FreeRADIUS, OpenLDAP and F5 VSAs
Ajinkya Fotedar
ajinkyafotedar at gmail.com
Wed May 21 21:41:38 CEST 2014
Hi Arran,
I have used the radiusReplyItem attribute in the user objects in OpenLDAP. I
have modified the entries in OpenLDAP accordingly and can see the required
attributes as reply items in the Access-Accept packet, although I am not
getting the attributes as I would expect. This has something to do with
attribute mapping, but I am not sure which parts of the FreeRADIUS server
config require tweaks. Can anyone help me out with the same?
This is how I would like the radtest output to look:
$ radtest jsmith test 192.168.1.100 0 secret
Sending Access-Request of id 187 to 192.168.1.100 port 1812
User-Name = "jsmith"
User-Password = "test"
NAS-IP-Address = 192.168.1.100
NAS-Port = 0
rad_recv: Access-Accept packet from host 192.168.1.100 port 1812, id=187,
length=112
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
* F5-LTM-User-Role = Manager*
* F5-LTM-User-Info-1 = "mgmt"*
* F5-LTM-User-Partition = "admin"*
* F5-LTM-User-Shell = "tmsh"*
And this is what it looks like right now:
$ radtest -t mschap dawson wakkawakka 198.82.169.55:1830 234234 testing123
Sending Access-Request of id 48 from 0.0.0.0 port 33814 to 198.82.169.55
port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0x45c9d617e4bbadea
MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000079a2d20cd58f9af0c5957ede5deaf85b04b2dd9bec6104eb
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=48,
length=153
*F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"'*
* F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"'*
* F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"'*
* F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"'*
Below are the outputs for radius debug, radtest and some FreeRADIUS and
OpenLDAP config.
Would really appreciate any help.
Thank you.
*RADIUS debug*
rad_recv: Access-Request packet from host 198.82.169.55 port 34716, id=142,
length=132
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0xa28852d05f29ba0fac4c4b1046e4178c
MS-CHAP-Challenge = 0x4e9904591878fd82
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000606a875cc1203e10b37861612644c9e3f4e709f7e56f53b9
(0) # Executing section authorize from file
/apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : expand:
"/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/
198.82.169.55/auth-detail-20140521'
(0) auth_log :
/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to
/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/
198.82.169.55/auth-detail-20140521
(0) auth_log : expand: "%t" -> 'Wed May 21 08:31:51 2014'
(0) [auth_log] = ok
(0) update control {
(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" ->
'uid=dawson,ou=People,ou=NIS,o=vt'
(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
(0) } # update control = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" ->
'(&(uid=dawson))'
(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter
'(&(uid=dawson))'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
(0) ldap : expand: "(&)" -> '(&)'
(0) ldap : Performing search in
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)'
(0) ldap : Waiting for search result...
(0) ldap : Processing profile attributes
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Info-1+=\"R&D\"'
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Partition+=\"RnD\"'
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Role+=\"100\"'
(0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Shell+=\"tmsh\"'
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header +=
'{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
(0) ldap : control:Password-With-Header +=
'{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
(0) ldap : control:Prohibited := FALSE
(0) ldap : control:Radius-Profile-DN :=
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
rlm_ldap (ldap): Released connection (4)
*rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)*
(0) [-ldap] = ok
(0) pap : Normalizing NT-Password from hex encoding
(0) pap : Normalizing SSHA1-Password from base64 encoding
(0) pap : No clear-text password in the request. Not performing PAP.
(0) [pap] = noop
(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}")
(0) expand: "%{control:Radius-Profile-DN}" ->
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) Searching for user in group
"cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
(0) Checking for user in group objects
(0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
->
'(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Performing search in
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter
'(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Waiting for search result...
(0) User found in group object
rlm_ldap (ldap): Released connection (4)
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE
(0) else else {
(0) update control {
(0) Auth-Type := Accept
(0) } # update control = noop
(0) } # else else = noop
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
*(0) WARNING: Empty post-auth section. Using default return values.*
(0) # Executing section post-auth from file
/apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
Sending Access-Accept of id 142 from 198.82.169.55 port 1830 to
198.82.169.55 port 34716
F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"'
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 142 with timestamp +12
*Ready to process requests.*
*radtest*
$ radtest -t mschap dawson wakkawakka 198.82.169.55:1830 234234 testing123
Sending Access-Request of id 48 from 0.0.0.0 port 33814 to 198.82.169.55
port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0x45c9d617e4bbadea
MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000079a2d20cd58f9af0c5957ede5deaf85b04b2dd9bec6104eb
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=48,
length=153
F5-LTM-User-Info-1 = 'F5-LTM-User-Info-1+=\"R&D\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Partition+=\"RnD\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Role+=\"100\"'
F5-LTM-User-Info-1 = 'F5-LTM-User-Shell+=\"tmsh\"'
*sites-enabled/default*
authorize {
    filter_username
    preprocess
    auth_log
    update control {
        Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
    }
    -ldap
    pap
    mschap
    if (!(control:NT-Password) || control:Prohibited == TRUE) {
        update control {
            Auth-Type := Reject
        }
    }
    if (Ldap-Group != "%{control:Radius-Profile-DN}") {
        update control {
            Auth-Type := Reject
        }
    }
    else {
        update control {
            Auth-Type := Accept
        }
    }
}
authenticate {
    mschap
    pap
}
*mods-enabled/ldap*
update {
    control:Password-With-Header += 'userPassword'
    control:NT-Password := 'ntPassword'
    control:Prohibited := 'prohibited'
    control:Radius-Profile-DN := 'radiusProfileDn'
    reply:F5-LTM-User-Info-1 := 'radiusReplyItem'
    #reply:Reply-Message := 'radiusReplyMessage'
}
user {
    base_dn = "ou=People,${..base_dn}"
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
    scope = 'sub'
}
group {
    base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
    filter = "(objectClass=groupOfNames)"
    scope = 'base'
    name_attribute = cn
    membership_filter = "(member=%{control:Ldap-UserDn})"
}
*OpenLDAP*
# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entries for the R&D group user accounts
member: uid=dawson,ou=People,ou=NIS,o=vt
radiusReplyItem: F5-LTM-User-Info-1+="R&D"
radiusReplyItem: F5-LTM-User-Partition+="RnD"
radiusReplyItem: F5-LTM-User-Role+=100
radiusReplyItem: F5-LTM-User-Shell+="tmsh"
objectClass: groupOfNames
objectClass: radiusprofile
# dawson, People, NIS, vt
dn: uid=dawson,ou=People,ou=NIS,o=vt
cn: Jacob M. Dawson
uid: dawson
sn: Dawson
givenName: Jacob
objectClass: inetOrgPerson
objectClass: nisUserAccount
objectClass: radiusprofile
prohibited: FALSE
radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
*F5 VSAs*
VENDOR F5 3375
BEGIN-VENDOR F5
ATTRIBUTE F5-LTM-User-Role 1 integer
ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable
ATTRIBUTE F5-LTM-User-Partition 3 string
ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable
ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh
ATTRIBUTE F5-LTM-User-Context-1 10 integer
ATTRIBUTE F5-LTM-User-Context-2 11 integer
ATTRIBUTE F5-LTM-User-Info-1 12 string
ATTRIBUTE F5-LTM-User-Info-2 13 string
VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Resource-Admin 20
VALUE F5-LTM-User-Role User-Manager 40
VALUE F5-LTM-User-Role Manager 100
VALUE F5-LTM-User-Role App-Editor 300
VALUE F5-LTM-User-Role Operator 400
VALUE F5-LTM-User-Role Guest 700
VALUE F5-LTM-User-Role Policy-Editor 800
VALUE F5-LTM-User-Role No-Access 900
VALUE F5-LTM-User-Role-Universal Disabled 0
VALUE F5-LTM-User-Role-Universal Enabled 1
VALUE F5-LTM-User-Console Disabled 0
VALUE F5-LTM-User-Console Enabled 1
END-VENDOR F5
On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell <
a.cudbardb at freeradius.org> wrote:
>
> On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar at gmail.com>
> wrote:
>
> > Also, the update section under the ldap modules looks like this.
> >
> > update {
> > control:Password-With-Header += 'userPassword'
> > control:NT-Password := 'ntPassword'
> > control:Prohibited := 'prohibited'
> > control:Group-Membership := 'groupMembership'
> > reply:F5-LTM-User-Info-1 := 'userInfo'
> > reply:F5-LTM-User-Role := 'userRole'
> > reply:F5-LTM-User-Partition := 'userPartition'
> > reply:F5-LTM-User-Shell := 'userShell'
> > }
>
> Attributes are not retrieved for groups. You need to add profiles with the
> various reply attributes, and add that profile to the user.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
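Added illustration (not part of the thread, and not rlm_ldap's own code): the debug output above shows why the reply comes out wrong. The mapping `reply:F5-LTM-User-Info-1 := 'radiusReplyItem'` copies every LDAP value into F5-LTM-User-Info-1 as a string literal, so the string `F5-LTM-User-Role+=100` is never split into an attribute, an operator and a value. rlm_ldap in FreeRADIUS 3.0 has a separate `valuepair_attribute` setting for LDAP attributes whose values are written as `<attribute> <op> <value>`; the standalone Python below mimics that split against the F5 dictionary posted above, so the two treatments can be compared side by side and a group entry's radiusReplyItem values can be linted before they are loaded. The sample values are the ones from the R&D group entry; the parser, linter and function names are this example's own.

```python
"""
Compare a fixed mapping (every LDAP value -> one string VSA) with a
generic "attribute op value" mapping, and lint reply items against the
F5 VSA dictionary.  Standalone illustration; not FreeRADIUS code.
"""
import re

# F5 dictionary as posted on the list (vendor 3375), reduced to the
# attribute types and enumerated VALUE names the linter needs.
F5_ATTRS = {
    "F5-LTM-User-Role": "integer",
    "F5-LTM-User-Role-Universal": "integer",
    "F5-LTM-User-Partition": "string",
    "F5-LTM-User-Console": "integer",
    "F5-LTM-User-Shell": "string",
    "F5-LTM-User-Context-1": "integer",
    "F5-LTM-User-Context-2": "integer",
    "F5-LTM-User-Info-1": "string",
    "F5-LTM-User-Info-2": "string",
}
F5_VALUES = {
    "F5-LTM-User-Role": {
        "Administrator": 0, "Resource-Admin": 20, "User-Manager": 40,
        "Manager": 100, "App-Editor": 300, "Operator": 400,
        "Guest": 700, "Policy-Editor": 800, "No-Access": 900,
    },
    "F5-LTM-User-Role-Universal": {"Disabled": 0, "Enabled": 1},
    "F5-LTM-User-Console": {"Disabled": 0, "Enabled": 1},
}
# Shell values named in the dictionary comment.
F5_SHELLS = {"disable", "tmsh", "bpsh"}

# Constructed sample: the radiusReplyItem values of the R&D group entry.
REPLY_ITEMS = [
    'F5-LTM-User-Info-1+="R&D"',
    'F5-LTM-User-Partition+="RnD"',
    'F5-LTM-User-Role+=100',
    'F5-LTM-User-Shell+="tmsh"',
]

# [list:]Attr op value.  Attribute names are alphanumerics joined by single
# hyphens, so a trailing "-=" is read as the operator, not as part of the name.
PAIR_RE = re.compile(
    r'^\s*(?:(?P<list>[a-z-]+):)?'
    r'(?P<attr>[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*)\s*'
    r'(?P<op>:=|\+=|-=|==|=)\s*'
    r'(?P<value>.*?)\s*$'
)


def parse_reply_item(item):
    """Split 'Attr op Value' into (list, attr, op, raw_value).  Surrounding
    quotes are removed; nothing else (e.g. xlat expansion) is interpreted."""
    m = PAIR_RE.match(item)
    if not m:
        raise ValueError("not an 'attribute op value' string: %r" % item)
    value = m.group("value")
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return (m.group("list") or "reply", m.group("attr"), m.group("op"), value)


def fixed_mapping(items, target="F5-LTM-User-Info-1"):
    """Fixed mapping: every LDAP value lands in TARGET as a literal string."""
    return [(target, "=", item) for item in items]


def generic_mapping(items):
    """Generic mapping: parse each value and type-check it against the
    dictionary; returns (attr, op, typed_value) tuples or raises ValueError."""
    pairs = []
    for item in items:
        _list, attr, op, value = parse_reply_item(item)
        kind = F5_ATTRS.get(attr)
        if kind is None:
            raise ValueError("unknown F5 attribute %r" % attr)
        if kind == "integer":
            names = F5_VALUES.get(attr, {})
            if value in names:
                value = names[value]          # VALUE name -> number
            elif value.isdigit():
                value = int(value)
            else:
                raise ValueError("%s: %r is neither a number nor a VALUE name" % (attr, value))
        elif attr == "F5-LTM-User-Shell" and value not in F5_SHELLS:
            raise ValueError("%s: unsupported shell %r" % (attr, value))
        pairs.append((attr, op, value))
    return pairs


def lint(items):
    """One problem string per item that would not parse or type-check."""
    problems = []
    for item in items:
        try:
            generic_mapping([item])
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def render(pair):
    """Show a pair the way radtest prints it: enumerated integers by their
    VALUE name, strings double-quoted with inner quotes escaped."""
    attr, _op, value = pair
    if isinstance(value, int):
        by_number = {n: name for name, n in F5_VALUES.get(attr, {}).items()}
        return "%s = %s" % (attr, by_number.get(value, value))
    return '%s = "%s"' % (attr, value.replace('"', '\\"'))


if __name__ == "__main__":
    print("fixed mapping (what the debug output above shows):")
    for p in fixed_mapping(REPLY_ITEMS):
        print("   ", render(p))
    print("generic mapping (what the expected radtest output shows):")
    for p in generic_mapping(REPLY_ITEMS):
        print("   ", render(p))
    print("lint problems:", lint(REPLY_ITEMS))
```

Running the script prints the four F5-LTM-User-Info-1 literals first and then `F5-LTM-User-Role = Manager`, `F5-LTM-User-Shell = "tmsh"` and so on, which is the difference between the two radtest captures in the post. The linter only knows the F5 dictionary shown above, so standard attributes such as Framed-MTU are reported as unknown; extend F5_ATTRS if the group entries carry other attributes.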