FreeRADIUS, OpenLDAP and F5 VSAs
Ajinkya Fotedar
ajinkyafotedar at gmail.com
Tue May 20 17:59:43 CEST 2014
Hi Arran,
Thank you so much for the reply. I have made the above changes and I can
see the attributes in the reply message (Access-Accept packet).
However, I am not sure whether this is what it should look like. I have not
tested it with F5 but just want to make sure that I am heading in the right
direction.
Below are the debug output and some configurations from FreeRADIUS and OpenLDAP.
Please let me know your thoughts.
Thank you.
*RADIUS debug*
rad_recv: Access-Request packet from host 198.82.169.55 port 50524, id=211,
length=132
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x14e775dc18fbbbd91c707988226a3a22
MS-CHAP-Challenge = 0xa92999be9652acdb
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
(0) # Executing section authorize from file
/apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : expand:
"/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/
198.82.169.55/auth-detail-20140520'
(0) auth_log :
/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to
/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/
198.82.169.55/auth-detail-20140520
(0) auth_log : expand: "%t" -> 'Tue May 20 11:37:46 2014'
(0) [auth_log] = ok
(0) update control {
(0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" ->
'uid=dawson,ou=People,ou=NIS,o=vt'
(0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
(0) } # update control = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" ->
'(&(uid=dawson))'
(0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
(0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter
'(&(uid=dawson))'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
(0) ldap : expand: "(&)" -> '(&)'
(0) ldap : Performing search in
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)'
(0) ldap : Waiting for search result...
(0) ldap : Processing profile attributes
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Info-1+=\"R&D\"'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Partition+=\"RnD\"'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Role+=100'
(0) ldap : reply:Reply-Message := 'F5-LTM-User-Shell+=\"tmsh\"'
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header +=
'{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
(0) ldap : control:Password-With-Header +=
'{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
(0) ldap : control:Prohibited := FALSE
(0) ldap : control:Radius-Profile-DN :=
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
rlm_ldap (ldap): Released connection (4)
(0) [-ldap] = ok
(0) pap : Normalizing NT-Password from hex encoding
(0) pap : Normalizing SSHA1-Password from base64 encoding
(0) pap : No clear-text password in the request. Not performing PAP.
(0) [pap] = noop
(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
(0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}")
(0) expand: "%{control:Radius-Profile-DN}" ->
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
(0) Searching for user in group
"cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
rlm_ldap (ldap): Reserved connection (4)
(0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
(0) Checking for user in group objects
(0) expand: "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
->
'(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Performing search in
'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter
'(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
(0) Waiting for search result...
(0) User found in group object
rlm_ldap (ldap): Released connection (4)
(0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE
(0) else else {
(0) update control {
(0) Auth-Type := Accept
(0) } # update control = noop
(0) } # else else = noop
(0) ? if ("%{reply:F5-LTM-User-Info-1}")
(0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
(0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
*(0) WARNING: Empty post-auth section. Using default return values.*
(0) # Executing section post-auth from file
/apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
Sending Access-Accept of id 211 from 198.82.169.55 port 1830 to
198.82.169.55 port 50524
Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
Reply-Message = 'F5-LTM-User-Role+=100'
Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 211 with timestamp +2
*Ready to process requests.*
*radtest*
$ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234 testing123
/apps/radius/freeradius-3.0.1/bin/radclient:
/usr/local/samba/lib/libtalloc.so.2: no version information available
(required by /apps/radius/freeradius-3.0.1/bin/radclient)
/apps/radius/freeradius-3.0.1/bin/radclient:
/usr/local/samba/lib/libtalloc.so.2: no version information available
(required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)
Sending Access-Request of id 211 from 0.0.0.0 port 50524 to 198.82.169.55
port 1830
User-Name = 'dawson'
NAS-IP-Address = 198.82.169.55
NAS-Port = 234234
Message-Authenticator = 0x00
MS-CHAP-Challenge = 0xa92999be9652acdb
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
Code: 1
Id: 211
Length: 132
Vector: b3c92ab8d0c718d8e265b6301bae7a11
Data: 01 08 64 61 77 73 6f 6e
04 06 c6 52 a9 37
05 06 00 03 92 fa
50 12 14 e7 75 dc 18 fb bb d9 1c 70 79 88 22 6a 3a 22
1a 10 00 00 01 37 0b 0a a9 29 99 be 96 52 ac db
1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3e f6 54 05 da 92 2b be 8b 1f 37 ff 9b a6 34 58
91 7d 6b c4 2c f7 04 c3
rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=211,
length=127
Code: 2
Id: 211
Length: 127
Vector: ff52e972ccb4ee95c7b64719c2ea3986
Data: 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f
2d 31 2b 3d 22 52 26 44 22
12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74
69 74 69 6f 6e 2b 3d 22 52 6e 44 22
12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65
2b 3d 31 30 30
12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c
6c 2b 3d 22 74 6d 73 68 22
Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
Reply-Message = 'F5-LTM-User-Role+=100'
Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'
*sites-enabled/default*
authorize {
    filter_username
    preprocess
    auth_log
    update control {
        Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
    }
    -ldap
    pap
    mschap
    if (!(control:NT-Password) || control:Prohibited == TRUE) {
        update control {
            Auth-Type := Reject
        }
    }
    if (Ldap-Group != "%{control:Radius-Profile-DN}") {
        update control {
            Auth-Type := Reject
        }
    }
    else {
        update control {
            Auth-Type := Accept
        }
    }
}
authenticate {
    mschap
    pap
}
*mods-enabled/ldap*
update {
    control:Password-With-Header += 'userPassword'
    control:NT-Password := 'ntPassword'
    control:Prohibited := 'prohibited'
    control:Radius-Profile-DN := 'radiusProfileDn'
    reply:Reply-Message := 'radiusReplyMessage'
}
user {
    base_dn = "ou=People,${..base_dn}"
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
    scope = 'sub'
}
group {
    base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
    filter = "(objectClass=groupOfNames)"
    scope = 'base'
    name_attribute = cn
    membership_filter = "(member=%{control:Ldap-UserDn})"
}
*OpenLDAP*
# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entiries for the R&D group user accounts
member: uid=dawson,ou=People,ou=NIS,o=vt
radiusReplyMessage: F5-LTM-User-Info-1+="R&D"
radiusReplyMessage: F5-LTM-User-Partition+="RnD"
radiusReplyMessage: F5-LTM-User-Role+=100
radiusReplyMessage: F5-LTM-User-Shell+="tmsh"
objectClass: groupOfNames
objectClass: radiusprofile
# dawson, People, NIS, vt
dn: uid=dawson,ou=People,ou=NIS,o=vt
cn: Jacob M. Dawson
uid: dawson
sn: Dawson
givenName: Jacob
objectClass: inetOrgPerson
objectClass: nisUserAccount
objectClass: radiusprofile
prohibited: FALSE
radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
*F5 VSAs*
VENDOR          F5                              3375
BEGIN-VENDOR    F5
ATTRIBUTE       F5-LTM-User-Role                1       integer
ATTRIBUTE       F5-LTM-User-Role-Universal      2       integer  # enable/disable
ATTRIBUTE       F5-LTM-User-Partition           3       string
ATTRIBUTE       F5-LTM-User-Console             4       integer  # enable/disable
ATTRIBUTE       F5-LTM-User-Shell               5       string   # supported values are disable, tmsh, and bpsh
ATTRIBUTE       F5-LTM-User-Context-1           10      integer
ATTRIBUTE       F5-LTM-User-Context-2           11      integer
ATTRIBUTE       F5-LTM-User-Info-1              12      string
ATTRIBUTE       F5-LTM-User-Info-2              13      string
VALUE           F5-LTM-User-Role                Administrator   0
VALUE           F5-LTM-User-Role                Resource-Admin  20
VALUE           F5-LTM-User-Role                User-Manager    40
VALUE           F5-LTM-User-Role                Manager         100
VALUE           F5-LTM-User-Role                App-Editor      300
VALUE           F5-LTM-User-Role                Operator        400
VALUE           F5-LTM-User-Role                Guest           700
VALUE           F5-LTM-User-Role                Policy-Editor   800
VALUE           F5-LTM-User-Role                No-Access       900
VALUE           F5-LTM-User-Role-Universal      Disabled        0
VALUE           F5-LTM-User-Role-Universal      Enabled         1
VALUE           F5-LTM-User-Console             Disabled        0
VALUE           F5-LTM-User-Console             Enabled         1
END-VENDOR      F5
On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell <
a.cudbardb at freeradius.org> wrote:
>
> On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar at gmail.com>
> wrote:
>
> > Also, the update section under the ldap modules looks like this.
> >
> > update {
> > control:Password-With-Header += 'userPassword'
> > control:NT-Password := 'ntPassword'
> > control:Prohibited := 'prohibited'
> > control:Group-Membership := 'groupMembership'
> > reply:F5-LTM-User-Info-1 := 'userInfo'
> > reply:F5-LTM-User-Role := 'userRole'
> > reply:F5-LTM-User-Partition := 'userPartition'
> > reply:F5-LTM-User-Shell := 'userShell'
> > }
>
> Attributes are not retrieved for groups. You need to add profiles with the
> various reply attributes, and add that profile to the user.
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
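A quick way to check what the Access-Accept above really carries is to decode the "Data:" bytes that radclient printed. The following is an added example, not code from the post or from FreeRADIUS: it walks the RADIUS attribute TLVs, expands Vendor-Specific (type 26) attributes using the F5 dictionary posted above, and reports that the four values arrive as plain Reply-Message (type 18) strings rather than as F5 VSAs (vendor 3375). The Microsoft vendor-311 sub-dictionary (RFC 2548) is an assumption added so the MS-CHAP request decodes too.

```python
import struct

# Names for what the dumps contain: standard types (RFC 2865/2869), the F5 dictionary
# posted above (vendor 3375) and, assumed for the MS-CHAP request, Microsoft (vendor 311).
STD = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 18: "Reply-Message",
       80: "Message-Authenticator"}
F5 = {1: "F5-LTM-User-Role", 2: "F5-LTM-User-Role-Universal", 3: "F5-LTM-User-Partition",
      4: "F5-LTM-User-Console", 5: "F5-LTM-User-Shell", 10: "F5-LTM-User-Context-1",
      11: "F5-LTM-User-Context-2", 12: "F5-LTM-User-Info-1", 13: "F5-LTM-User-Info-2"}
VENDORS = {3375: ("F5", F5), 311: ("Microsoft", {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge"})}

def parse_attrs(data):
    """Return [(name, value_bytes)] for a RADIUS attribute section; type 26
    (Vendor-Specific) is expanded into its vendor sub-attributes."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        val = data[i + 2:i + alen]
        if atype == 26 and len(val) >= 6:
            vname, vdict = VENDORS.get(struct.unpack("!I", val[:4])[0], ("?", {}))
            j = 4
            while j + 2 <= len(val):                       # vendor sub-TLVs
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    raise ValueError("malformed VSA at offset %d" % i)
                out.append((vname + ":" + vdict.get(vtype, str(vtype)), val[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((STD.get(atype, str(atype)), val))
        i += alen
    return out

def f5_vsas(data):
    """Names of the F5 VSAs actually encoded in the packet (empty if none)."""
    return [n for n, _ in parse_attrs(data) if n.startswith("F5:")]

# "Data:" bytes copied from the radclient output in the post above.
ACCEPT = bytes.fromhex(
    "121b46352d4c544d2d557365722d496e666f2d312b3d2252264422"
    "121e46352d4c544d2d557365722d506172746974696f6e2b3d22526e4422"
    "121746352d4c544d2d557365722d526f6c652b3d313030"
    "121b46352d4c544d2d557365722d5368656c6c2b3d22746d736822")
REQUEST = bytes.fromhex(
    "0108646177736f6e0406c652a9370506000392fa"
    "501214e775dc18fbbbd91c707988226a3a22"
    "1a10000001370b0aa92999be9652acdb"
    "1a3a0000013701340001" + "00" * 24 + "3ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3")
```

`parse_attrs(REQUEST)` yields the MS-CHAP VSAs under vendor 311, while `f5_vsas(ACCEPT)` returns an empty list: the accept contains only four Reply-Message strings, which an F5 would not read as its VSAs.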