Issues with vendor 3375 (F5) and FreeRADIUS

Coy Hile (BLOOMBERG/ 919 3RD A) chile1 at bloomberg.net
Tue Nov 21 15:52:27 UTC 2023


Good morning,

We're running into issues with F5 devices and authorization against FreeRADIUS. Our network team have included the following dictionary (which is loaded via a $INCLUDE directive in /etc/raddb/dictionary):

VENDOR f5 3375
BEGIN-VENDOR f5

ATTRIBUTE F5-LTM-User-Role 1 integer
ATTRIBUTE F5-LTM-User-Role-Universal 2 integer # enable/disable
ATTRIBUTE F5-LTM-User-Partition 3 string
ATTRIBUTE F5-LTM-User-Console 4 integer # enable/disable
ATTRIBUTE F5-LTM-User-Shell 5 string # supported values are disable and tmsh
ATTRIBUTE F5-LTM-User-Context-1 10 integer
ATTRIBUTE F5-LTM-User-Context-2 11 integer
ATTRIBUTE F5-LTM-User-Info-1 12 string
ATTRIBUTE F5-LTM-User-Info-2 13 string
ATTRIBUTE F5-LTM-Audit-Msg 14 string
# F5OS vendor-specific-attributes
ATTRIBUTE F5-F5OS-UID 21 integer
ATTRIBUTE F5-F5OS-GID 22 integer
ATTRIBUTE F5-F5OS-HOMEDIR 23 string
ATTRIBUTE F5-F5OS-SHELL 24 string
ATTRIBUTE F5-F5OS-USERINFO 25 string

VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Resource-Admin 20
VALUE F5-LTM-User-Role User-Manager 40
VALUE F5-LTM-User-Role Auditor 80
VALUE F5-LTM-User-Role Manager 100
VALUE F5-LTM-User-Role App-Editor 300
VALUE F5-LTM-User-Role Advanced-Operator 350
VALUE F5-LTM-User-Role Operator 400
VALUE F5-LTM-User-Role Firewall-Manager 450
VALUE F5-LTM-User-Role Fraud-Protection-Manager 480
VALUE F5-LTM-User-Role Certificate-Manager 500
VALUE F5-LTM-User-Role IRule-Manager 510
VALUE F5-LTM-User-Role Guest 700
VALUE F5-LTM-User-Role Web-Application-Security-Administrator 800
VALUE F5-LTM-User-Role Web-Application-Security-Editor 810
VALUE F5-LTM-User-Role Web-Application-Security-Operation-Administrator 820
VALUE F5-LTM-User-Role Acceleration-Policy-Editor 850
VALUE F5-LTM-User-Role No-Access 900
VALUE F5-LTM-User-Role-Universal Disabled 0
VALUE F5-LTM-User-Role-Universal Enabled 1
VALUE F5-LTM-User-Console Disabled 0
VALUE F5-LTM-User-Console Enabled 1

END-VENDOR f5

Further, Shane has configured the server to return the following VSAs for a superuser:

Tue Nov 14 13:51:39 2023
Packet-Type = Access-Accept
F5-LTM-User-Role = Administrator
F5-F5OS-GID = 9000
F5-F5OS-UID = 1001
Timestamp = 1699987899


However, tcpdump shows the following:

radcas-rr-641 /root # tcpdump -i bond0 -n -vvv host 10.91.250.120
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:51:39.232624 IP (tos 0x0, ttl 55, id 19394, offset 0, flags [DF], proto UDP (17), length 115)
10.91.250.120.54996 > 10.124.134.47.radius-new: [udp sum ok] RADIUS, length: 87
Access-Request (1), id: 0x1f, Authenticator: 314fd8be32430e77a584870ba696ba64
User-Name Attribute (1), length: 10, Value: sedelman
0x0000: 7365 6465 6c6d 616e
User-Password Attribute (2), length: 18, Value:
0x0000: 612c f40e 6250 6c36 fd6e ca89 0853 028f
NAS-IP-Address Attribute (4), length: 6, Value: 100.65.6.2
0x0000: 6441 0602
NAS-Identifier Attribute (32), length: 15, Value: password-auth
0x0000: 7061 7373 776f 7264 2d61 7574 68
NAS-Port Attribute (5), length: 6, Value: 7692
0x0000: 0000 1e0c
NAS-Port-Type Attribute (61), length: 6, Value: Virtual
0x0000: 0000 0005
Service-Type Attribute (6), length: 6, Value: Authenticate Only
0x0000: 0000 0008
13:51:39.278923 IP (tos 0x0, ttl 64, id 21787, offset 0, flags [none], proto UDP (17), length 84)
10.124.134.47.radius-new > 10.91.250.120.54996: [bad udp cksum 0x95d0 -> 0x3ad8!] RADIUS, length: 56
Access-Accept (2), id: 0x1f, Authenticator: 61df1ce227ff006987a4d9f0506a2cd9
Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (3375)
Vendor Attribute: 1, Length: 4, Value: ....
0x0000: 0000 0d2f 0106 0000 0000
Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (3375)
Vendor Attribute: 22, Length: 4, Value: ..#(
0x0000: 0000 0d2f 1606 0000 2328
Vendor-Specific Attribute (26), length: 12, Value: Vendor: Unknown (3375)
Vendor Attribute: 21, Length: 4, Value: ....
0x0000: 0000 0d2f 1506 0000 03e9

Why is the vendor showing up as "Unknown (3375)" when 3375 is the vendor ID for F5? The attributes that FreeRADIUS says it's sending back actually match the vendor attributes, but they're all jumbled.

-c
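The three VSAs in the Access-Accept captured above, decoded against the F5 dictionary from the post. This is an added example, not code from the original message or from FreeRADIUS or tcpdump. The 36 attribute bytes are the hex dumps tcpdump printed; the 20-byte RADIUS header (code 2, id 0x1f, length 56, the response authenticator) and the request authenticator are reconstructed from the fields tcpdump printed, so the packet is labelled constructed. The shared secret is a placeholder, since the real one is not on the page.

```python
"""Decode F5 (vendor 3375) VSAs from a RADIUS Access-Accept, RFC 2865 wire format."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26        # RFC 2865 attribute type for Vendor-Specific
F5_VENDOR_ID = 3375         # "VENDOR f5 3375" in the posted dictionary

# Transcribed from the posted dictionary: vendor attribute number -> (name, type).
F5_ATTRS = {
    1: ("F5-LTM-User-Role", "integer"), 2: ("F5-LTM-User-Role-Universal", "integer"),
    3: ("F5-LTM-User-Partition", "string"), 4: ("F5-LTM-User-Console", "integer"),
    5: ("F5-LTM-User-Shell", "string"), 10: ("F5-LTM-User-Context-1", "integer"),
    11: ("F5-LTM-User-Context-2", "integer"), 12: ("F5-LTM-User-Info-1", "string"),
    13: ("F5-LTM-User-Info-2", "string"), 14: ("F5-LTM-Audit-Msg", "string"),
    21: ("F5-F5OS-UID", "integer"), 22: ("F5-F5OS-GID", "integer"),
    23: ("F5-F5OS-HOMEDIR", "string"), 24: ("F5-F5OS-SHELL", "string"),
    25: ("F5-F5OS-USERINFO", "string"),
}
# VALUE lines from the posted dictionary.
F5_VALUES = {
    "F5-LTM-User-Role": {
        0: "Administrator", 20: "Resource-Admin", 40: "User-Manager", 80: "Auditor",
        100: "Manager", 300: "App-Editor", 350: "Advanced-Operator", 400: "Operator",
        450: "Firewall-Manager", 480: "Fraud-Protection-Manager", 500: "Certificate-Manager",
        510: "IRule-Manager", 700: "Guest", 800: "Web-Application-Security-Administrator",
        810: "Web-Application-Security-Editor",
        820: "Web-Application-Security-Operation-Administrator",
        850: "Acceleration-Policy-Editor", 900: "No-Access",
    },
    "F5-LTM-User-Role-Universal": {0: "Disabled", 1: "Enabled"},
    "F5-LTM-User-Console": {0: "Disabled", 1: "Enabled"},
}

# Constructed from the capture in the post: header fields as tcpdump printed them,
# attribute bytes copied from the three "0x0000:" hex lines.
CAPTURED_ACCEPT = bytes.fromhex(
    "021f0038" "61df1ce227ff006987a4d9f0506a2cd9"   # code, id, length=56, ResponseAuth
    "1a0c" "00000d2f010600000000"                   # VSA: vendor 3375, attr 1, len 6, 0
    "1a0c" "00000d2f160600002328"                   # VSA: vendor 3375, attr 22, 0x2328
    "1a0c" "00000d2f1506000003e9"                   # VSA: vendor 3375, attr 21, 0x03e9
)
REQUEST_AUTHENTICATOR = bytes.fromhex("314fd8be32430e77a584870ba696ba64")  # from the capture


def parse_radius(pkt: bytes):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"length field {length} != {len(pkt)} bytes on the wire")
    attrs, off = [], 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:           # RFC 2865: length covers type+len+value
            raise ValueError(f"bad attribute length {l} at offset {off}")
        attrs.append((t, pkt[off + 2:off + l]))
        off += l
    return code, ident, pkt[4:20], attrs


def decode_vsa(value: bytes):
    """Vendor-Specific value -> (vendor_id, vendor_type, vendor_data), RFC 2865 s5.26."""
    if len(value) < 6:
        raise ValueError("VSA too short for vendor id + type + length")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen != len(value) - 4:                  # vendor-length covers type+len+data
        raise ValueError(f"vendor length {vlen} inconsistent with {len(value) - 4}")
    return vendor_id, vtype, value[6:]


def decode_f5_attribute(vtype: int, data: bytes):
    """Apply the F5 dictionary: integers are 4-byte big-endian, VALUE names if known."""
    name, kind = F5_ATTRS.get(vtype, (f"F5-Attr-{vtype}", "octets"))
    if kind == "integer":
        if len(data) != 4:
            raise ValueError(f"{name}: integer attribute with {len(data)} bytes")
        n = struct.unpack("!I", data)[0]
        return name, F5_VALUES.get(name, {}).get(n, n)
    if kind == "string":
        return name, data.decode("utf-8", errors="replace")
    return name, data.hex()


def decode_access_accept(pkt: bytes) -> dict:
    """Return {attribute-name: decoded value} for every VSA in an Access-Accept."""
    code, _ident, _auth, attrs = parse_radius(pkt)
    if code != ACCESS_ACCEPT:
        raise ValueError(f"expected Access-Accept (2), got code {code}")
    out = {}
    for t, value in attrs:
        if t != VENDOR_SPECIFIC:
            continue                            # plain attributes are not the question here
        vendor, vtype, data = decode_vsa(value)
        if vendor != F5_VENDOR_ID:
            out[f"Vendor-{vendor}-Attr-{vtype}"] = data.hex()
            continue
        name, val = decode_f5_attribute(vtype, data)
        out[name] = val
    return out


def response_authenticator_ok(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


if __name__ == "__main__":
    for name, val in decode_access_accept(CAPTURED_ACCEPT).items():
        print(f"{name} = {val}")
    # Placeholder secret; the real shared secret is not in the post.
    print("authenticator ok:", response_authenticator_ok(
        CAPTURED_ACCEPT, REQUEST_AUTHENTICATOR, b"placeholder-secret"))
```

Run against the captured bytes, this yields F5-LTM-User-Role = Administrator, F5-F5OS-GID = 9000 and F5-F5OS-UID = 1001, the same three values the server logged. Each VSA carries the vendor id 0x00000d2f (3375) in its first four bytes exactly as RFC 2865 specifies, so the "Unknown (3375)" label is only tcpdump's name lookup failing for a vendor it has no entry for; the on-wire encoding is intact. With the real shared secret, `response_authenticator_ok` also lets you confirm that the Access-Accept in the capture was produced for that specific Access-Request by a server holding the secret.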



