rlm_python and the Tunnel-Private-Group-Id attribute

Bob Brandt bob at brandt.ie
Thu Feb 10 10:24:53 CET 2011


Not sure if there isn't another forum or mailing list for rlm_python
specifically, but...

I have been using freeradius for a while now with great results, thanks!

We are using a very simple configuration to authenticate users against LDAP
(eDirectory) and that part works great! I am trying to add a component that
will return the necessary attributes to allow for dynamic VLANs.

I was able to get this working using the /etc/raddb/users file, however due
to the size of the organization, this is very messy. I have started using
python to extract this information from another database and return the
information.

All my testing seems to indicate it should work, but it is not.  I believe
the problem is in how rlm_python returns the "Tunnel-Private-Group-Id"
attribute.

My users file (which works) looks like this:

    # Generic LDAP return attributes
    DEFAULT Auth-Type == "LDAP"
        Class = "Staff",
        Service-Type = Login,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-ID = 99,
        Fall-Through = Yes

    brandtb
        Reply-Message += "You are a member of the IT Group",
        Class := "CACS:0/ebf42/ac8c8e6/administrator",
        Tunnel-Private-Group-ID := 150,
        Alcatel-Lucent-Asa-Access = "all",
        Fall-Through = No

Below are the two snippets of the debugs.  The first is from the old (working)
system which uses the users file and the second is from the new system using
the rlm_python module:

    Sending Access-Challenge of id 172 to 10.200.113.99 port 18699
        Class := 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
        Service-Type = Login-User
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 := "150"
        Reply-Message += "You are a member of the IT Group"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc146d1a4c144c80f46bec9bc87d3208b
    Finished request 0.

    -----

    Sending Access-Challenge of id 130 to 10.200.113.99 port 18673
        Reply-Message = "You are a member of the IT Group"
        Tunnel-Type:0 = VLAN
        Class = 0x4f50575374616666
        Class = 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
        Tunnel-Medium-Type:0 = IEEE-802
        Service-Type = Login-User
        Tunnel-Private-Group-Id:0 = "150"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8cd4aac48cd6b3a6430ea766ccfa9b91
    Finished request 0.

The debug output looks for the most part identical!

Now, initially when using the users file, I had the same problem I am having
now, where the wireless access point was getting the attributes but was not
putting me in the correct VLAN.  The problem turned out that I was passing a
string to the "Tunnel-Private-Group-Id" attribute instead of an integer.
Once I removed the quotes from the VLAN ID everything was working perfectly.

Thinking that the problem was that within Python I was storing the
"Tunnel-Private-Group-Id" attribute as a string, I changed it to an integer;
however, I immediately got the error:

    return tuple must be (str,str)

I don't know how to get around this and I have not been able to find too
many examples of how to use the rlm_python module. Any help would be greatly
appreciated.

Thanks
Bob Brandt

-- 
What's the point of having a rapier wit if I can't use it to stab people? -
Jeph Jacques
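Added example (not code from the original post or from the FreeRADIUS project): an rlm_python post_auth hook that returns the dynamic-VLAN attributes in the shape the module requires, a tuple of (str, str) pairs, which is exactly what the "return tuple must be (str,str)" error enforces. Both debug traces in the post show the value arriving as the string "150", so the example validates the VLAN ID as an integer but hands it to the module as a string. The radiusd constants are the module's own; the fallback values, the user-to-VLAN table and the quote-stripping of incoming values are assumptions made so the file runs outside the server.

```python
# Added example, not from the original post or from the FreeRADIUS project:
# an rlm_python post_auth hook returning dynamic-VLAN reply attributes as
# (str, str) pairs. The VLAN table and fallback return codes are constructed.

try:
    import radiusd  # provided by FreeRADIUS only inside the server process
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_OK = radiusd.RLM_MODULE_OK
    RLM_MODULE_NOOP = radiusd.RLM_MODULE_NOOP
except ImportError:
    # Stand-alone fallback (assumed values, used only when this file runs
    # outside FreeRADIUS, e.g. for a dry run or a unit test).
    RLM_MODULE_REJECT, RLM_MODULE_OK, RLM_MODULE_NOOP = 0, 2, 7

# Constructed lookup table standing in for the external database. It mirrors
# the users file in the post: everyone defaults to VLAN 99, brandtb gets 150.
DEFAULT_VLAN = 99
USER_VLANS = {
    "brandtb": 150,
}


def validate_reply(reply):
    """Enforce the (str, str) pair shape rlm_python checks when it converts
    the returned items into reply attributes. An int value (the change the
    post describes) fails this check, hence the module's error message."""
    for item in reply:
        if not (isinstance(item, tuple) and len(item) == 2
                and all(isinstance(x, str) for x in item)):
            raise TypeError("return tuple must be (str,str): %r" % (item,))
    return True


def build_vlan_reply(vlan_id, class_value=None):
    """Build the RFC 2868 tunnel attributes for a dynamic VLAN assignment.
    The ID is range-checked as an integer but emitted as a string, because
    Tunnel-Private-Group-Id is a string attribute on the wire and rlm_python
    accepts only str values."""
    vlan_id = int(vlan_id)
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range: %d" % vlan_id)
    reply = [
        ("Service-Type", "Login-User"),
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", str(vlan_id)),
    ]
    if class_value is not None:
        reply.append(("Class", class_value))
    reply = tuple(reply)
    validate_reply(reply)
    return reply


def _attr(p, name):
    """Fetch one value from the (attribute, value) pairs the module passes
    in; surrounding quotes on string values are stripped (assumed input form)."""
    for key, value in p:
        if key == name:
            return value.strip('"')
    return None


def post_auth(p):
    """rlm_python entry point. p is a tuple of (attribute, value) pairs from
    the request; the return is (rcode, reply_items, config_items)."""
    user = _attr(p, "User-Name")
    if user is None:
        return RLM_MODULE_NOOP  # nothing to assign, let other modules decide
    vlan = USER_VLANS.get(user, DEFAULT_VLAN)
    reply = build_vlan_reply(vlan, class_value="Staff")
    return (RLM_MODULE_OK, reply, ())
```

Wire the file in with the module's usual `mod_post_auth` / `func_post_auth` settings; the point to take away is that every value in the returned pairs, numeric or not, must already be a Python string when it leaves the function.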