800 VALUE F5-LTM-User-Role No-Access 900 VALUE F5-LTM-User-Role-Universal Disabled 0 VALUE F5-LTM-User-Role-Universal Enabled 1 VALUE F5-LTM-User-Console Disabled 0 VALUE F5-LTM-User-Console Enabled 1 END-VENDOR F5 On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar@gmail.com> wrote:
Also, the update section under the ldap modules looks like this.
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control:Prohibited := 'prohibited' control:Group-Membership := 'groupMembership' reply:F5-LTM-User-Info-1 := 'userInfo' reply:F5-LTM-User-Role := 'userRole' reply:F5-LTM-User-Partition := 'userPartition' reply:F5-LTM-User-Shell := 'userShell' }
Attributes are not retrieved for groups. You need to add profiles with the various reply attributes, and add that profile to the user.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 21.05.2014 21:41, Ajinkya Fotedar wrote:
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Info-1+=\"R&D\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Partition+=\"RnD\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Role+=\"100\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Shell+=\"tmsh\"'
what's actually wrong in your config is this entry in the ldap update map : reply:F5-LTM-User-Info-1 := 'radiusReplyItem' if you're using 3.0.x you should actually use valuepair_attribute = "radiusReplyItem" in your ldap configuration and update your ldap entries to add the list : # R&D, Groups, F5, Configuration, NIS, vt dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt cn: R&D description: Entiries for the R&D group user accounts member: uid=dawson,ou=People,ou=NIS,o=vt radiusReplyItem: reply:F5-LTM-User-Info-1+="R&D" radiusReplyItem: reply:F5-LTM-User-Partition+="RnD" radiusReplyItem: reply:F5-LTM-User-Role+=100 radiusReplyItem: reply:F5-LTM-User-Shell+="tmsh" you could set in the update {} section reply: += 'radiusReplyItem' and this would also work, but this is provided as a backward compatibility. i'll encourage you to rather use the new valuepair_attribute for reference : https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-avail... Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
Worked like a charm. Thank you so much Olivier ! On Thu, May 22, 2014 at 1:28 AM, Olivier Beytrison <olivier@heliosnet.org>wrote:
On 21.05.2014 21:41, Ajinkya Fotedar wrote:
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Info-1+=\"R&D\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Partition+=\"RnD\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Role+=\"100\"' (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Shell+=\"tmsh\"'
what's actually wrong in your config is this entry in the ldap update map :
reply:F5-LTM-User-Info-1 := 'radiusReplyItem'
if you're using 3.0.x you should actually use valuepair_attribute = "radiusReplyItem" in your ldap configuration
and update your ldap entries to add the list :
# R&D, Groups, F5, Configuration, NIS, vt dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt cn: R&D description: Entiries for the R&D group user accounts member: uid=dawson,ou=People,ou=NIS,o=vt radiusReplyItem: reply:F5-LTM-User-Info-1+="R&D" radiusReplyItem: reply:F5-LTM-User-Partition+="RnD" radiusReplyItem: reply:F5-LTM-User-Role+=100 radiusReplyItem: reply:F5-LTM-User-Shell+="tmsh"
you could set in the update {} section reply: += 'radiusReplyItem' and this would also work, but this is provided as a backward compatibility. i'll encourage you to rather use the new valuepair_attribute
for reference : https://github.com/FreeRADIUS/ freeradius-server/blob/master/raddb/mods-available/ldap#L27
Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (3)
-
Ajinkya Fotedar -
Arran Cudbard-Bell -
Olivier Beytrison