Starting with ephemeral_auth release 0.2.11, you may authenticate users to the local user database. This will happen AFTER an attempt to authenticate with Ephemeral Auth and ONLY if the following options are defined in the ephemeral_config data group.
- RADIUS_APMAUTH - integer - optional - Enable authenticating RADIUS users, using an auxiliary APM policy. Requires policy to be specified in RADIUS_APMAUTH_POLICY below.
- RADIUS_APMAUTH_POLICY - string - optional - Specify auxiliary APM policy for authenticating RADIUS users.
-
Local DB Instance Configured and populated with at least one user
-
Separate APM Policy referencing the Local DB Instance
-
Configuration of the ephemeral_config data group with RADIUS_APMAUTH := 1 and RADIUS_APMAUTH_POLICY := policy_name Note: "/Common/" prefix is required
# tail -f /var/log/apm
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: UNKNOWN_PROFILE:Common: RADIUS_PROXY: 192.168.99.81 Valid packet received from 192.168.99.81.
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490530:5: (null):Common:252f6b65: New session from client IP 192.168.99.81 (ST=/CC=/C=) at VIP 192.168.20.230 Listener /Common/radius_vip (Reputation=Unknown) created by iRule /Common/ephemeral_auth_plugin/radius_proxy
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 Attempting authentication to APM policy for user radiususer
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 APM policy Accept user radiususer
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 ATTRIBUTE SUPPORT ENABLED
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 hostGroups for 192.168.99.81 = CN=RouterEnable,CN=Users,DC=mydomain,DC=local:15 CN=RouterView,CN=Users,DC=mydomain,DC=local:1
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 userGroups: enable
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 radiusClientType: DEFAULT
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 radiusClientType: [['Vendor-Specific', 9, [['Cisco-AVPair', 'shell:priv-lvl=<<<VALUE>>>']]]]
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 level:
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 level-now:0
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 Access-Accept for radiususer from 192.168.99.81
Mar 20 13:44:12 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:252f6b65: RADIUS_PROXY: 192.168.99.81 Access-Accept for "radiususer" from client macbook-pro.billchurch.me to host 192.168.99.81
# tail -f /var/log/apm
Mar 20 13:47:24 pua-13-hf2 notice tmm2[31526]: 01490567:5: UNKNOWN_PROFILE:Common: RADIUS_PROXY: 192.168.99.81 Valid packet received from 192.168.99.81.
Mar 20 13:47:24 pua-13-hf2 notice tmm2[31526]: 01490530:5: (null):Common:e2389cd5: New session from client IP 192.168.99.81 (ST=/CC=/C=) at VIP 192.168.20.230 Listener /Common/radius_vip (Reputation=Unknown) created by iRule /Common/ephemeral_auth_plugin/radius_proxy
Mar 20 13:47:24 pua-13-hf2 notice tmm2[31526]: 01490567:5: /Common/localAuth:Common:e2389cd5: RADIUS_PROXY: 192.168.99.81 Attempting authentication to APM policy for user radiususer
Mar 20 13:47:24 pua-13-hf2 notice tmm2[31526]: 01490567:5: /Common/localAuth:Common:e2389cd5: RADIUS_PROXY: 192.168.99.81 APM policy Deny user radiususer
Mar 20 13:47:24 pua-13-hf2 notice tmm2[31526]: 01490567:5: /Common/localAuth:Common:e2389cd5: RADIUS_PROXY: 192.168.99.81 Access-Reject for radiususer from 192.168.99.81 APM authentication method failed: deny
Mar 20 13:47:24 pua-13-hf2 notice tmm2[31526]: 01490567:5: /Common/localAuth:Common:e2389cd5: RADIUS_PROXY: 192.168.99.81 Access-Reject for "radiususer" from client macbook-pro.billchurch.me to host 192.168.99.81
# tail -f /var/log/apm
Mar 20 14:24:07 pua-13-hf2 notice tmm3[31526]: 01490567:5: UNKNOWN_PROFILE:Common: RADIUS_PROXY: 192.168.99.81 Valid packet received from 192.168.99.81.
Mar 20 14:24:07 pua-13-hf2 notice tmm3[31526]: 01490530:5: (null):Common:be9d531e: New session from client IP 192.168.99.81 (ST=/CC=/C=) at VIP 192.168.20.230 Listener /Common/radius_vip (Reputation=Unknown) created by iRule /Common/ephemeral_auth_plugin/radius_proxy
Mar 20 14:24:07 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:be9d531e: RADIUS_PROXY: 192.168.99.81 Attempting authentication to APM policy for user radiususer
Mar 20 14:24:07 pua-13-hf2 notice apmd[6059]: 01490000:5: modules/LocaldbStore/LocaldbStoreAgent.cpp func: "localdblib_log_callback()" line: 11 Msg: Login for user radiususer, instance /Common/radius_users rejected - Account locked out.
Mar 20 14:24:07 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:be9d531e: RADIUS_PROXY: 192.168.99.81 APM policy Deny user radiususer
Mar 20 14:24:07 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:be9d531e: RADIUS_PROXY: 192.168.99.81 Access-Reject for radiususer from 192.168.99.81 APM authentication method failed: deny lockout
Mar 20 14:24:07 pua-13-hf2 notice tmm3[31526]: 01490567:5: /Common/localAuth:Common:be9d531e: RADIUS_PROXY: 192.168.99.81 Access-Reject for "radiususer" from client macbook-pro.billchurch.me to host 192.168.99.81
While, not documented here. The LocalDB Auth instance in this APM policy may be replaced with ANY APM auth process that can take a username and password.