Overview
RADIUS Attribute-Value Pairs (AVPs) are the fundamental data units used in RADIUS protocol messages to convey information between the RADIUS server and clients.
Each AVP consists of a specific attribute and its corresponding value, providing a flexible way to communicate the various kinds of information required for authentication, authorization, and accounting (AAA). With the WebADM framework, the returned AVPs can carry dynamic values retrieved from LDAP attributes or static values.
Key Elements of RADIUS AVPs:
- Attribute: This is a predefined identifier that specifies the type of information being communicated. Examples include User-Name, User-Password, NAS-IP-Address, and Framed-IP-Address.
- Value: This is the actual data corresponding to the attribute. The value can be a string, integer, IP address, or another data type, depending on the attribute.
- Type: Attributes can have different types indicating the nature of the data they hold. Common types include:
  - Text (string)
  - Integer (numeric)
  - IP Address
  - Date (time)
  - Enumerated (a predefined set of values)
Common RADIUS AVPs:
- User-Name: Contains the name of the user being authenticated.
- User-Password: Contains the password of the user, usually encrypted.
- NAS-IP-Address: Specifies the IP address of the Network Access Server (NAS) that is requesting authentication.
- Framed-IP-Address: Specifies the IP address to be configured for the user during the session.
- Calling-Station-Id: Identifies the device or phone number initiating the connection.
- Called-Station-Id: Identifies the device or phone number being called.
- NAS-Port: Specifies the port on the NAS that is authenticating the user.
Usage:
- Authentication: AVPs are used to convey credentials such as username and password from the client to the server and to transmit authentication success or failure messages.
- Authorization: AVPs provide additional parameters such as access levels, time limits, and network policies to authorize user actions and resource usage.
- Accounting: AVPs are used to log session details like start time, end time, data usage, and other relevant information for billing or auditing purposes.
Example:
A RADIUS Access-Request message might include the following AVPs:
User-Name: "john.doe"
User-Password: "MyPassword123"
NAS-IP-Address: "192.168.1.1"
A RADIUS Access-Accept response might include AVPs like:
Framed-IP-Address: "192.168.1.100"
Session-Timeout: 3600 (time in seconds)
Ruckus-VLAN-ID: 1
ASA-Privilege-Level: 15
WebADM Integration:
WebADM can dynamically provide values for RADIUS attributes expected by the RADIUS client. These values can be based on the client system, users, or groups accessing the client system.
This allows for highly customizable and flexible RADIUS interactions, ensuring that the necessary attribute values are supplied according to the specific context and requirements of the users and systems involved.
RCDevs provides almost all AVP dictionaries from the various providers. Check the /opt/radiusd/lib/dictionaries/ folder to view the complete list of provided dictionaries.
If your provider is missing, contact RCDevs in order to add it.
For this recipe, you need WebADM, OpenOTP and Radius Bridge installed and configured.
Return AVP for an individual LDAP user
If the AVP is configured at the user level, then only that user will have that configured AVP returned after authentication.
Log in to the WebADM admin portal, select the user and click on User Settings:
In the Applications menu on the left, select MFA Authentication Server and scroll down to RADIUS Options. Enable the checkbox on the left and click on Edit:
We select an attribute from a dictionary. We check that the Gandalf-Phone-Number-1 attribute is present in Radius Bridge:
[root@webadm1 ~]# grep -r "Gandalf-Phone-Number-1" /opt/radiusd/lib/dictionaries/
/opt/radiusd/lib/dictionaries/dictionary.gandalf:ATTRIBUTE Gandalf-Phone-Number-1 17 string
It is available, so we now use it from the WebADM GUI.
We add the RADIUS attribute name in the Attribute field and, in the Value field, we configure LDAP:mobile. This indicates that the value is retrieved from the mobile attribute of the user account.
A fixed value can also be returned. In that case, do not put the LDAP: prefix at the beginning of the Value field; just configure the value you want to return in the AVP.
Note that I didn't select any Client from the dropdown list. The Client refers to an existing Client Policy. This means you can configure multiple AVPs for your user and return an AVP only for a specific client system. When [ALL] is selected, the AVP is returned for any RADIUS client system.
Click Apply, then click Apply again to save the user settings.
[root@localhost ~]# /opt/radiusd/bin/radtest Administrator
Enter password: ******
(0) -: Expected Access-Accept got Access-Challenge
Result: Challenge
Session: 32773731486f443674624f393349416a
Enter your TOKEN password: 381469
Result: Success
Sent Access-Request Id 177 from 0.0.0.0:51646 to 127.0.0.1:1812 length 71
User-Name: "Administrator"
User-Password: "381469"
State: 0x32773731486f443674624f393349416a
NAS-Identifier: "Radtest"
Cleartext-Password: "381469"
Received Access-Accept Id 177 from 127.0.0.1:1812 to 0.0.0.0:0 length 63
Reply-Message: "Authentication success"
Gandalf-Phone-Number-1: "123 456 789"
We can see our AVP returned to the RADIUS client.
Return AVP for all members of a group
If the AVP is configured at the group level, then all members of that group will have the configured AVP returned after their authentication.
To configure it, select the group in WebADM:
Click on Activate Group and proceed with the activation.
Once the group is activated, click on the Group Settings button.
In the Applications menu on the left, select MFA Authentication Server and scroll down to RADIUS Options. Enable the checkbox on the left and click on Edit:
We are going to return fixed and dynamic AVPs for all members of that group when they authenticate on a Cisco ASA system.
We add the attribute names and values:
You can notice in this example that we are configuring two values in the ASA-Group-Policy RADIUS attribute.
The first value is dynamic and is retrieved from the memberof LDAP attribute of the user account. The user john.doe in the example below is a member of the Domain Users group only.
The second value is static; it simply sends the value configured.
The last AVP, ASA-Privilege-Level = 15, is a fixed value which provides the privilege level on the ASA. This is just an example: of course, ASA-Privilege-Level = 15 should not be configured on the Domain Users group.
We apply twice and try with radtest:
[root@webadm1 ~]# /opt/radiusd/bin/radtest john.doe
Enter password: ******
(0) -: Expected Access-Accept got Access-Challenge
Result: Challenge
Session: 705179694d59693771534a6b536e4f65
Enter your TOKEN password: 090807
Result: Success
Sent Access-Request Id 32 from 0.0.0.0:57454 to 127.0.0.1:1812 length 71
User-Name: "john.doe"
User-Password: "090807"
State: 0x705179694d59693771534a6b536e4f65
NAS-Identifier: "ASA"
Cleartext-Password: "090807"
Received Access-Accept Id 32 from 127.0.0.1:1812 to 0.0.0.0:0 length 55
Reply-Message: "Authentication success"
ASA-Group-Policy: "VPNUser"
ASA-Group-Policy: "CN=Domain Users,CN=Users,DC=rcdevsdocs,DC=com"
ASA-Privilege-Level: "15"
As you can see, the different AVPs are returned to the RADIUS client.
Troubleshooting AVPs
Run Radius Bridge in debug mode
For troubleshooting purposes, you can start Radius Bridge in debug mode with the following commands.
First, the service needs to be stopped:
/opt/radiusd/bin/radiusd stop
Then you can start it with the debug argument:
/opt/radiusd/bin/radiusd debug
Proceed with your authentication request from your RADIUS client system, and the debug output appears in your terminal.
To stop the debug mode, press CTRL+C.
Don't forget to start the Radius Bridge service again afterwards:
/opt/radiusd/bin/radiusd start
or with systemctl:
systemctl start radiusd
Invalid RADIUS AVP
RADIUS AVPs must comply with the RADIUS dictionaries stored in /opt/radiusd/lib/dictionaries/. If they do not, the authentication fails.
In the example below, Radius Bridge receives the return attribute ASA-VLAN="string", which is invalid because the attribute is defined as an integer in the dictionary.
[root@rcvm8 ~]# /opt/radiusd/bin/radiusd debug
...
rlm_openotp: OpenOTP authentication succeeded
rlm_openotp: Reply Data: ASA-VLAN="string"
rlm_openotp: Invalid Reply Data (invalid value-pairs format or attribute not in dictionary)
(3) [openotp] = fail
(3) } # Auth-Type OTP = fail
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Login incorrect: [john.doe] (from client any port 0)
(3) Sent Access-Reject Id 52 from 127.0.0.1:1812 to 127.0.0.1:34295 length 0
(3) Finished request
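The following Python script is an added example, not RCDevs code. It mimics the two steps this page describes: resolving the LDAP:/fixed values configured in the user and group settings above for one user, and checking the resulting pairs against a dictionary excerpt so that a reply such as ASA-VLAN="string" is rejected, as in the debug output. The dictionary excerpt and user entry are constructed; the ASA attribute numbers are illustrative.

```python
import re
# Constructed excerpt in the FreeRADIUS dictionary syntax used under
# /opt/radiusd/lib/dictionaries/. The Gandalf line is the one shown on this
# page; the attribute numbers of the ASA entries are illustrative.
DICTIONARY = """ATTRIBUTE Gandalf-Phone-Number-1  17   string
ATTRIBUTE ASA-Group-Policy        25   string
ATTRIBUTE ASA-Privilege-Level     220  integer
ATTRIBUTE ASA-VLAN                140  integer
"""

def load_dictionary(text):
    """Map attribute name -> type from ATTRIBUTE lines; other lines are ignored."""
    types = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ATTRIBUTE":
            types[parts[1]] = parts[3].lower()
    return types

def resolve_value(value, user):
    """'LDAP:<attr>' is read from the user entry (may be multi-valued, e.g. memberof);
    any other value is a fixed value and is sent as-is."""
    if not value.startswith("LDAP:"):
        return [value]
    found = user.get(value[len("LDAP:"):], [])
    return list(found) if isinstance(found, (list, tuple)) else [found]

def check_reply(pairs, types):
    """Problems in (attribute, value) pairs; an empty list means the reply passes
    the dictionary check that Radius Bridge applies to OpenOTP's Reply Data."""
    problems = []
    for name, value in pairs:
        kind = types.get(name)
        if kind is None:
            problems.append(f"{name}: attribute not in dictionary")
        elif kind == "integer" and not re.fullmatch(r"\d+", value):
            problems.append(f"{name}: {value!r} is not an integer")
    return problems

def build_reply(config, user, types):
    """Expand the configured entries for one user, then validate them."""
    pairs = [(n, v) for n, raw in config for v in resolve_value(raw, user)]
    return pairs, check_reply(pairs, types)

# Constructed user entry and the group-level AVP configuration from this page.
USER = {"mobile": "123 456 789", "memberof": ["CN=Domain Users,CN=Users,DC=rcdevsdocs,DC=com"]}
CONFIG = [("ASA-Group-Policy", "LDAP:memberof"),
          ("ASA-Group-Policy", "VPNUser"),
          ("ASA-Privilege-Level", "15")]
```

Named enumerated values (VALUE lines in a dictionary) are not handled here; only a plain decimal passes the integer check.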
Check the OpenOTP logs to see whether AVPs are returned
In /opt/webadm/logs/webadm.log, you can see whether the RADIUS AVPs are returned by OpenOTP after a successful authentication:
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] New openotpSimpleLogin SOAP request
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] > Username: john.doe
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] > Password: xxxxxxxx
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] > Client ID: RadTest
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] > Options: RADIUS,-U2F
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Registered openotpSimpleLogin request
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Resolved LDAP user: CN=John doe,CN=Users,DC=rcdevsdocs,DC=com
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Resolved LDAP groups: domain users
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Started transaction lock for user
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found user fullname: john.doe
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found 1 user emails: john.doe@rcdevsdocs.com
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found 47 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,LockTimer=0,MaxTries=3,BlockTime=0,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,MobileTimeout=30,EnableLogin=Yes,SelfRegister=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID,ReplyData=[1 Items]
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found 10 user data: LastOTP,TokenType,TokenKey,TokenState,TokenID,TokenSerial,Device1Type,Device1Name,Device1Data,Device1State
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Last OTP expired 2020-04-17 18:29:43
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Found 1 registered OTP token (TOTP)
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Requested login factors: LDAP & OTP
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] LDAP password Ok
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:4JKBFJ4C] Authentication challenge required
[2020-04-17 18:50:46] [192.168.3.64] [OpenOTP:4JKBFJ4C] Sent push notification for token #1
[2020-04-17 18:50:46] [192.168.3.64] [OpenOTP:4JKBFJ4C] Waiting 27 seconds for mobile response
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] Received mobile authentication response from 192.168.3.1
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] > Session: cupcbM2KWdmcAxjF
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] > Password: 16 Bytes
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] Found authentication session started 2020-04-17 18:50:45
[2020-04-17 18:50:56] [192.168.3.56] [OpenOTP:4JKBFJ4C] PUSH password Ok (token #1)
[2020-04-17 18:50:56] [192.168.3.64] [OpenOTP:4JKBFJ4C] Returning 6 RADIUS reply attributes
[2020-04-17 18:50:56] [192.168.3.64] [OpenOTP:4JKBFJ4C] Updated user data
[2020-04-17 18:50:56] [192.168.3.64] [OpenOTP:4JKBFJ4C] Sent login success response
Here is the line showing that OpenOTP returned them:
[2020-04-17 18:50:56] [192.168.3.64] [OpenOTP:4JKBFJ4C] Returning 6 RADIUS reply attributes