Re: FreeRADIUS fails to include attributes in response to a Juniper switch
On Aug 11, 2022, at 9:27 AM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> wrote: I tried commenting it out. Same failure. I suggest reading the documentation instead of trying random things. And paying attention to what you're doing. Your "users" file entries are mostly wrong. # DEFAULT Auth-Type := ntlm_auth bobb Cleartext-Password := "hello" Typo in "bobb". This doesn't affect anything, but it's still a typo. Not a typo. I used a different name. DEFAULT LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" This matches the LDAP group, and then... does nothing. See the documentation for the "users" file, and look for reply attributes. Looking at the man page for users, I now see what you are referring to. i.e. Why doesn't it send any reply attributes when I don't put reply attributes in the users file?" That question answers itself. So... put reply attributes here. As done in the other examples. As the documentation says. I am following what was previously done on Cistron RADIUS DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP Old and not necessary. Delete it. It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP Old and not necessary. Delete it. It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms DEFAULT Hint == "SLIP" Framed-Protocol = SLIP Old and not necessary. Delete it. It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms DEFAULT Group-Name = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" Juniper-Local-User-Name = "remote-nocengr", Service-Type = Login-User, Fall-Through = No Why "Group-Name", and not "LDAP-Group"? DEFAULT Group = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" Juniper-Local-User-Name = "remote-nocengr", Service-Type = Login-User, Fall-Through = Yes Why "Group", and not "LDAP-Group"? The documentation makes it clear that "Group" and "Group-Name" is for unix group checking. And the main difference between the last two entires is that one has "Fall-Through = yes", and the other has "Fall-Through = no". You're randomly using "LDAP-Group", "Group", and "Group-Name" as synonyms. They're not. You're randomly adding reply attributes to some users file entries, and then not to others. Please be more specific as to “the documentation”. I found “LDAP-Group", "Group", and "Group-Name" referenced in dictionary.freeradius.internal but without any explanation. This looks like you're just trying a bunch of things by mashing at the keyboard, and not paying attention to details. It helps rather a lot to read the docs, to pay attention to details, and to take a careful approach to making changes. Where is the documentation about adding VSA’s to the RADIUS response, please ?
On Aug 12, 2022, at 7:30 AM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Old and not necessary. Delete it.
It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms
Are you using those entries? No? Then they don't do anything for you. Either they can be left alone, (because they have no effect), or they can be deleted (because they have no effect). The server comes with many examples and defaults for many different situations. We're well aware of where these come from. The goal is to allow administrators to get "most things" working quickly, with minimal effort. But it never hurts to read the examples and defaults. For many reasons. It helps you understand how the server works. I helps you see examples of the server doing different things. And it lets you read something and go "I'm not using that feature, I can probably delete this bit of the configuration".
The documentation makes it clear that "Group" and "Group-Name" is for unix group checking. ... Please be more specific as to “the documentation”. I found “LDAP-Group", "Group", and "Group-Name" referenced in dictionary.freeradius.internal but without any explanation.
Is that the only documentation which comes with the server? If you read the LDAP module configuration and documentation, it says to use LDAP-Group for LDAP group checking. Nothing in any of the LDAP documentation says to use Group or Group-Name. There is *other* documentation which refers to Group and Group-Name, and *other* module configuration. But that doesn't matter, because you're not using the relevant module(s).
Where is the documentation about adding VSA’s to the RADIUS response, please ?
VSA documentation is not needed. There is nothing special about VSAs. They're just attributes with names. So to add VSAs to the response, you use "name = value", as with any other attribute. You got that part right in the example "users" file you posted. If you had fixed it so that the rest of it was correct, you would have seen the Juniper-Local-User-Name in the response. Your "users" file entry would have worked if you had added reply attributes to the line using LDAP-Group. Which was what I was suggesting that you do. If you had simply done that, there would be no need to ask the question about "adding VSAs to the RADIUS response". You would have done it, and seen that it worked. There are few things to improve here. One is a methodical approach. This is documented in "man radiusd" among other places. Make one change, test it, and go to the next thing only when that change works. This method allows you to focus on one problem at a time. It also is *faster* than making a bunch of changes, and then trying to figure out which of 10 things broke the server. Making one change at a time also lets you understand the server better. It lets you ignore all of the stuff you don't care about right now, and focus on the behavior difference which MUST be due to that change. That lets you build a mental model of how the server works, one piece at a time. Another thing to improve is attention to detail. Nothing in the documentation says you can use "Group" or "Group-Name" for LDAP group checking. The documentation DOES say to use LDAP-Group. It is therefore completely wrong (and a waste of time) to use anything other than LDAP-Group for group checking. The same goes for "users" file entries. Don't just randomly type things in, and wonder why entries with no reply attributes don't send reply attributes. The format of the "users" file is document, and the file itself points you to the relevant "man" page. It is a complete waste of time to randomly poke at the file without understanding how it works. A much better approach is to read the documentation, and edit the file with the goal of creating a configuration that reaches the goal you want, given the behavior of the "users" file. The way it's coming across right now is that you don't read the documentation, or you don't believe it, or you simple don't pay attention. This approach is guaranteed to waste enormous amounts of time. Alan DeKok.
participants (2)
-
Alan DeKok -
White, Daniel E. (GSFC-770.0)[AEGIS]