Re: Problem with F5 BigIP accounting : hexadecimal attribute

> NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]

Did you add your F5 IP address to the NAS table?

Regards
Suman

On Mon, Oct 17, 2011 at 4:56 PM, Vincent, Fabien <fabien.vinc...@coreye.fr> wrote:
> Dear all,
>
> I'm using RADIUS for authenticating admin users on different network equipment. "group authorize {...}" works fine with rlm_ldap and group management.
>
> But I have some problem with accounting on F5 BigIP LTM / GTM.
>
> In fact, my RADIUS accounting server is receiving accounting-requests like this:
>
> Accounting-Request packet from host 10.10.10.10 port 36875, id=29, length=281
>         NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]
>         F5-Attr-14 = [Hexadecimal output starting with 0x ...]
> WARNING: Empty section. Using default return values.
> +- entering group accounting {...}
> [sql] expand: packet has no accounting status type. [user '%{User-Name}', nas '%{NAS-IP-Address}'] - packet has no accounting status type. [user '', nas '[nas IP unknown]']
> [sql] packet has no accounting status type. [user '', nas '[nas IP unknown]']
> ++[sql] returns invalid
> Finished request 37.
> Cleaning up request 37 ID
>
> Did someone here already use accounting with F5 BigIP LTM or GTM? I'm looking to make this work by changing the audit_forward TCL script provided with F5 (syslog-ng) but I wasn't able to produce something different ...
>
> I also tried to edit the dictionary for F5 in /usr/share/freeradius/dictionary.f5:
>
>     ATTRIBUTE F5-LTM-User-Info-1    12      string
>     ATTRIBUTE F5-LTM-User-Info-2    13      string
> ++  ATTRIBUTE F5-Attr-14            14      octets
>
> Thanks in advance for your help!
>
> Fabien VINCENT
> fabien.vinc...@coreye.fr

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Problem with F5 BigIP accounting : hexadecimal attribute

> > NAS-IP-Address = [IP address unknown, not corresponding to NAS interfaces]
>
> Did you add your F5 IP address to the NAS table?

Yes, I have added the F5 IP address; authorize works fine using the SQL NAS table, but the IP returned by the F5 accounting packet isn't a valid Self IP of the corresponding F5. I think it's returned by the F5 in hex (as the F5-Attr-14), that's why I'm asking for help about this strange behavior.

> Regards
> Suman
>
> On Mon, Oct 17, 2011 at 4:56 PM, Vincent, Fabien <fabien.vinc...@coreye.fr> wrote:
> > [original message quoted in full, see above]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with F5 BigIP accounting : hexadecimal attribute

Vincent, Fabien wrote:
> Yes I have added the F5 IP address, authorize works fine using the SQL NAS Table, but the IP returned by the F5 Accounting packet isn't a valid Self IPs of the corresponding F5...

The NAS-IP-Address attribute can be ANYTHING. It has little or no correspondence to the IP address of the NAS. The reasons why aren't complicated, but aren't important here.

> I think it's return by the F5 in hexa (as the F5-Attr-14), that's why I request help about this strange behavior ...

Go ask F5 what their attributes mean. If we knew, they would be in the dictionary file.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with F5 BigIP accounting : hexadecimal attribute

On 17/10/11 12:26, Vincent, Fabien wrote:
> F5-Attr-14 = [Hexadecimal output starting with 0x ...]

This happens when an unknown attribute is found. The attribute is assumed to be type octets and is rendered as hex.

> ++ ATTRIBUTE F5-Attr-14 14 octets

This won't help at all. This is ALREADY what FreeRADIUS assumes for unknown attributes. Try:

    ATTRIBUTE F5-Attr-14 14 string

...and see if it's readable.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Problem with F5 BigIP accounting : hexadecimal attribute

Thanks for your replies/help.

I set in dictionary.f5 the following value:

    ATTRIBUTE F5-Acct 14 string

First, for the F5 NAS-IP-Address, it's equal to 127.1.1.1, which I suspect is a strange behavior of the F5 syslog-ng / audit forwarder. But this is not a problem; I will find out how to set it through the tmsh or bigpipe shells.

Now I have the correct output in the F5-Acct attribute I've set in the dictionary.

Thanks all for your help! If you have any experience with F5 BigIP LTM/GTM accounting, please share your feedback with me (in private of course).

For the specific VSA provided here, is it possible to add it by default in the FreeRADIUS repo?

Fabien VINCENT
Network Security Engineer / ASSR Level 3 Products - Products Infrastructure

-----Original Message-----
From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org on behalf of Phil Mayers
Sent: Monday, 17 October 2011 16:51
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with F5 BigIP accounting : hexadecimal attribute

> [Phil Mayers' reply quoted in full, see above]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with F5 BigIP accounting : hexadecimal attribute

Thanks, but I won't transfer until closer to the expiration date, so please lock it up again. Also wanted to make sure somebody was on watch; hadn't been in contact since Don died.

Len

-- Original Message --
From: Phil Mayers <p.may...@imperial.ac.uk>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Date: Mon, 17 Oct 2011 15:51:28 +0100

> [Phil Mayers' reply quoted in full, see above]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with F5 BigIP accounting : hexadecimal attribute

Hi, add that to the following:

    VENDOR          F5      3375

    BEGIN-VENDOR    F5

    ATTRIBUTE       F5-LTM-User-Role                1       integer
    ATTRIBUTE       F5-LTM-User-Role-Universal      2       integer # enable/disable
    ATTRIBUTE       F5-LTM-User-Partition           3       string
    ATTRIBUTE       F5-LTM-User-Console             4       integer # enable/disable
    ATTRIBUTE       F5-LTM-User-Shell               5       string  # supported values are disable, tmsh, and bpsh
    ATTRIBUTE       F5-LTM-User-Context-1           10      integer
    ATTRIBUTE       F5-LTM-User-Context-2           11      integer
    ATTRIBUTE       F5-LTM-User-Info-1              12      string
    ATTRIBUTE       F5-LTM-User-Info-2              13      string

    VALUE   F5-LTM-User-Role        Administrator   0
    VALUE   F5-LTM-User-Role        Resource-Admin  20
    VALUE   F5-LTM-User-Role        User-Manager    40
    VALUE   F5-LTM-User-Role        Manager         100
    VALUE   F5-LTM-User-Role        App-Editor      300
    VALUE   F5-LTM-User-Role        Operator        400
    VALUE   F5-LTM-User-Role        Guest           700
    VALUE   F5-LTM-User-Role        Policy-Editor   800
    VALUE   F5-LTM-User-Role        No-Access       900

    VALUE   F5-LTM-User-Role-Universal      Disabled        0
    VALUE   F5-LTM-User-Role-Universal      Enabled         1

    VALUE   F5-LTM-User-Console     Disabled        0
    VALUE   F5-LTM-User-Console     Enabled         1

    END-VENDOR      F5

then it can go in the distro?

PS: when dealing with vendor kit I tend to actually ask the vendor what their kit is doing... what the RADIUS stuff is... what issues you may have with e.g. accounting (F5, like other vendors, have some very active user forums where all sorts of things get discussed).

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
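As an added illustration (not code from this thread or from FreeRADIUS itself), the following packs a constructed F5 Vendor-Specific attribute and decodes it twice: once with an empty dictionary, which produces exactly the F5-Attr-14 = 0x... hex rendering Phil describes for unknown attributes, and once with the entries alan posted plus the F5-Acct string declaration Fabien settled on. Attribute names, vendor id 3375 and the VALUE mappings mirror the dictionary above; the accounting payload text is made up.

```python
import struct

# Constructed example: the F5 dictionary entries posted in this thread
# (vendor id 3375) plus the accounting attribute 14 declared as "string".
F5_ATTRS = {
    1: ("F5-LTM-User-Role", "integer"),
    3: ("F5-LTM-User-Partition", "string"),
    12: ("F5-LTM-User-Info-1", "string"),
    14: ("F5-Acct", "string"),
}
F5_VALUES = {"F5-LTM-User-Role": {0: "Administrator", 20: "Resource-Admin",
             40: "User-Manager", 100: "Manager", 300: "App-Editor",
             400: "Operator", 700: "Guest", 800: "Policy-Editor", 900: "No-Access"}}

def build_vsa(vendor_id, subattrs):
    """Pack one RADIUS Vendor-Specific attribute (type 26, RFC 2865 5.26)
    from a list of (vendor_type, raw_value_bytes) sub-attributes."""
    body = struct.pack("!I", vendor_id)
    for vtype, value in subattrs:
        body += struct.pack("!BB", vtype, 2 + len(value)) + value
    if len(body) + 2 > 255:
        raise ValueError("VSA too long for a single RADIUS attribute")
    return struct.pack("!BB", 26, 2 + len(body)) + body

def decode_vsa(attr, attrs, values, vendor_name="F5"):
    """Render sub-attributes the way FreeRADIUS debug output does: by
    dictionary name and type when known, otherwise as <Vendor>-Attr-N of
    type octets printed as 0x-prefixed hex (what the original poster saw)."""
    if len(attr) < 6 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    out, pos = [], 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("bad sub-attribute length")
        raw = attr[pos + 2:pos + vlen]
        name, kind = attrs.get(vtype, (f"{vendor_name}-Attr-{vtype}", "octets"))
        if kind == "string":
            rendered = raw.decode("utf-8", errors="replace")
        elif kind == "integer" and len(raw) == 4:
            num = struct.unpack("!I", raw)[0]
            rendered = values.get(name, {}).get(num, str(num))
        else:  # octets, or an integer of the wrong size: fall back to hex
            rendered = "0x" + raw.hex()
        out.append((name, rendered))
        pos += vlen
    return vendor_id, out
```

Running it with the empty dictionary reproduces the unreadable 0x output from the first post; supplying the F5 entries turns the same bytes into F5-LTM-User-Role = Administrator and a readable F5-Acct string.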