FreeRADIUS, OpenLDAP and F5 VSAs
Ajinkya Fotedar
ajinkyafotedar at gmail.com
Mon May 19 21:36:17 CEST 2014
Also, the update section under the ldap modules looks like this.
update {
    control:Password-With-Header += 'userPassword'
    control:NT-Password := 'ntPassword'
    control:Prohibited := 'prohibited'
    control:Group-Membership := 'groupMembership'
    reply:F5-LTM-User-Info-1 := 'userInfo'
    reply:F5-LTM-User-Role := 'userRole'
    reply:F5-LTM-User-Partition := 'userPartition'
    reply:F5-LTM-User-Shell := 'userShell'
}
On Mon, May 19, 2014 at 3:33 PM, Ajinkya Fotedar <ajinkyafotedar at gmail.com> wrote:
> Hi,
>
> I am trying to send F5 vendor-specific attributes in the Access-Accept
> packet.
>
> When freeradius (ldap module) searches and finds a specific user in
> openldap, it processes the user's attributes and adds them to the control
> list. One of the attributes specifies the group that user account belongs
> to.
>
> The next step is to find that user in the specified group, which is
> successful. Only this time, there are some F5 VSAs that are not getting
> added to the reply list. When I pass those VSAs in the Access-Accept
> packet, I see them as Attr-26 = 0x00000d2f
>
> I have read the rlm_ldap and related documentation on the wiki. I am not
> sure why I don't see the value of F5 VSAs in the reply as I can definitely
> process the attributes defined for a user account under the People subtree.
>
> Below is the debug output and some configuration. Can anyone point me in
> the right direction?
>
>
> Thank you.
>
>
> *RADIUS debug*
>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 198.82.169.55 port 52634, id=78, length=132
> User-Name = 'dawson'
> NAS-IP-Address = 198.82.169.55
> NAS-Port = 234234
> Message-Authenticator = 0x9552e405f519c05100b3510ad97bcec0
> MS-CHAP-Challenge = 0x9dcbb5409eb06d58
> MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81
> (0) # Executing section authorize from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
> (0) authorize {
> (0) filter_username filter_username {
> (0) ? if (User-Name != "%{tolower:%{User-Name}}")
> (0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
> (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (0) ? if (User-Name =~ / /)
> (0) ? if (User-Name =~ / /) -> FALSE
> (0) ? if (User-Name =~ /@.*@/ )
> (0) ? if (User-Name =~ /@.*@/ ) -> FALSE
> (0) ? if (User-Name =~ /\\.\\./ )
> (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
> (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
> (0) ? if (User-Name =~ /\\.$/)
> (0) ? if (User-Name =~ /\\.$/) -> FALSE
> (0) ? if (User-Name =~ /@\\./)
> (0) ? if (User-Name =~ /@\\./) -> FALSE
> (0) } # filter_username filter_username = notfound
> (0) [preprocess] = ok
> (0) auth_log : expand: "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140519'
> (0) auth_log : /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/198.82.169.55/auth-detail-20140519
> (0) auth_log : expand: "%t" -> 'Mon May 19 14:55:25 2014'
> (0) [auth_log] = ok
> (0) update control {
> (0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" -> 'uid=dawson,ou=People,ou=NIS,o=vt'
> (0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
> (0) } # update control = noop
> rlm_ldap (ldap): Reserved connection (4)
> (0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" -> '(&(uid=dawson))'
> (0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
> (0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter '(&(uid=dawson))'
> (0) ldap : Waiting for search result...
> (0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
> (0) ldap : Processing user attributes
> (0) ldap : control:Password-With-Header += '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
> (0) ldap : control:Password-With-Header += '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
> (0) ldap : control:Prohibited := FALSE
> (0) ldap : control:Group-Membership := 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
> (0) ldap : control:Group-Membership := 'cn=TLOS,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
> rlm_ldap (ldap): Released connection (4)
> (0) [-ldap] = ok
> (0) pap : Normalizing NT-Password from hex encoding
> (0) pap : Normalizing SSHA1-Password from base64 encoding
> (0) pap : No clear-text password in the request. Not performing PAP.
> (0) [pap] = noop
> (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> (0) [mschap] = ok
> (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
> (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
> (0) ? if (Ldap-Group != "%{control:Group-Membership}")
> (0) expand: "%{control:Group-Membership}" -> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
> (0) Searching for user in group "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
> rlm_ldap (ldap): Reserved connection (4)
> (0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
> (0) Checking for user in group objects
> (0) expand: "(&(objectClass=f5Group)(member=%{control:Ldap-UserDn}))" -> '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
> (0) Performing search in 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&(objectClass=f5Group)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
> (0) Waiting for search result...
> (0) User found in group object
> rlm_ldap (ldap): Released connection (4)
> (0) ? if (Ldap-Group != "%{control:Group-Membership}") -> FALSE
> (0) else else {
> (0) update reply {
> (0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
> (0) F5-LTM-User-Info-1 := ""
> (0) expand: "%{reply:F5-LTM-User-Role}" -> ''
> (0) F5-LTM-User-Role := Administrator
> (0) expand: "%{reply:F5-LTM-User-Partition}" -> ''
> (0) F5-LTM-User-Partition := ""
> (0) expand: "%{reply:F5-LTM-User-Shell}" -> ''
> (0) F5-LTM-User-Shell := ""
> (0) } # update reply = noop
> (0) } # else else = noop
> (0) ? if ("%{reply:F5-LTM-User-Info-1}")
> (0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
> (0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE
> (0) } # authorize = ok
> (0) Found Auth-Type = MSCHAP
> (0) # Executing group from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
> (0) authenticate {
> (0) mschap : No Cleartext-Password configured. Cannot create LM-Password
> (0) mschap : Found NT-Password
> (0) mschap : Client is using MS-CHAPv1 with NT-Password
> (0) mschap : adding MS-CHAPv1 MPPE keys
> (0) [mschap] = ok
> (0) } # authenticate = ok
> (0) WARNING: Empty post-auth section. Using default return values.
> (0) # Executing section post-auth from file /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
> Sending Access-Accept of id 78 from 198.82.169.55 port 1830 to 198.82.169.55 port 52634
> F5-LTM-User-Info-1 = ''
> F5-LTM-User-Role = Administrator
> F5-LTM-User-Partition = ''
> F5-LTM-User-Shell = ''
> MS-CHAP-MPPE-Keys = 0x0000000000000000122d083be857e0cf1f5c975f5efd01cc0000000000000000
> MS-MPPE-Encryption-Policy = Encryption-Allowed
> MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> (0) Finished request 0.
> Waking up in 0.3 seconds.
> Waking up in 4.6 seconds.
>
>
>
>
> *radtest*
>
>
> $ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123
> /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/bin/radclient)
> /apps/radius/freeradius-3.0.1/bin/radclient: /usr/local/samba/lib/libtalloc.so.2: no version information available (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)
> Sending Access-Request of id 78 from 0.0.0.0 port 52634 to 198.82.169.55 port 1830
> User-Name = 'dawson'
> NAS-IP-Address = 198.82.169.55
> NAS-Port = 234234
> Message-Authenticator = 0x00
> MS-CHAP-Challenge = 0x9dcbb5409eb06d58
> MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000dcc9a916ce5fc5419b592ba3be3e116831d411dc6e454c81
> Code: 1
> Id: 78
> Length: 132
> Vector: 1e35220367d4329bdebec2d38afe7fd6
> Data: 01 08 64 61 77 73 6f 6e
>       04 06 c6 52 a9 37
>       05 06 00 03 92 fa
>       50 12 95 52 e4 05 f5 19 c0 51 00 b3 51 0a d9 7b ce c0
>       1a 10 00 00 01 37 0b 0a 9d cb b5 40 9e b0 6d 58
>       1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00
>       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>       dc c9 a9 16 ce 5f c5 41 9b 59 2b a3 be 3e 11 68
>       31 d4 11 dc 6e 45 4c 81
> rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=78, length=114
> Code: 2
> Id: 78
> Length: 114
> Vector: e1389574bdb00555d937ba3d5fac91d7
> Data: 1a 06 00 00 0d 2f
>       1a 0c 00 00 0d 2f 01 06 00 00 00 00
>       1a 06 00 00 0d 2f
>       1a 06 00 00 0d 2f
>       1a 28 00 00 01 37 0c 22 1d 16 9c ca 93 1c 0f eb 35 cd
>       73 0b ac 58 5c 61 81 2a d8 a6 81 3e bb 70 4a ce
>       98 0e d8 d5 d9 d3
>       1a 0c 00 00 01 37 07 06 00 00 00 01
>       1a 0c 00 00 01 37 08 06 00 00 00 06
> Attr-26 = 0x00000d2f
> F5-LTM-User-Role = Administrator
> Attr-26 = 0x00000d2f
> Attr-26 = 0x00000d2f
> MS-CHAP-MPPE-Keys = 0x
> MS-MPPE-Encryption-Policy = Encryption-Allowed
> MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
>
>
>
>
> *LDAP module*
>
>
> user {
>     base_dn = "ou=People,${..base_dn}"
>     filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>     scope = 'sub'
> }
>
> group {
>     base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
>     filter = "(objectClass=f5Group)"
>     scope = 'base'
>     name_attribute = cn
>     membership_filter = "(member=%{control:Ldap-UserDn})"
> }
>
>
>
>
> *Default server*
>
>
> authorize {
>     filter_username
>     preprocess
>     auth_log
>     update control {
>         Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
>     }
>     -ldap
>     pap
>     mschap
>
>     # Invalid People
>     if (!(control:NT-Password) || control:Prohibited == TRUE) {
>         update control {
>             Auth-Type := Reject
>         }
>     }
>
>     # "%{control:Group-Membership}"
>     if (Ldap-Group != "%{control:Group-Membership}") {
>         update control {
>             Auth-Type := Reject
>         }
>     }
>     else {
>         update reply {
>             F5-LTM-User-Info-1 := "%{reply:F5-LTM-User-Info-1}"
>             F5-LTM-User-Role := "%{reply:F5-LTM-User-Role}"
>             F5-LTM-User-Partition := "%{reply:F5-LTM-User-Partition}"
>             F5-LTM-User-Shell := "%{reply:F5-LTM-User-Shell}"
>         }
>     }
> }
>
> authenticate {
>     mschap
>     pap
> }
>
>
>
>
>
> *OpenLDAP Entries*
>
>
> # dawson, People, NIS, vt
> dn: uid=dawson,ou=People,ou=NIS,o=vt
> cn: Jacob M. Dawson
> uid: dawson
> sn: Dawson
> givenName: Jacob
> groupMembership: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
> prohibited: FALSE
> objectClass: inetOrgPerson
> objectClass: nisUserAccount
>
> # R&D, Groups, F5, Configuration, NIS, vt
> dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
> cn: R&D
> description: Entiries for the R&D group user accounts
> userInfo: R&D
> userPartition: RnD
> userRole: 100
> userShell: tmsh
> member: uid=dawson,ou=People,ou=NIS,o=vt
> objectClass: f5Group
> objectClass: groupOfNames
>
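The radclient output quoted above prints three of the four F5 attributes as "Attr-26 = 0x00000d2f". Decoding the Access-Accept bytes from that dump shows what those attributes contain: each is six bytes, type 26, length 6 and the vendor id 0x00000d2f, with no vendor sub-attribute behind it, which is what the server debug's 'F5-LTM-User-Info-1 := ""' style assignments produce. The one F5 attribute with a payload is F5-LTM-User-Role, sent as the integer 0, which the dictionary names Administrator even though the debug shows it was assigned from an empty expansion; a reply that hands out an administrative role from an empty value is worth catching before the F5 acts on it. The parser below is an added example, not code from the original post or from FreeRADIUS. It takes the hex dump quoted in the thread as constructed input and names only the sub-attributes that the thread's own radclient output (F5, vendor 3375) or RFC 2548 (Microsoft, vendor 311) identify; every other vendor type is reported raw rather than guessed.

```python
"""Decode the attribute area of a RADIUS Access-Accept and flag Vendor-Specific
Attributes (type 26) that carry only a vendor id and no vendor payload.

Added example, not part of the original post or of FreeRADIUS.  The input is
the Access-Accept hex dump quoted in the thread (constructed test data)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

VSA_TYPE = 26

# Only names the thread's own radclient output (F5) and RFC 2548 (Microsoft)
# establish; any other (vendor, type) pair is reported raw, not guessed.
VENDORS: Dict[int, str] = {0x0D2F: "F5", 0x0137: "Microsoft"}
VENDOR_ATTRS: Dict[Tuple[int, int], Tuple[str, Optional[Dict[int, str]]]] = {
    (0x0D2F, 1): ("F5-LTM-User-Role", {0: "Administrator"}),
    (0x0137, 7): ("MS-MPPE-Encryption-Policy", {1: "Encryption-Allowed"}),
    (0x0137, 8): ("MS-MPPE-Encryption-Types", {6: "RC4-40or128-bit-Allowed"}),
    (0x0137, 12): ("MS-CHAP-MPPE-Keys", None),  # opaque octets, encrypted per RFC 2548
}

# Constructed input: the Access-Accept attribute bytes from the radclient dump.
ACCESS_ACCEPT_DATA = bytes.fromhex(
    "1a 06 00 00 0d 2f "
    "1a 0c 00 00 0d 2f 01 06 00 00 00 00 "
    "1a 06 00 00 0d 2f "
    "1a 06 00 00 0d 2f "
    "1a 28 00 00 01 37 0c 22 1d 16 9c ca 93 1c 0f eb 35 cd "
    "73 0b ac 58 5c 61 81 2a d8 a6 81 3e bb 70 4a ce "
    "98 0e d8 d5 d9 d3 "
    "1a 0c 00 00 01 37 07 06 00 00 00 01 "
    "1a 0c 00 00 01 37 08 06 00 00 00 06"
)


@dataclass
class Attr:
    attr_type: int
    vendor: Optional[int]       # None for a plain (non-VSA) attribute
    vendor_type: Optional[int]  # None when the VSA has no vendor payload
    name: str
    value: Union[int, bytes]
    text: str                   # rendering comparable to radclient's output

    @property
    def empty_vsa(self) -> bool:
        return self.attr_type == VSA_TYPE and self.vendor_type is None


def decode_attributes(data: bytes) -> List[Attr]:
    """Walk the TLV list that follows the 20-byte RADIUS header."""
    out: List[Attr] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        payload = data[pos + 2:pos + alen]
        start, pos = pos, pos + alen
        if atype != VSA_TYPE:
            out.append(Attr(atype, None, None, f"Attr-{atype}", payload, "0x" + payload.hex()))
            continue
        if len(payload) < 4:
            raise ValueError(f"VSA at offset {start} is shorter than a vendor id")
        vendor = struct.unpack("!I", payload[:4])[0]
        body = payload[4:]
        if not body:
            # Type, length and vendor id only.  radclient has nothing to look up
            # in a dictionary, so it prints the raw payload: "Attr-26 = 0x00000d2f".
            out.append(Attr(VSA_TYPE, vendor, None, "Attr-26", payload, "0x" + payload.hex()))
            continue
        out.extend(decode_vendor_tlvs(vendor, body))
    return out


def decode_vendor_tlvs(vendor: int, body: bytes) -> List[Attr]:
    """Decode the vendor-type/vendor-length/value list inside one VSA."""
    out: List[Attr] = []
    vpos = 0
    while vpos < len(body):
        if len(body) - vpos < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = body[vpos], body[vpos + 1]
        if vlen < 2 or vpos + vlen > len(body):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        vdata = body[vpos + 2:vpos + vlen]
        vpos += vlen
        name, enum = VENDOR_ATTRS.get((vendor, vtype), (f"Vendor-{vendor}-Attr-{vtype}", None))
        if enum is not None and len(vdata) == 4:
            number = struct.unpack("!I", vdata)[0]
            out.append(Attr(VSA_TYPE, vendor, vtype, name, number, enum.get(number, str(number))))
        else:
            out.append(Attr(VSA_TYPE, vendor, vtype, name, vdata, "0x" + vdata.hex()))
    return out


def empty_vsa_report(attrs: List[Attr]) -> List[str]:
    """One line per VSA without a vendor payload, the symptom debugged in the thread."""
    return [f"empty VSA: vendor {VENDORS.get(a.vendor, 'unknown')} ({a.vendor:#010x})"
            for a in attrs if a.empty_vsa]


if __name__ == "__main__":
    decoded = decode_attributes(ACCESS_ACCEPT_DATA)
    for a in decoded:
        print(f"{a.name} = {a.text}")
    for line in empty_vsa_report(decoded):
        print(line)
```

Run as a script it prints the seven attributes with the names radclient would give them, followed by one line per empty VSA. Pointing decode_attributes at the bytes of your own reply (everything after the 20-byte header) makes the difference between an attribute that left the server empty and one that was never added visible at the byte level, which is the distinction the thread is chasing.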