
Please, can anybody give me a hint on how to get vendor-specific attributes from LDAP and send them to the NAS? My FreeRADIUS version is 2.1.7-7.el5.

When I authenticate against the users file, everything works well.

rad_recv: Access-Request packet from host port 60528, id=101, length=73
User-Name = "rad-oper"
User-Password = "rad-oper"
NAS-Identifier = "ar-srx100-default"
NAS-IP-Address =
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "rad-oper", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry rad-oper at line 53
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "rad-oper"
[pap] Using clear text password "rad-oper"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 101 to port 60528
Juniper-Local-User-Name := "class2"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 101 with timestamp +302
Ready to process requests.

As you can see, I need to send the Vendor Specific Attribute Juniper-Local-User-Name := "class2", which is associated with a group of available commands on the device.

On OpenLDAP I edited the schema and added

# The OID (required before NAME) was not shown in the post. The SYNTAX line
# and the closing parenthesis are reconstructed: caseExactIA5Match is
# defined on the IA5 String syntax, so that is the syntax given here.
attributetype ( NAME 'radiusJuniperLocalUserName'
    DESC 'Juniper Auth Class'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# OID not shown in the post either.
objectclass ( NAME 'radiusprofile'
    DESC 'Abstraction of an account with RADIUS attributes'
    MAY radiusJuniperLocalUserName )

Then I've added these items to my test user "pech".

On freeradius server I've edited:

1. ldap.attrmap
checkItem Juniper-Local-User-Name radiusJuniperLocalUserName
replyItem Juniper-Local-User-Name radiusJuniperLocalUserName

2. modules/ldap
ldap {
    # Note that this needs to match the name in the LDAP
    # server certificate, if you're using ldaps.
    server = "10.10.x.y"
    identity = "cn=sa,dc=viphone,dc=eu"
    password = testtest
    basedn = "dc=viphone,dc=eu"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    #base_filter = "(objectclass=radiusprofile)"
    # (further settings omitted in the post)
}

Now, when I try to authenticate the LDAP user "pech", I get:

rad_recv: Access-Request packet from host port 60647, id=85, length=69
User-Name = "pech"
User-Password = "securepassword"
NAS-Identifier = "ar-srx100-default"
NAS-IP-Address =
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pech", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "securepassword"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 85 to port 60647
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 85 with timestamp +17
Ready to process requests.

So the user is authenticated, but no Juniper-Local-User-Name attribute has been sent.

Thank you very much for your help.
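A small checker for the kind of `radiusd -X` traces quoted in the post above, as an added example that is not part of the original post or of FreeRADIUS. It summarises which modules logged a `returns` line in each section, which Auth-Type was chosen and which attributes went back in the Access-Accept, and `modules_not_run` lists modules you expected to see in `authorize` (here `ldap`) that never logged anything. The two traces embedded below are abridged from the post's own output; the regexes assume the 2.x debug line format shown there.

```python
"""Summarise a FreeRADIUS 2.x ``radiusd -X`` trace: modules run per section,
the Auth-Type chosen, and attributes returned to the NAS. Added example."""
import re
from dataclasses import dataclass, field

# Line shapes taken from the 2.x debug output quoted in the post.
GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\+\+\[([^\]]+)\] returns (\w+)$")
AUTHTYPE_RE = re.compile(r"^Found Auth-Type = (\S+)$")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id \d+")
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*(:?=)\s*(.*)$")


@dataclass
class RequestSummary:
    request_attrs: dict = field(default_factory=dict)
    modules: dict = field(default_factory=dict)   # section -> [(module, rcode)]
    auth_type: str = ""
    reply_code: str = ""
    reply_attrs: dict = field(default_factory=dict)


def parse_trace(text):
    """Parse one request's worth of radiusd -X output into a RequestSummary."""
    s, phase, section = RequestSummary(), None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("rad_recv:"):          # request packet dump follows
            phase = "request"
        elif GROUP_RE.match(line):                # authorize / PAP / post-auth
            phase, section = "section", GROUP_RE.match(line).group(1)
            s.modules.setdefault(section, [])
        elif SEND_RE.match(line):                 # reply attributes follow
            phase, s.reply_code = "reply", SEND_RE.match(line).group(1)
        elif line.startswith("Finished request"):
            phase = None
        elif phase in ("request", "reply"):
            m = ATTR_RE.match(line)
            if m:
                target = s.request_attrs if phase == "request" else s.reply_attrs
                target[m.group(1)] = m.group(3).strip('"')
        elif phase == "section":
            m = MODULE_RE.match(line)
            if m:
                s.modules[section].append((m.group(1), m.group(2)))
            m = AUTHTYPE_RE.match(line)
            if m:
                s.auth_type = m.group(1)
    return s


def modules_not_run(summary, expected, section="authorize"):
    """Names from `expected` that never logged a 'returns' line in `section`."""
    ran = {mod for mod, _ in summary.modules.get(section, [])}
    return [mod for mod in expected if mod not in ran]


# Constructed sample input: abridged from the two traces in the post.
FILES_TRACE = """\
rad_recv: Access-Request packet from host port 60528, id=101, length=73
        User-Name = "rad-oper"
+- entering group authorize {...}
++[preprocess] returns ok
++[unix] returns notfound
++[files] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
++[pap] returns ok
Sending Access-Accept of id 101 to port 60528
        Juniper-Local-User-Name := "class2"
Finished request 0.
"""

LDAP_TRACE = """\
rad_recv: Access-Request packet from host port 60647, id=85, length=69
        User-Name = "pech"
+- entering group authorize {...}
++[preprocess] returns ok
++[unix] returns updated
++[files] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
++[pap] returns ok
Sending Access-Accept of id 85 to port 60647
Finished request 0.
"""

if __name__ == "__main__":
    for name, trace in (("users file", FILES_TRACE), ("ldap user", LDAP_TRACE)):
        s = parse_trace(trace)
        print(name, s.request_attrs, s.modules["authorize"], s.auth_type,
              s.reply_code, s.reply_attrs, "not run:", modules_not_run(s, ["ldap"]))
```

Feed it a full `radiusd -X` capture one request at a time; the point of `modules_not_run` is to confirm that a module you configured under `modules/` actually produced a `++[name] returns ...` line in the section you expected it in, which is the first thing to check when a reply attribute is missing.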

