FreeRadius/LDAP Generic Reply Attribute

Joel Prine jprine at suite224.net
Wed Mar 10 23:03:40 CET 2010


GOT IT!

In order to add both Cisco-AVPairs to the access-reply you must format them in LDAP as follows:
The critical part is the "+=" so that both attributes get appended to the request...

radiusReplyItem:Cisco-Avpair += 'lcp:interface-config#1=rate-limit input 768000 144000 144000 conform-action continue exceed-action drop'
radiusReplyItem:Cisco-Avpair += 'lcp:interface-config#1=rate-limit output 3072000 576000 576000 conform-action continue exceed-action drop'

Also, here is the "ldap.attrmap" file I am using, in case someone else wants to do this....
checkItem       Cleartext-Password              userPassword
replyItem       $GENERIC$                       radiusReplyItem

replyItem       Service-Type                    radiusServiceType
replyItem       Framed-Protocol                 radiusFramedProtocol
replyItem       Framed-IP-Address               radiusFramedIPAddress
replyItem       Framed-IP-Netmask               radiusFramedIPNetmask
replyItem       Framed-Route                    radiusFramedRoute
replyItem       Framed-Routing                  radiusFramedRouting
replyItem       Filter-Id                       radiusFilterId
replyItem       Framed-MTU                      radiusFramedMTU
replyItem       Framed-Compression              radiusFramedCompression
replyItem       Login-IP-Host                   radiusLoginIPHost
replyItem       Login-Service                   radiusLoginService
replyItem       Login-TCP-Port                  radiusLoginTCPPort
replyItem       Callback-Number                 radiusCallbackNumber
replyItem       Callback-Id                     radiusCallbackId
replyItem       Framed-IPX-Network              radiusFramedIPXNetwork
replyItem       Class                           radiusClass
replyItem       Session-Timeout                 radiusSessionTimeout
replyItem       Idle-Timeout                    radiusIdleTimeout
replyItem       Termination-Action              radiusTerminationAction
replyItem       Login-LAT-Service               radiusLoginLATService
replyItem       Login-LAT-Node                  radiusLoginLATNode
replyItem       Login-LAT-Group                 radiusLoginLATGroup
replyItem       Framed-AppleTalk-Link           radiusFramedAppleTalkLink
replyItem       Framed-AppleTalk-Network        radiusFramedAppleTalkNetwork
replyItem       Framed-AppleTalk-Zone           radiusFramedAppleTalkZone
replyItem       Port-Limit                      radiusPortLimit
replyItem       Login-LAT-Port                  radiusLoginLATPort
replyItem       Tunnel-Type                     radiusTunnelType
replyItem       Tunnel-Medium-Type              radiusTunnelMediumType
replyItem       Tunnel-Private-Group-Id         radiusTunnelPrivateGroupId

Any questions, please let me know.

Thank You,
Joel Prine
Systems Engineer
MCSE, CCNA, CSE
Conneaut Telephone / Suite224 Internet
Phone: (440) 593.7160
Fax: (440) 599.2230
JPrine at suite224.net





________________________________
P.O. Box 579 | Conneaut, Ohio 44030 | Ph: (440) 593.7113 | TF Ph: (888) 566.7113 | Fax:  (440) 599.2230
________________________________




On Mar 10, 2010, at 4:38 PM, Joel Prine wrote:

Update 2:
Got it most of the way:

In order to get it past the "#" and "=" in the string, you must quote ONLY the value, not the attribute name, as below...

LDAP directory entry....
radiusReplyItem: Cisco-Avpair = 'lcp:interface-config#1=rate-limit input 768000 144000 144000 conform-action continue exceed-action drop'

My only problem now is I need to send two of these, for input and output:
radiusReplyItem: Cisco-Avpair = 'lcp:interface-config#1=rate-limit input 768000 144000 144000 conform-action continue exceed-action drop'
radiusReplyItem: Cisco-Avpair = 'lcp:interface-config#1=rate-limit output 3072000 576000 576000 conform-action continue exceed-action drop'

Still working this one out....

Any questions, please let me know.





On Mar 10, 2010, at 4:03 PM, Joel Prine wrote:

UPDATE:

It is definitely the "#" that is killing me. If I move the "#" sign anywhere in the string, it keeps only the piece prior to the "#" sign. Is there a way to escape this character?

Any questions, please let me know.





On Mar 10, 2010, at 3:55 PM, Joel Prine wrote:

Hello,

I need to pass an odd reply attribute back to my Cisco router to limit DSL users' speeds on the interface. I am moving from Radiator to FreeRADIUS; we are doing this fine on Radiator from a MySQL database.

The ldap entry in the directory is
radiusReplyItem: Cisco-Avpair = lcp:interface-config#1=rate-limit input 512000 96000 96000 conform-action continue exceed-action drop

It appears that it is being truncated at the "#" sign. Is this field too long, or is a special character messing it up? If so, is there any way I can escape the special character?

Thanks for any help!



Here is the DEBUG; I have bolded the lines I noticed....
*********************
rad_recv: Access-Request packet from host 72.2.95.130 port 1645, id=121, length=94
        Framed-Protocol = PPP
        User-Name = "jprine at suitedsl"
        User-Password = "overout22"
        NAS-Port-Type = Virtual
        NAS-Port = 0
        NAS-Port-Id = "4/0/0/0"
        Service-Type = Framed-User
        NAS-IP-Address = 72.2.95.130
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm "suitedsl" for User-Name = "jprine at suitedsl"
[suffix] No such realm "suitedsl"
++[suffix] returns noop
[ldap] performing user authorization for jprine at suitedsl
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> jprine at suitedsl
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=jprine at suitedsl)
[ldap]  expand: dc=suite224,dc=net -> dc=suite224,dc=net
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=suite224,dc=net, with filter (uid=jprine at suitedsl)
[ldap] looking for check items in directory...
  [ldap] userPassword -> Cleartext-Password == "{CRYPT}$1$j83AynGz$QIU88xh94V3ocCI.zT/1R1"
[ldap] looking for reply items in directory...
  [ldap] radiusFramedIPAddress -> Framed-IP-Address = 72.2.84.77
  [ldap] extracted attribute Cisco-AVPair from generic item Cisco-Avpair = lcp:interface-config#1=rate-limit input 512000 96000 96000 conform-action continue exceed-action drop
[ldap] Setting Auth-Type = LDAP
[ldap] user jprine at suitedsl authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "jprine at suitedsl" with password "overout22"
[ldap] user DN: cn=jprine at suitedsl,ou=freeradius,dc=suite224,dc=net
  [ldap] (re)connect to 127.0.0.1:389, authentication 1
  [ldap] bind as cn=jprine at suitedsl,ou=freeradius,dc=suite224,dc=net/overout22 to 127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user jprine at suitedsl authenticated succesfully
++[ldap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 121 to 72.2.95.130 port 1645
        Framed-IP-Address = 72.2.84.77
        Cisco-AVPair = "lcp:interface-config"
Finished request 30.


Any questions, please let me know.

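The two behaviours this thread pins down, as an added illustration that is not FreeRADIUS code and not part of the original posts: a bare generic reply value is cut at the first "#" (the truncation visible in the debug output) while a quoted value survives, and a second `=` reply item for an attribute already in the reply is dropped while `+=` appends it. The "#"-as-comment rule for bare values is an assumption modeled on the debug output, and the sample LDAP values are constructed; the final function is a defender's check that the rate-limit AVPairs actually reached the reply.

```python
import re
from typing import List, Tuple

# Constructed sample LDAP values mirroring the thread (not the original entries verbatim).
RATE_IN = ("lcp:interface-config#1=rate-limit input 768000 144000 144000 "
           "conform-action continue exceed-action drop")
RATE_OUT = ("lcp:interface-config#1=rate-limit output 3072000 576000 576000 "
            "conform-action continue exceed-action drop")
LDAP_ASSIGN = [f"Cisco-Avpair = '{RATE_IN}'", f"Cisco-Avpair = '{RATE_OUT}'"]   # first attempt
LDAP_APPEND = [f"Cisco-Avpair += '{RATE_IN}'", f"Cisco-Avpair += '{RATE_OUT}'"]  # working form

# Model of the 'Attribute op value' syntax; the '#'-as-comment rule for bare values is
# inferred from the debug output in the thread, not taken from FreeRADIUS source.
_PAIR = re.compile(r"^\s*([A-Za-z0-9-]+)\s*(\+=|:=|=)\s*(.*?)\s*$")


def parse_reply_item(line: str) -> Tuple[str, str, str]:
    """Split a generic reply item into (attribute, operator, value)."""
    m = _PAIR.match(line)
    if not m:
        raise ValueError(f"not an attribute pair: {line!r}")
    attr, op, raw = m.groups()
    if len(raw) >= 2 and raw[0] in "'\"" and raw.endswith(raw[0]):
        return attr, op, raw[1:-1]                      # quoted: '#' and '=' are literal
    return attr, op, raw.split("#", 1)[0].rstrip()      # bare: text after '#' is dropped


def build_reply(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply reply-item operators to an empty reply list: '=' adds only when the
    attribute is absent, ':=' replaces existing instances, '+=' always appends."""
    reply: List[Tuple[str, str]] = []
    for line in lines:
        attr, op, value = parse_reply_item(line)
        present = any(a.lower() == attr.lower() for a, _ in reply)
        if op == "=" and present:
            continue                                    # second '=' is silently ignored
        if op == ":=":
            reply = [(a, v) for a, v in reply if a.lower() != attr.lower()]
        reply.append((attr, value))
    return reply


def missing_avpairs(reply: List[Tuple[str, str]], expected: List[str]) -> List[str]:
    """Policy check: expected Cisco-AVPair values that never reached the reply."""
    sent = {v for a, v in reply if a.lower() == "cisco-avpair"}
    return [e for e in expected if e not in sent]
```

A truncated or missing AVPair means the router silently applies no rate limit, so running the check against the reply you expect to send is worth doing before trusting a new directory entry.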