FreeRADIUS, OpenLDAP and F5 VSAs
Ajinkya Fotedar
ajinkyafotedar at gmail.com
Mon May 19 21:33:07 CEST 2014
Hi,
I am trying to send F5 vendor-specific attributes in the Access-Accept
packet.
When freeradius (ldap module) searches and finds a specific user in
openldap, it processes the user's attributes and adds them to the control
list. One of the attributes specifies the group that the user account belongs
to.
The next step is to find that user in the specified group, which is
successful. Only this time, there are some F5 VSAs that are not getting
added to the reply list. When I pass those VSAs in the Access-Accept
packet, I see them as Attr-26 = 0x00000d2f.
I have read the rlm_ldap and related documentation on the wiki. I am not
sure why I don't see the value of the F5 VSAs in the reply, as I can definitely
process the attributes defined for a user account under the People subtree.
Below is the debug output and some configuration. Can anyone point me in
the right direction?
Thank you.
*RADIUS debug*
Ready to process requests.
rad_recv: Access-Request packet from host 198.82.169.55 port 52634, id=78,
length=132
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x9552e405f519c05100b3510ad97bcec0
MS-CHAP-Challenge = 0x9dcbb5409eb06d58
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81
(0) # Executing section authorize from file
/apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : expand:
"/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/
198.82.169.55/auth-detail-20140519'
(0) auth_log :
/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to
/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/
198.82.169.55/auth-detail-20140519
(0) auth_log : expand: "%t" -> 'Mon May 19 14:55:25 2014'
(0) [auth_log] = ok
(0) update control {
(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" ->
'uid=dawson,ou=People,ou=NIS,o=vt'
(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
(0) } # update control = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" ->
'(&(uid=dawson))'
(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter
'(&(uid=dawson))'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header +=
'{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
(0) ldap : control:Password-With-Header +=
'{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
(0) ldap : control:Prohibited := FALSE
(0) ldap : control:Group-Membership :=
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) ldap : control:Group-Membership :=
'cn=TLOS,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
rlm_ldap (ldap): Released connection (4)
(0) [-ldap] = ok
(0) pap : Normalizing NT-Password from hex encoding
(0) pap : Normalizing SSHA1-Password from base64 encoding
(0) pap : No clear-text password in the request. Not performing PAP.
(0) [pap] = noop
(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
(0) ? if (Ldap-Group != "%{control:Group-Membership}")
(0) expand: "%{control:Group-Membership}" ->
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) Searching for user in group
"cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
(0) Checking for user in group objects
(0) expand: "(&(objectClass=f5Group)(member=%{control:Ldap-UserDn}))" ->
'(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Performing search in
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter
'(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Waiting for search result...
(0) User found in group object
rlm_ldap (ldap): Released connection (4)
(0) ? if (Ldap-Group != "%{control:Group-Membership}") -> FALSE
(0) else else {
(0) update reply {
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0) F5-LTM-User-Info-1 := ""
(0) expand: "%{reply:F5-LTM-User-Role}" -> ''
(0) F5-LTM-User-Role := Administrator
(0) expand: "%{reply:F5-LTM-User-Partition}" -> ''
(0) F5-LTM-User-Partition := ""
(0) expand: "%{reply:F5-LTM-User-Shell}" -> ''
(0) F5-LTM-User-Shell := ""
(0) } # update reply = noop
(0) } # else else = noop
(0) ? if ("%{reply:F5-LTM-User-Info-1}")
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE
(0) } # authorize = ok
(0) Found Auth-Type = MSCHAP
(0) # Executing group from file
/apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap : No Cleartext-Password configured. Cannot create LM-Password
(0) mschap : Found NT-Password
(0) mschap : Client is using MS-CHAPv1 with NT-Password
(0) mschap : adding MS-CHAPv1 MPPE keys
(0) [mschap] = ok
(0) } # authenticate = ok
(0) WARNING: Empty post-auth section. Using default return values.
(0) # Executing section post-auth from file
/apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
Sending Access-Accept of id 78 from 198.82.169.55 port 1830 to
198.82.169.55 port 52634
F5-LTM-User-Info-1 = ''
F5-LTM-User-Role = Administrator
F5-LTM-User-Partition = ''
F5-LTM-User-Shell = ''
MS-CHAP-MPPE-Keys =
0x0000000000000000122d083be857e0cf1f5c975f5efd01cc0000000000000000
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
*radtest*
$ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123
/apps/radius/freeradius-3.0.1/bin/radclient:
/usr/local/samba/lib/libtalloc.so.2: no version information available
(required by /apps/radius/freeradius-3.0.1/bin/radclient)
/apps/radius/freeradius-3.0.1/bin/radclient:
/usr/local/samba/lib/libtalloc.so.2: no version information available
(required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)
Sending Access-Request of id 78 from 0.0.0.0 port 52634 to 198.82.169.55
port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0x9dcbb5409eb06d58
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81
Code: 1
Id: 78
Length: 132
Vector: 1e35220367d4329bdebec2d38afe7fd6
Data: 01 08 64 61 77 73 6f 6e
04 06 c6 52 a9 37
05 06 00 03 92 fa
50 12 95 52 e4 05 f5 19 c0 51 00 b3 51 0a d9 7b ce c0
1a 10 00 00 01 37 0b 0a 9d cb b5 40 9e b0 6d 58
1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
dc c9 a9 16 ce 5f c5 41 9b 59 2b a3 be 3e 11 68
31 d4 11 dc 6e 45 4c 81
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=78,
length=114
Code: 2
Id: 78
Length: 114
Vector: e1389574bdb00555d937ba3d5fac91d7
Data: 1a 06 00 00 0d 2f
1a 0c 00 00 0d 2f 01 06 00 00 00 00
1a 06 00 00 0d 2f
1a 06 00 00 0d 2f
1a 28 00 00 01 37 0c 22 1d 16 9c ca 93 1c 0f eb 35 cd
73 0b ac 58 5c 61 81 2a d8 a6 81 3e bb 70 4a ce
98 0e d8 d5 d9 d3
1a 0c 00 00 01 37 07 06 00 00 00 01
1a 0c 00 00 01 37 08 06 00 00 00 06
Attr-26 = 0x00000d2f
F5-LTM-User-Role = Administrator
Attr-26 = 0x00000d2f
Attr-26 = 0x00000d2f
MS-CHAP-MPPE-Keys = 0x
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
*LDAP module*
user {
    base_dn = "ou=People,${..base_dn}"
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
    scope = 'sub'
}
group {
    base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
    filter = "(objectClass=f5Group)"
    scope = 'base'
    name_attribute = cn
    membership_filter = "(member=%{control:Ldap-UserDn})"
}
*Default server*
authorize {
    filter_username
    preprocess
    auth_log
    update control {
        Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
    }
    -ldap
    pap
    mschap
    # Invalid People
    if (!(control:NT-Password) || control:Prohibited == TRUE) {
        update control {
            Auth-Type := Reject
        }
    }
    # "%{control:Group-Membership}"
    if (Ldap-Group != "%{control:Group-Membership}") {
        update control {
            Auth-Type := Reject
        }
    }
    else {
        update reply {
            F5-LTM-User-Info-1 := "%{reply:F5-LTM-User-Info-1}"
            F5-LTM-User-Role := "%{reply:F5-LTM-User-Role}"
            F5-LTM-User-Partition := "%{reply:F5-LTM-User-Partition}"
            F5-LTM-User-Shell := "%{reply:F5-LTM-User-Shell}"
        }
    }
}
authenticate {
    mschap
    pap
}
*OpenLDAP Entries*
# dawson, People, NIS, vt
dn: uid=dawson,ou=People,ou=NIS,o=vt
cn: Jacob M. Dawson
uid: dawson
sn: Dawson
givenName: Jacob
groupMembership: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
prohibited: FALSE
objectClass: inetOrgPerson
objectClass: nisUserAccount
# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entiries for the R&D group user accounts
userInfo: R&D
userPartition: RnD
userRole: 100
userShell: tmsh
member: uid=dawson,ou=People,ou=NIS,o=vt
objectClass: f5Group
objectClass: groupOfNames
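What the three "Attr-26 = 0x00000d2f" lines in the radclient output actually are, as an added worked example that is not code from the post or from FreeRADIUS: the script below takes the Access-Accept "Data:" hex dump from the post and walks it as RADIUS type/length/value attributes, then splits each attribute 26 into its 4-byte vendor id and the vendor-type/vendor-length/value sub-attributes that should follow it. Vendor id 0x0d2f is 3375 (F5 Networks' enterprise number) and 0x137 is 311 (Microsoft). The first, third and fourth VSAs are exactly 6 bytes long, a vendor id with nothing after it; those correspond to the three attributes the "else" block assigned the empty string to, and because there is no vendor type to look up, a decoder can print nothing but the raw vendor id. Only F5-LTM-User-Role, which had a real value, carries sub-attribute 1 with integer value 0, which the post's output shows decoded as Administrator. The two-entry vendor-name table and the function names are this example's own assumptions.

```python
import struct

# Constructed from the Access-Accept "Data:" dump in the post above
# (94 bytes: packet Length 114 minus the 20-byte RADIUS header).
ACCESS_ACCEPT_DATA = bytes.fromhex(
    "1a 06 00 00 0d 2f "
    "1a 0c 00 00 0d 2f 01 06 00 00 00 00 "
    "1a 06 00 00 0d 2f "
    "1a 06 00 00 0d 2f "
    "1a 28 00 00 01 37 0c 22 1d 16 9c ca 93 1c 0f eb 35 cd "
    "73 0b ac 58 5c 61 81 2a d8 a6 81 3e bb 70 4a ce "
    "98 0e d8 d5 d9 d3 "
    "1a 0c 00 00 01 37 07 06 00 00 00 01 "
    "1a 0c 00 00 01 37 08 06 00 00 00 06 "
)

VENDOR_SPECIFIC = 26
# Assumed lookup table for the two vendors that appear in the dump.
VENDOR_NAMES = {3375: "F5", 311: "Microsoft"}


def _walk_tlvs(buf):
    """Yield (type, value) for a run of 1-byte-type / 1-byte-length TLVs.

    Both the top-level attribute list and the vendor data inside a VSA
    use this layout (RFC 2865 section 5 and 5.26)."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError("truncated TLV header at offset %d" % off)
        t, length = buf[off], buf[off + 1]
        if length < 2 or off + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        yield t, buf[off + 2:off + length]
        off += length


def parse_attributes(data):
    """Top-level RADIUS attributes as a list of (type, value)."""
    return list(_walk_tlvs(data))


def parse_vsa(value):
    """Split an attribute-26 value into (vendor_id, [(vendor_type, vendor_value), ...]).

    A VSA whose value is only the 4-byte vendor id yields an empty
    sub-attribute list; that is the shape behind "Attr-26 = 0x00000d2f"."""
    if len(value) < 4:
        raise ValueError("VSA shorter than the 4-byte vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, list(_walk_tlvs(value[4:]))


def vsas(data):
    """All VSAs in the packet data, parsed with parse_vsa()."""
    return [parse_vsa(v) for t, v in parse_attributes(data) if t == VENDOR_SPECIFIC]


def count_empty_vsas(data):
    """How many VSAs carry a vendor id but no vendor sub-attribute."""
    return sum(1 for _, subs in vsas(data) if not subs)


def describe(data):
    """Human-readable line per attribute, flagging empty VSAs explicitly."""
    lines = []
    for t, value in parse_attributes(data):
        if t != VENDOR_SPECIFIC:
            lines.append("Attr-%d = %s" % (t, value.hex()))
            continue
        vendor_id, subs = parse_vsa(value)
        name = VENDOR_NAMES.get(vendor_id, "unknown")
        if not subs:
            lines.append("VSA vendor %d (%s): EMPTY, vendor id only, no vendor type/length"
                         % (vendor_id, name))
        for vt, vv in subs:
            lines.append("VSA vendor %d (%s) type %d = %s"
                         % (vendor_id, name, vt, vv.hex() or "(zero-length)"))
    return lines


if __name__ == "__main__":
    for line in describe(ACCESS_ACCEPT_DATA):
        print(line)
    print("empty VSAs:", count_empty_vsas(ACCESS_ACCEPT_DATA))
```

Run stand-alone it prints one line per attribute; the three "EMPTY" lines are the ones radclient showed as bare vendor ids, and the Microsoft sub-attributes 7 = 1 and 8 = 6 line up with the decoded MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types values in the post.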