Overview

RADIUS Attribute-Value Pairs (AVPs) are the fundamental data units of RADIUS protocol messages; they carry information between RADIUS clients (the NAS devices) and the RADIUS server.
Each AVP pairs an attribute with a value, which gives the protocol a flexible way to convey the data needed for authentication, authorization and accounting (AAA). With the WebADM framework, the AVPs returned to a client can carry dynamic values retrieved from LDAP attributes or static values.

Key Elements of RADIUS AVPs:

  1. Attribute: A predefined identifier for the kind of information being carried. On the wire it is a numeric type code; the RADIUS dictionaries map names such as User-Name, User-Password, NAS-IP-Address and Framed-IP-Address to those codes.

  2. Value: This is the actual data corresponding to the attribute. The value can be a string, integer, IP address, or other data types, depending on the attribute.

  3. Type: Each attribute has a data type that defines how its value is encoded on the wire and which values are valid for it. Common types include:

  • Text (string)
  • Integer (numeric)
  • IP Address
  • Date (time)
  • Enumerated (a predefined set of values)

Common RADIUS AVPs:

  • User-Name: Contains the name of the user being authenticated.
  • User-Password: Contains the user's password. It is not sent in clear text, but it is only obfuscated with an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865), so anyone who captures the packet and knows the shared secret can recover it. Treat the shared secret accordingly and protect the RADIUS path (RadSec/TLS or IPsec) when it crosses untrusted networks.
  • NAS-IP-Address: Specifies the IP address of the Network Access Server (NAS) that is requesting authentication.
  • Framed-IP-Address: Specifies the IP address to be configured for the user during the session.
  • Calling-Station-Id: Identifies the device or phone number initiating the connection.
  • Called-Station-Id: Identifies the device or phone number being called.
  • NAS-Port: Specifies the port on the NAS that is authenticating the user.

Usage:

  • Authentication: AVPs carry the credentials (username and password, or the State attribute and an OTP in a challenge round) from the client to the server, and accompany the server's Access-Accept, Access-Reject or Access-Challenge response (for example Reply-Message).

  • Authorization: AVPs provide additional parameters such as access levels, time limits, and network policies to authorize user actions and resource usage.

  • Accounting: AVPs are used to log session details like start time, end time, data usage, and other relevant information for billing or auditing purposes.

Example:
A RADIUS Access-Request message might include the following AVPs:

User-Name: "john.doe"
User-Password: "MyPassword123"
NAS-IP-Address: "192.168.1.1"

A RADIUS Access-Accept response might include AVPs like the following; the last two are Vendor-Specific Attributes (VSAs), carried inside attribute 26 and defined in the Ruckus and Cisco ASA dictionaries:

Framed-IP-Address: "192.168.1.100"
Session-Timeout: 3600 (time in seconds)
Ruckus-VLAN-ID: 1
ASA-Privilege-Level: 15
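To make the wire format concrete, here is an added Python example (not code from this page or from RCDevs) that encodes the Access-Request and Access-Accept AVPs above as RFC 2865 type/length/value triples, hides User-Password with the RFC 2865 section 5.2 MD5 scheme, and decodes everything back. The shared secret and the fixed Request Authenticator are constructed for the example, and the vendor-specific attribute uses Gandalf-Phone-Number-1 (attribute 17, string, as in the dictionary grep later on this page; the vendor id 64 is assumed) in place of the Ruckus and ASA VSAs. Recovering the password from its hidden form shows why the shared secret is the only thing protecting it.

```python
"""Encode and decode RADIUS AVPs (RFC 2865 TLVs), including User-Password
hiding and a Vendor-Specific Attribute. Added example, not RCDevs code."""
import hashlib
import ipaddress
import struct

# Standard attribute type codes from RFC 2865; the dictionaries map names to these.
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
VENDOR_SPECIFIC = 26
SESSION_TIMEOUT = 27
GANDALF_VENDOR_ID = 64        # assumed enterprise number; check the VENDOR line of dictionary.gandalf
GANDALF_PHONE_NUMBER_1 = 17   # from the dictionary line shown later on this page


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One AVP on the wire: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("AVP value must fit in 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific Attribute (type 26): Vendor-Id (4 bytes) followed by a
    nested Vendor-Type / Vendor-Length / Value triple."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous output block); the first block uses the Request
    Authenticator. Anyone holding the shared secret can undo this, so it is
    obfuscation, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: regenerate the keystream, XOR, strip NUL padding."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def decode_avps(data: bytes) -> list:
    """Walk a buffer of AVPs. Plain attributes become (type, value); a VSA becomes
    (26, vendor_id, vendor_type, value). Bad lengths raise instead of being skipped."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed AVP length")
        value = data[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = struct.unpack("!BB", value[4:6])
            avps.append((attr_type, vendor_id, vtype, value[6:4 + vlen]))
        else:
            avps.append((attr_type, value))
        pos += length
    return avps


def build_access_request_avps(secret: bytes, authenticator: bytes) -> bytes:
    """The Access-Request AVPs from the page's example."""
    return (encode_avp(USER_NAME, b"john.doe")
            + encode_avp(USER_PASSWORD, hide_password(b"MyPassword123", secret, authenticator))
            + encode_avp(NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.1").packed))


def build_access_accept_avps() -> bytes:
    """Access-Accept AVPs: two standard attributes plus one (constructed) VSA."""
    return (encode_avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.100").packed)
            + encode_avp(SESSION_TIMEOUT, struct.pack("!I", 3600))
            + encode_vsa(GANDALF_VENDOR_ID, GANDALF_PHONE_NUMBER_1, b"123 456 789"))


def demo() -> dict:
    """Round-trip both packets. The fixed authenticator keeps the output
    reproducible; a real client must draw it from a CSPRNG (os.urandom(16))."""
    secret = b"testing123"                 # constructed shared secret
    authenticator = bytes(range(16))
    request = {a[0]: a[1] for a in decode_avps(build_access_request_avps(secret, authenticator))}
    accept = decode_avps(build_access_accept_avps())
    std = {a[0]: a[1] for a in accept if a[0] != VENDOR_SPECIFIC}
    vsa = [a for a in accept if a[0] == VENDOR_SPECIFIC][0]
    return {
        "User-Name": request[USER_NAME].decode(),
        "User-Password-on-wire": request[USER_PASSWORD].hex(),
        "User-Password": recover_password(request[USER_PASSWORD], secret, authenticator).decode(),
        "NAS-IP-Address": str(ipaddress.IPv4Address(request[NAS_IP_ADDRESS])),
        "Framed-IP-Address": str(ipaddress.IPv4Address(std[FRAMED_IP_ADDRESS])),
        "Session-Timeout": struct.unpack("!I", std[SESSION_TIMEOUT])[0],
        "Gandalf-Phone-Number-1": (vsa[1], vsa[2], vsa[3].decode()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the decoded fields, including the 16-byte hidden form of the password next to the recovered clear text. The recovery step needs nothing but the shared secret and the Request Authenticator, both of which are visible to anyone on the path who knows the secret, which is why a weak or widely shared RADIUS secret exposes every User-Password that crosses the network.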

WebADM Integration:

WebADM can dynamically provide values for RADIUS attributes expected by the RADIUS client. These values can be based on the client system, users, or groups accessing the client system.
This allows for highly customizable and flexible RADIUS interactions, ensuring that the necessary attribute values are supplied according to the specific context and requirements of the users and systems involved.

RCDevs ships dictionaries covering almost all vendors' AVPs. Check the /opt/radiusd/lib/dictionaries/ folder for the complete list of provided dictionaries.
If your vendor is missing, contact RCDevs to have it added.

For this recipe, you need WebADM, OpenOTP and Radius Bridge installed and configured.

Return AVP for an individual LDAP user

If an AVP is configured at the user level, only that user receives the configured AVP after authentication.

Log in to the WebADM admin portal, select the user and click User Settings.

In the Applications menu on the left, select MFA Authentication Server and scroll down to RADIUS Options. Enable the checkbox on the left and click Edit.

We will return an attribute defined in one of the dictionaries. First, check that the Gandalf-Phone-Number-1 attribute is known to Radius Bridge:

[root@webadm1 ~]# grep -r "Gandalf-Phone-Number-1" /opt/radiusd/lib/dictionaries/
/opt/radiusd/lib/dictionaries/dictionary.gandalf:ATTRIBUTE	Gandalf-Phone-Number-1			17	string

It is available, so we can use it from the WebADM GUI.
Enter the RADIUS attribute name in the Attribute field and LDAP:mobile in the Value field. The LDAP: prefix means the value is retrieved at authentication time from the mobile attribute of the user account.
A fixed value can also be returned: omit the LDAP: prefix and enter the literal value you want to return in the AVP.


Note that no Client was selected from the dropdown list. The Client refers to an existing Client Policy, so you can configure several AVPs for a user and return each one only to a specific client system. When [ALL] is selected, the AVP is returned to any RADIUS client system.

Click Apply in the RADIUS Options editor, then click Apply again to save the user settings.

[root@localhost ~]# /opt/radiusd/bin/radtest Administrator
Enter password: ******
(0) -: Expected Access-Accept got Access-Challenge
Result: Challenge
Session: 32773731486f443674624f393349416a
Enter your TOKEN password: 381469
Result: Success
Sent Access-Request Id 177 from 0.0.0.0:51646 to 127.0.0.1:1812 length 71
    User-Name: "Administrator"
    User-Password: "381469"
    State: 0x32773731486f443674624f393349416a
    NAS-Identifier: "Radtest"
    Cleartext-Password: "381469"
Received Access-Accept Id 177 from 127.0.0.1:1812 to 0.0.0.0:0 length 63
    Reply-Message: "Authentication success"
    Gandalf-Phone-Number-1: "123 456 789"

The AVP is returned to the RADIUS client as expected.

Return AVP for all members of a group

If an AVP is configured at the group level, all members of that group receive the configured AVP after their authentication.

To configure it, select the group in WebADM, click Activate Group and proceed with the activation.

Once the group is activated, click the Group Settings button.
In the Applications menu on the left, select MFA Authentication Server and scroll down to RADIUS Options. Enable the checkbox on the left and click Edit.

We are going to return static and dynamic AVPs to all members of that group when they authenticate on a Cisco ASA.

Add the attribute names and values.

Notice that two values are configured for the ASA-Group-Policy RADIUS attribute.
The first value is dynamic and is retrieved from the memberOf LDAP attribute of the user account.
The user john.doe in the example below is a member of the Domain Users group only.
The second value is static: the configured string is sent as-is.
The last AVP, ASA-Privilege-Level = 15, is a fixed value that sets the privilege level on the ASA. This is only an example: level 15 is full administrative privilege and must not be assigned to the Domain Users group in a real deployment.

Click Apply twice (editor, then group settings) and test with radtest:

[root@webadm1 ~]# /opt/radiusd/bin/radtest john.doe
Enter password: ******
(0) -: Expected Access-Accept got Access-Challenge
Result: Challenge
Session: 705179694d59693771534a6b536e4f65
Enter your TOKEN password: 090807
Result: Success
Sent Access-Request Id 32 from 0.0.0.0:57454 to 127.0.0.1:1812 length 71
    User-Name: "john.doe"
    User-Password: "090807"
    State: 0x705179694d59693771534a6b536e4f65
    NAS-Identifier: "ASA"
    Cleartext-Password: "090807"
Received Access-Accept Id 32 from 127.0.0.1:1812 to 0.0.0.0:0 length 55
    Reply-Message: "Authentication success"
    ASA-Group-Policy: "VPNUser"
    ASA-Group-Policy: "CN=Domain Users,CN=Users,DC=rcdevsdocs,DC=com"
    ASA-Privilege-Level: "15"

As shown, the different AVPs are returned to the RADIUS client.
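The two procedures above (user-level and group-level AVPs) share one set of rules: a value prefixed with LDAP: is read from the user's LDAP account at login, any other value is returned literally, and each AVP can be scoped to a Client Policy or to [ALL]. The following added Python example (not WebADM code) models exactly that resolution so the behaviour can be checked offline. The LDAP entry for john.doe is constructed from the values shown on this page; scoping the group rules to a Client Policy named "ASA" is an assumption added to show the [ALL] versus specific-client difference; and omitting the AVP when the LDAP attribute is absent is also an assumption, since the page does not say what WebADM does in that case.

```python
"""Resolve the RADIUS reply AVPs for one login from per-user and per-group
rules, following the value conventions this page describes.
Added example, not WebADM code; Client Policy names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AvpRule:
    attribute: str          # attribute name as it appears in the dictionaries
    value: str              # "LDAP:<attr>" for a dynamic value; anything else is static
    client: str = "[ALL]"   # Client Policy the rule applies to; [ALL] means every client


# Rules as configured on the page: one on the user, three on the group.
# Scoping the group rules to a Client Policy named "ASA" is an assumption
# made here to show the [ALL] versus specific-client behaviour.
USER_RULES = [AvpRule("Gandalf-Phone-Number-1", "LDAP:mobile")]
GROUP_RULES = [
    AvpRule("ASA-Group-Policy", "LDAP:memberof", client="ASA"),
    AvpRule("ASA-Group-Policy", "VPNUser", client="ASA"),
    AvpRule("ASA-Privilege-Level", "15", client="ASA"),
]

# Constructed LDAP entry for john.doe; values mirror the page's radtest output.
JOHN_DOE = {
    "cn": ["John doe"],
    "mobile": ["123 456 789"],
    "memberOf": ["CN=Domain Users,CN=Users,DC=rcdevsdocs,DC=com"],
}


def resolve_value(rule: AvpRule, entry: dict) -> list:
    """Static rule -> the literal. Dynamic rule -> every value of the LDAP
    attribute, so a multi-valued attribute such as memberOf expands to one AVP
    per value. A missing attribute yields no AVP (assumption, see lead-in)."""
    if not rule.value.startswith("LDAP:"):
        return [rule.value]
    wanted = rule.value[len("LDAP:"):].lower()
    for name, values in entry.items():        # LDAP attribute names are case-insensitive
        if name.lower() == wanted:
            return [v for v in values if v]
    return []


def reply_attributes(rules: list, entry: dict, client: str) -> list:
    """Reply AVPs as (name, value) pairs for a login through `client`.
    Rules scoped to another Client Policy are skipped; [ALL] always applies."""
    reply = []
    for rule in rules:
        if rule.client != "[ALL]" and rule.client != client:
            continue
        reply.extend((rule.attribute, v) for v in resolve_value(rule, entry))
    return reply


if __name__ == "__main__":
    for client in ("ASA", "RadTest"):
        print(f"--- login through client policy {client}")
        for name, value in reply_attributes(USER_RULES + GROUP_RULES, JOHN_DOE, client):
            print(f"{name}: {value!r}")
```

Run it and compare the "ASA" output with the radtest transcript above: the user-level phone number AVP plus the three group-level ASA AVPs. The "RadTest" run returns only the phone number, which is the effect of binding the privileged ASA-Privilege-Level rule to a single Client Policy rather than to [ALL].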

Troubleshooting of AVP

Run the Debug mode of Radius Bridge

For troubleshooting purposes, you can start Radius Bridge in debug mode with the following commands.

First, stop the service:

/opt/radiusd/bin/radiusd stop

Then you can start it with the debug argument:

/opt/radiusd/bin/radiusd debug

Then run the authentication from your RADIUS client system; the debug output appears in your terminal.

To stop debug mode, press Ctrl+C.
Don't forget to start the Radius Bridge service again afterwards:

/opt/radiusd/bin/radiusd start

or with systemctl:

systemctl start radiusd

Invalid RADIUS AVP

RADIUS AVPs must comply with the dictionaries stored in /opt/radiusd/lib/dictionaries/. If a returned attribute is unknown or its value does not match the attribute's type, Radius Bridge refuses the whole reply and the login fails with an Access-Reject, even though OpenOTP itself reported success (note the "OpenOTP authentication succeeded" line below). A typo in an AVP configuration therefore locks out every user it applies to, so test changes with radtest before rolling them out.
In the example below, Radius Bridge receives the return attribute ASA-VLAN="string", which is invalid because the attribute is defined as an integer.

[root@rcvm8 ~]# /opt/radiusd/bin/radiusd debug
...
rlm_openotp: OpenOTP authentication succeeded

rlm_openotp: Reply Data: ASA-VLAN="string"
rlm_openotp: Invalid Reply Data (invalid value-pairs format or attribute not in dictionary)

(3)     [openotp] = fail
(3)   } # Auth-Type OTP = fail
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) Login incorrect: [john.doe] (from client any port 0)
(3) Sent Access-Reject Id 52 from 127.0.0.1:1812 to 127.0.0.1:34295 length 0
(3) Finished request
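An added Python example (not Radius Bridge code) that reproduces this check offline: it parses ATTRIBUTE lines in the dictionary format shown in the grep earlier on this page, then validates reply data written as Name=value pairs before it would be sent. The dictionary excerpt is constructed: the Gandalf line is the one from the grep above, while the ASA-VLAN, ASA-Group-Policy, Framed-IP-Address and Session-Timeout lines and their attribute numbers are assumed for the example. Named VALUE entries for integer attributes and vendor blocks are not handled here.

```python
"""Check reply data against Radius Bridge style dictionaries before it reaches
the client, mirroring the 'Invalid Reply Data' failure. Added example."""
import ipaddress
import re

# Constructed dictionary excerpt. The Gandalf line is the one the page greps;
# the other lines and their attribute numbers are assumptions for this example.
DICTIONARY_TEXT = """
# comments and blank lines are ignored
ATTRIBUTE\tGandalf-Phone-Number-1\t\t17\tstring
ATTRIBUTE\tASA-VLAN\t\t\t140\tinteger
ATTRIBUTE\tASA-Group-Policy\t\t25\tstring
ATTRIBUTE\tFramed-IP-Address\t\t8\tipaddr
ATTRIBUTE\tSession-Timeout\t\t\t27\tinteger
"""

# One "Name=value" pair: value either double-quoted or bare, followed by "," or end.
PAIR_RE = re.compile(r'\s*([A-Za-z0-9._-]+)\s*=\s*(?:"([^"]*)"|([^,]*?))\s*(?:,|$)')


def parse_dictionary(text: str) -> dict:
    """Map lower-cased attribute name -> (name, number, type) from ATTRIBUTE lines."""
    dictionary = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "ATTRIBUTE":
            name, number, dtype = parts[1], int(parts[2]), parts[3]
            dictionary[name.lower()] = (name, number, dtype)
    return dictionary


def parse_reply_data(text: str) -> list:
    """Split 'A="x", B=5' into (name, value) pairs; malformed input raises."""
    pairs, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = PAIR_RE.match(text, pos)
        if not m:
            raise ValueError(f"invalid value-pairs format near {text[pos:pos + 20]!r}")
        value = m.group(2) if m.group(2) is not None else m.group(3)
        pairs.append((m.group(1), value))
        pos = m.end()
    return pairs


def value_matches_type(dtype: str, value: str) -> bool:
    """Type checks for the data types used on this page; other types pass unchecked."""
    if dtype == "integer":
        return value.isascii() and value.isdigit() and int(value) < 2 ** 32
    if dtype == "ipaddr":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    if dtype == "string":
        return len(value.encode()) <= 253     # one AVP value is at most 253 bytes
    return True


def check_reply_data(text: str, dictionary: dict) -> tuple:
    """Return (ok, problems). Any problem means the whole reply is refused and
    the login rejected, which is what Radius Bridge does with invalid reply data."""
    try:
        pairs = parse_reply_data(text)
    except ValueError as exc:
        return False, [str(exc)]
    problems = []
    for name, value in pairs:
        entry = dictionary.get(name.lower())
        if entry is None:
            problems.append(f"{name}: attribute not in dictionary")
        elif not value_matches_type(entry[2], value):
            problems.append(f"{name}: {value!r} is not a valid {entry[2]}")
    return not problems, problems


if __name__ == "__main__":
    d = parse_dictionary(DICTIONARY_TEXT)
    for reply in ('ASA-VLAN="string"', 'ASA-VLAN=10, ASA-Group-Policy="VPNUser"',
                  'No-Such-Attr="x"', 'ASA-VLAN'):
        print(reply, "->", check_reply_data(reply, d))
```

The first sample input is the failing case from the debug output above; the check reports the type mismatch instead of silently dropping the attribute, which is the fail-closed behaviour you want, because a half-applied authorization reply (for example a missing VLAN or group policy) could place a user on a network they should not reach. To use it against a real installation, read the dictionary text from the files under /opt/radiusd/lib/dictionaries/ instead of the embedded excerpt.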

Check OpenOTP logs to see if AVP are returned

In /opt/webadm/logs/webadm.log, you can check whether RADIUS AVPs were returned by OpenOTP after a successful authentication:

[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] New openotpSimpleLogin SOAP request
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] > Username: john.doe
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] > Password: xxxxxxxx
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] > Client ID: RadTest
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] > Options: RADIUS,-U2F
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Registered openotpSimpleLogin request
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Resolved LDAP user: CN=John doe,CN=Users,DC=rcdevsdocs,DC=com
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Resolved LDAP groups: domain users
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Started transaction lock for user
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found user fullname: john.doe
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found 1 user emails: john.doe@rcdevsdocs.com
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found 47 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,LockTimer=0,MaxTries=3,BlockTime=0,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,MobileTimeout=30,EnableLogin=Yes,SelfRegister=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID,ReplyData=[1 Items]
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found 10 user data: LastOTP,TokenType,TokenKey,TokenState,TokenID,TokenSerial,Device1Type,Device1Name,Device1Data,Device1State
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Last OTP expired 2020-04-17 18:29:43
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found 1 registered OTP token (TOTP)
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Requested login factors: LDAP & OTP
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] LDAP password Ok
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Authentication challenge required
[2020-04-17 18:50:46] [192.168.3.64] [OpenOTP:4JKBFJ4C] Sent push notification for token #1
[2020-04-17 18:50:46] [192.168.3.64] [OpenOTP:4JKBFJ4C] Waiting 27 seconds for mobile response
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] Received mobile authentication response from 192.168.3.1
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] > Session: cupcbM2KWdmcAxjF
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] > Password: 16 Bytes
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] Found authentication session started 2020-04-17 18:50:45
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] PUSH password Ok (token #1)
[2020-04-17 18:50:56] [192.168.3.64] [OpenOTP:4JKBFJ4C] Returning 6 RADIUS reply attributes
[2020-04-17 18:50:56] [192.168.3.64] [OpenOTP:4JKBFJ4C] Updated user data
[2020-04-17 18:50:56] [192.168.3.64] [OpenOTP:4JKBFJ4C] Sent login success response

The relevant line shows that OpenOTP returned the attributes:

[2020-04-17 18:50:56] [192.168.3.64] [OpenOTP:4JKBFJ4C] Returning 6 RADIUS reply attributes