FreeRADIUS, OpenLDAP and F5 VSAs
Ajinkya Fotedar
ajinkyafotedar at gmail.com
Tue May 20 18:07:58 CEST 2014
I am particularly concerned about the F5-LTM-User-Role attribute, since it's an
integer. I want to provide Manager (100) access to this user account, as
defined in the F5 dictionary. Have I defined this attribute right in
OpenLDAP? I would really appreciate it if you could throw some light on that,
and on the rest of the attributes.
Thank you.
On Tue, May 20, 2014 at 11:59 AM, Ajinkya Fotedar
<ajinkyafotedar at gmail.com> wrote:
> Hi Arran,
>
> Thank you so much for the reply. I have made the above changes and I can
> see the attributes in the reply message (Access-accept packet).
> Although, I am not sure if this is what it should look like. I have not
> tested it with F5 but just want to make sure that I am heading in the right
> direction.
> Below is the debug and some configurations from FreeRADIUS and OpenLDAP.
>
> Please let me know your thoughts.
>
> Thank you.
>
>
>
> *RADIUS debug*
>
>
> rad_recv: Access-Request packet from host 198.82.169.55 port 50524,
> id=211, length=132
>
> User-Name = 'dawson'
>
> NAS-IP-Address = 198.82.169.55
>
> NAS-Port = 234234
>
> Message-Authenticator = 0x14e775dc18fbbbd91c707988226a3a22
>
> MS-CHAP-Challenge = 0xa92999be9652acdb
>
> MS-CHAP-Response =
> 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
>
> (0) # Executing section authorize from file
> /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
>
> (0) authorize {
>
> (0) filter_username filter_username {
>
> (0) ? if (User-Name != "%{tolower:%{User-Name}}")
>
> (0) expand: "%{tolower:%{User-Name}}" -> 'dawson'
>
> (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
>
> (0) ? if (User-Name =~ / /)
>
> (0) ? if (User-Name =~ / /) -> FALSE
>
> (0) ? if (User-Name =~ /@.*@/ )
>
> (0) ? if (User-Name =~ /@.*@/ ) -> FALSE
>
> (0) ? if (User-Name =~ /\\.\\./ )
>
> (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
>
> (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
>
> (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
>
> (0) ? if (User-Name =~ /\\.$/)
>
> (0) ? if (User-Name =~ /\\.$/) -> FALSE
>
> (0) ? if (User-Name =~ /@\\./)
>
> (0) ? if (User-Name =~ /@\\./) -> FALSE
>
> (0) } # filter_username filter_username = notfound
>
> (0) [preprocess] = ok
>
> (0) auth_log : expand:
> "/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> -> '/apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/
> 198.82.169.55/auth-detail-20140520'
>
> (0) auth_log :
> /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to
> /apps/home/radius/freeradius/load-balancing/var/log/radius/radacct/
> 198.82.169.55/auth-detail-20140520
>
> (0) auth_log : expand: "%t" -> 'Tue May 20 11:37:46 2014'
>
> (0) [auth_log] = ok
>
> (0) update control {
>
> (0) expand: "uid=%{User-Name},ou=People,ou=NIS,o=vt" ->
> 'uid=dawson,ou=People,ou=NIS,o=vt'
>
> (0) Ldap-UserDn := "uid=dawson,ou=People,ou=NIS,o=vt"
>
> (0) } # update control = noop
>
> rlm_ldap (ldap): Reserved connection (4)
>
> (0) ldap : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))" ->
> '(&(uid=dawson))'
>
> (0) ldap : expand: "ou=People,ou=NIS,o=vt" -> 'ou=People,ou=NIS,o=vt'
>
> (0) ldap : Performing search in 'ou=People,ou=NIS,o=vt' with filter
> '(&(uid=dawson))'
>
> (0) ldap : Waiting for search result...
>
> (0) ldap : User object found at DN "uid=dawson,ou=People,ou=NIS,o=vt"
>
> (0) ldap : expand: "(&)" -> '(&)'
>
> (0) ldap : Performing search in
> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter '(&)'
>
> (0) ldap : Waiting for search result...
>
> (0) ldap : Processing profile attributes
>
> (0) ldap : reply:Reply-Message := 'F5-LTM-User-Info-1+=\"R&D\"'
>
> (0) ldap : reply:Reply-Message := 'F5-LTM-User-Partition+=\"RnD\"'
>
> (0) ldap : reply:Reply-Message := 'F5-LTM-User-Role+=100'
>
> (0) ldap : reply:Reply-Message := 'F5-LTM-User-Shell+=\"tmsh\"'
>
> (0) ldap : Processing user attributes
>
> (0) ldap : control:Password-With-Header +=
> '{nt}D3055AE4C0D68D8BA71C538D1518B5CD'
>
> (0) ldap : control:Password-With-Header +=
> '{SSHA}omkfyFmnMrEq1jWG9T86Gh+XlpR87z11'
>
> (0) ldap : control:Prohibited := FALSE
>
> (0) ldap : control:Radius-Profile-DN :=
> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
>
> rlm_ldap (ldap): Released connection (4)
>
> (0) [-ldap] = ok
>
> (0) pap : Normalizing NT-Password from hex encoding
>
> (0) pap : Normalizing SSHA1-Password from base64 encoding
>
> (0) pap : No clear-text password in the request. Not performing PAP.
>
> (0) [pap] = noop
>
> (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
>
> (0) [mschap] = ok
>
> (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE)
>
> (0) ? if (!(control:NT-Password) || control:Prohibited == TRUE) -> FALSE
>
> (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}")
>
> (0) expand: "%{control:Radius-Profile-DN}" ->
> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt'
>
> (0) Searching for user in group
> "cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt"
>
> rlm_ldap (ldap): Reserved connection (4)
>
> (0) Using user DN from request "uid=dawson,ou=People,ou=NIS,o=vt"
>
> (0) Checking for user in group objects
>
> (0) expand:
> "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))" ->
> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
>
> (0) Performing search in
> 'cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt' with filter
> '(&(objectClass=groupOfNames)(member=uid\3ddawson\2cou\3dPeople\2cou\3dNIS\2co\3dvt))'
>
> (0) Waiting for search result...
>
> (0) User found in group object
>
> rlm_ldap (ldap): Released connection (4)
>
> (0) ? if (Ldap-Group != "%{control:Radius-Profile-DN}") -> FALSE
>
> (0) else else {
>
> (0) update control {
>
> (0) Auth-Type := Accept
>
> (0) } # update control = noop
>
> (0) } # else else = noop
>
> (0) ? if ("%{reply:F5-LTM-User-Info-1}")
>
> (0) expand: "%{reply:F5-LTM-User-Info-1}" -> ''
>
> (0) ? if ("%{reply:F5-LTM-User-Info-1}") -> FALSE
>
> (0) } # authorize = ok
>
> (0) Found Auth-Type = Accept
>
> (0) Auth-Type = Accept, accepting the user
>
> *(0) WARNING: Empty post-auth section. Using default return values.*
>
> (0) # Executing section post-auth from file
> /apps/home/radius/freeradius/load-balancing/etc/raddb/sites-enabled/default
>
> Sending Access-Accept of id 211 from 198.82.169.55 port 1830 to
> 198.82.169.55 port 50524
>
> Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
>
> Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
>
> Reply-Message = 'F5-LTM-User-Role+=100'
>
> Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'
>
> (0) Finished request 0.
>
> Waking up in 0.3 seconds.
>
> Waking up in 4.6 seconds.
>
> (0) Cleaning up request packet ID 211 with timestamp +2
>
> *Ready to process requests.*
>
>
>
>
> *radtest*
>
>
> $ radtest -t mschap -x dawson wakkawakka 198.82.169.55:1830 234234
> testing123
>
> /apps/radius/freeradius-3.0.1/bin/radclient:
> /usr/local/samba/lib/libtalloc.so.2: no version information available
> (required by /apps/radius/freeradius-3.0.1/bin/radclient)
>
> /apps/radius/freeradius-3.0.1/bin/radclient:
> /usr/local/samba/lib/libtalloc.so.2: no version information available
> (required by /apps/radius/freeradius-3.0.1/lib/libfreeradius-radius.so)
>
> Sending Access-Request of id 211 from 0.0.0.0 port 50524 to 198.82.169.55
> port 1830
>
> User-Name = 'dawson'
>
> NAS-IP-Address = 198.82.169.55
>
> NAS-Port = 234234
>
> Message-Authenticator = 0x00
>
> MS-CHAP-Challenge = 0xa92999be9652acdb
>
> MS-CHAP-Response =
> 0x00010000000000000000000000000000000000000000000000003ef65405da922bbe8b1f37ff9ba63458917d6bc42cf704c3
>
> Code: 1
>
> Id: 211
>
> Length: 132
>
> Vector: b3c92ab8d0c718d8e265b6301bae7a11
>
> Data: 01 08 64 61 77 73 6f 6e
>
> 04 06 c6 52 a9 37
>
> 05 06 00 03 92 fa
>
> 50 12 14 e7 75 dc 18 fb bb d9 1c 70 79 88 22 6a 3a 22
>
> 1a 10 00 00 01 37 0b 0a a9 29 99 be 96 52 ac db
>
> 1a 3a 00 00 01 37 01 34 00 01 00 00 00 00 00 00 00 00
>
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> 3e f6 54 05 da 92 2b be 8b 1f 37 ff 9b a6 34 58
>
> 91 7d 6b c4 2c f7 04 c3
>
> rad_recv: Access-Accept packet from host 198.82.169.55 port 1830, id=211,
> length=127
>
> Code: 2
>
> Id: 211
>
> Length: 127
>
> Vector: ff52e972ccb4ee95c7b64719c2ea3986
>
> Data: 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f
>
> 2d 31 2b 3d 22 52 26 44 22
>
> 12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74
>
> 69 74 69 6f 6e 2b 3d 22 52 6e 44 22
>
> 12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65
>
> 2b 3d 31 30 30
>
> 12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c
>
> 6c 2b 3d 22 74 6d 73 68 22
>
> Reply-Message = 'F5-LTM-User-Info-1+=\"R&D\"'
>
> Reply-Message = 'F5-LTM-User-Partition+=\"RnD\"'
>
> Reply-Message = 'F5-LTM-User-Role+=100'
>
> Reply-Message = 'F5-LTM-User-Shell+=\"tmsh\"'
>
>
>
>
> *sites-enabled/default*
>
> authorize {
>     filter_username
>     preprocess
>     auth_log
>
>     update control {
>         Ldap-UserDn := "uid=%{User-Name},ou=People,ou=NIS,o=vt"
>     }
>
>     -ldap
>     pap
>     mschap
>
>     if (!(control:NT-Password) || control:Prohibited == TRUE) {
>         update control {
>             Auth-Type := Reject
>         }
>     }
>
>     if (Ldap-Group != "%{control:Radius-Profile-DN}") {
>         update control {
>             Auth-Type := Reject
>         }
>     }
>     else {
>         update control {
>             Auth-Type := Accept
>         }
>     }
> }
>
> authenticate {
>     mschap
>     pap
> }
>
>
>
>
> *mods-enabled/ldap*
>
> update {
>     control:Password-With-Header += 'userPassword'
>     control:NT-Password := 'ntPassword'
>     control:Prohibited := 'prohibited'
>     control:Radius-Profile-DN := 'radiusProfileDn'
>     reply:Reply-Message := 'radiusReplyMessage'
> }
>
> user {
>     base_dn = "ou=People,${..base_dn}"
>     filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>     scope = 'sub'
> }
>
> group {
>     base_dn = "ou=Groups,ou=F5,ou=Configuration,${..base_dn}"
>     filter = "(objectClass=groupOfNames)"
>     scope = 'base'
>     name_attribute = cn
>     membership_filter = "(member=%{control:Ldap-UserDn})"
> }
>
>
>
>
> *OpenLDAP*
>
> # R&D, Groups, F5, Configuration, NIS, vt
> dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
> cn: R&D
> description: Entries for the R&D group user accounts
> member: uid=dawson,ou=People,ou=NIS,o=vt
> radiusReplyMessage: F5-LTM-User-Info-1+="R&D"
> radiusReplyMessage: F5-LTM-User-Partition+="RnD"
> radiusReplyMessage: F5-LTM-User-Role+=100
> radiusReplyMessage: F5-LTM-User-Shell+="tmsh"
> objectClass: groupOfNames
> objectClass: radiusprofile
>
> # dawson, People, NIS, vt
> dn: uid=dawson,ou=People,ou=NIS,o=vt
> cn: Jacob M. Dawson
> uid: dawson
> sn: Dawson
> givenName: Jacob
> objectClass: inetOrgPerson
> objectClass: nisUserAccount
> objectClass: radiusprofile
> prohibited: FALSE
> radiusProfileDn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
>
>
>
>
> *F5 VSAs*
>
> VENDOR          F5                              3375
> BEGIN-VENDOR    F5
>
> ATTRIBUTE       F5-LTM-User-Role                1       integer
> ATTRIBUTE       F5-LTM-User-Role-Universal      2       integer # enable/disable
> ATTRIBUTE       F5-LTM-User-Partition           3       string
> ATTRIBUTE       F5-LTM-User-Console             4       integer # enable/disable
> ATTRIBUTE       F5-LTM-User-Shell               5       string  # supported values are disable, tmsh, and bpsh
> ATTRIBUTE       F5-LTM-User-Context-1           10      integer
> ATTRIBUTE       F5-LTM-User-Context-2           11      integer
> ATTRIBUTE       F5-LTM-User-Info-1              12      string
> ATTRIBUTE       F5-LTM-User-Info-2              13      string
>
> VALUE   F5-LTM-User-Role        Administrator   0
> VALUE   F5-LTM-User-Role        Resource-Admin  20
> VALUE   F5-LTM-User-Role        User-Manager    40
> VALUE   F5-LTM-User-Role        Manager         100
> VALUE   F5-LTM-User-Role        App-Editor      300
> VALUE   F5-LTM-User-Role        Operator        400
> VALUE   F5-LTM-User-Role        Guest           700
> VALUE   F5-LTM-User-Role        Policy-Editor   800
> VALUE   F5-LTM-User-Role        No-Access       900
>
> VALUE   F5-LTM-User-Role-Universal      Disabled        0
> VALUE   F5-LTM-User-Role-Universal      Enabled         1
>
> VALUE   F5-LTM-User-Console     Disabled        0
> VALUE   F5-LTM-User-Console     Enabled         1
>
> END-VENDOR      F5
>
>
>
> On Mon, May 19, 2014 at 4:26 PM, Arran Cudbard-Bell <
> a.cudbardb at freeradius.org> wrote:
>
>>
>> On 19 May 2014, at 20:36, Ajinkya Fotedar <ajinkyafotedar at gmail.com>
>> wrote:
>>
>> > Also, the update section under the ldap modules looks like this.
>> >
>> > update {
>> > control:Password-With-Header += 'userPassword'
>> > control:NT-Password := 'ntPassword'
>> > control:Prohibited := 'prohibited'
>> > control:Group-Membership := 'groupMembership'
>> > reply:F5-LTM-User-Info-1 := 'userInfo'
>> > reply:F5-LTM-User-Role := 'userRole'
>> > reply:F5-LTM-User-Partition := 'userPartition'
>> > reply:F5-LTM-User-Shell := 'userShell'
>> > }
>>
>> Attributes are not retrieved for groups. You need to add profiles with
>> the various reply attributes, and add that profile to the user.
>>
>> -Arran
>>
>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>> FreeRADIUS Development Team
>>
>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
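An added check, not code from this thread, from FreeRADIUS or from F5: in the radclient hex dump quoted above every attribute of the Access-Accept starts with 0x12 (Reply-Message, type 18) and none with 0x1a (Vendor-Specific, type 26, which would carry vendor id 3375), which is what the mapping reply:Reply-Message := 'radiusReplyMessage' in mods-enabled/ldap produces. The F5 device therefore receives four literal strings such as 'F5-LTM-User-Role+=100' and no role attribute at all, so the intended Manager (100) access is not actually being granted by the reply. The Python script below parses the attribute bytes of that dump (transcribed here as sample input, 20-byte RADIUS header omitted), reports what the NAS really sees, and builds the Vendor-Specific attribute that an integer F5-LTM-User-Role of 100 looks like on the wire, using only the vendor id, attribute numbers and types from the dictionary quoted above. The function names and the shape of the audit report are my own construction.

```python
"""Audit a RADIUS Access-Accept for F5 vendor-specific attributes.

Added example (not part of the mailing-list thread): checks whether the reply
carries RFC 2865 Vendor-Specific (type 26) attributes for vendor 3375 (F5) or
only Reply-Message (type 18) strings, and encodes the VSA that a correctly
mapped F5-LTM-User-Role = 100 would produce.
"""
import struct

VENDOR_SPECIFIC = 26
REPLY_MESSAGE = 18
F5_VENDOR_ID = 3375  # VENDOR line of the F5 dictionary quoted in the thread

# Vendor attribute numbers and types, copied from the quoted F5 dictionary.
F5_DICT = {
    1: ("F5-LTM-User-Role", "integer"),
    2: ("F5-LTM-User-Role-Universal", "integer"),
    3: ("F5-LTM-User-Partition", "string"),
    4: ("F5-LTM-User-Console", "integer"),
    5: ("F5-LTM-User-Shell", "string"),
    10: ("F5-LTM-User-Context-1", "integer"),
    11: ("F5-LTM-User-Context-2", "integer"),
    12: ("F5-LTM-User-Info-1", "string"),
    13: ("F5-LTM-User-Info-2", "string"),
}
F5_ROLES = {0: "Administrator", 20: "Resource-Admin", 40: "User-Manager",
            100: "Manager", 300: "App-Editor", 400: "Operator",
            700: "Guest", 800: "Policy-Editor", 900: "No-Access"}

# Sample input: the attribute bytes of the Access-Accept printed by radclient
# in the thread (the 20-byte code/id/length/authenticator header is omitted).
ACCESS_ACCEPT_ATTRS = bytes.fromhex(
    "12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 49 6e 66 6f 2d 31 2b 3d 22 52 26 44 22 "
    "12 1e 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 50 61 72 74 69 74 69 6f 6e 2b 3d 22 52 6e 44 22 "
    "12 17 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 52 6f 6c 65 2b 3d 31 30 30 "
    "12 1b 46 35 2d 4c 54 4d 2d 55 73 65 72 2d 53 68 65 6c 6c 2b 3d 22 74 6d 73 68 22"
)


def parse_attributes(data):
    """Split a type/length/value attribute section into (type, value) pairs.

    Malformed lengths raise instead of letting the parser desynchronise.
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad length %d for attribute %d at offset %d" % (alen, atype, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def decode_f5_vsa(value):
    """Decode one Vendor-Specific value; returns [] unless the vendor is F5."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the 4-byte vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id != F5_VENDOR_ID:
        return []
    decoded = []
    # F5 sub-attributes use the same vendor-type/vendor-length/value layout.
    for vtype, vvalue in parse_attributes(value[4:]):
        name, kind = F5_DICT.get(vtype, ("F5-Unknown-%d" % vtype, "string"))
        if kind == "integer" and len(vvalue) == 4:
            decoded.append((name, struct.unpack("!I", vvalue)[0]))
        else:
            decoded.append((name, vvalue.decode("ascii", "replace")))
    return decoded


def audit_reply(attr_bytes):
    """Summarise what the NAS (here the F5 LTM) actually receives."""
    report = {"reply_messages": [], "f5_vsas": []}
    for atype, value in parse_attributes(attr_bytes):
        if atype == REPLY_MESSAGE:
            report["reply_messages"].append(value.decode("ascii", "replace"))
        elif atype == VENDOR_SPECIFIC:
            report["f5_vsas"].extend(decode_f5_vsa(value))
    return report


def encode_f5_vsa(vtype, value):
    """Build the RFC 2865 Vendor-Specific attribute for one F5 sub-attribute."""
    name, kind = F5_DICT[vtype]
    payload = struct.pack("!I", value) if kind == "integer" else value.encode("ascii")
    sub = bytes([vtype, 2 + len(payload)]) + payload
    body = struct.pack("!I", F5_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


if __name__ == "__main__":
    seen = audit_reply(ACCESS_ACCEPT_ATTRS)
    print("Reply-Message strings:", seen["reply_messages"])
    print("F5 VSAs decoded      :", seen["f5_vsas"])  # empty: no role reached the NAS
    expected = encode_f5_vsa(1, 100)                   # F5-LTM-User-Role = Manager
    print("Expected VSA bytes   :", expected.hex(" "))
    for name, val in audit_reply(expected)["f5_vsas"]:
        print("Decoded              :", name, "=", val, "(%s)" % F5_ROLES.get(val, "?"))
```

Run as-is it prints the four Reply-Message strings from the dump, an empty VSA list, and the 12-byte encoding 1a 0c 00 00 0d 2f 01 06 00 00 00 64 for the Manager role; pasting a different radclient attribute dump into ACCESS_ACCEPT_ATTRS is a quick way to confirm, after any profile or mapping change, that the role really leaves the server as a vendor attribute and not as text.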