How do I get every userid passed to an rlm_python module

Jim Whitescarver jimscarver at gmail.com
Wed Feb 10 02:35:33 CET 2016


Thanks Matthew,

bob is the test user given a password in radiusd.conf

for jim the password is arbitrary as I am not checking it at this point in
the python.  The authentication will be done out-of-band by the plugin.
Before trying my script I want to get the example script to just always
authenticate.  Then I will add the code for out-of-band authentication.

I see ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject

I included python in the authorize section per the instructions, but it is
not in the authenticate section of sites-enabled/default. I suspect that
may be an issue, but I do not know where/how to put it.

Here is the log for bob, the test user that comes in the distribution.

(1) Received Access-Request Id 69 from 127.0.0.1:57346 to 127.0.0.1:1812 length 73
(1)   User-Name = "bob"
(1)   User-Password = "hello"
(1)   NAS-IP-Address = 10.34.1.18
(1)   NAS-Port = 0
(1)   Message-Authenticator = 0x606c75f1100af274fbdc56b2c95fea3e
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
*** authorize ***

*** radlog call in authorize ***

(('User-Name', '"bob"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0x606c75f1100af274fbdc56b2c95fea3e'), ('Event-Timestamp', '"Feb 10 2016 01:26:31 UTC"'))
(1)     [python] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "bob", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) files: users: Matched entry bob at line 87
(1) files: EXPAND Hello, %{User-Name}
(1) files:    --> Hello, bob
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1)     [pap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: User authenticated successfully
(1)     [pap] = ok
(1)     [python] = noop
(1)   } # Auth-Type PAP = ok
(1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(1)   post-auth {
(1)     update {
(1)       No attributes updated
(1)     } # update = noop
(1)     [exec] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # post-auth = noop
(1) Sent Access-Accept Id 69 from 127.0.0.1:1812 to 127.0.0.1:57346 length 0
(1)   Reply-Message = "Hello, bob"
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 69 with timestamp +167


On Tue, Feb 9, 2016 at 7:38 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:

> On Tue, Feb 09, 2016 at 07:26:40PM -0500, Jim Whitescarver wrote:
> > (1) Received Access-Request Id 91 from 127.0.0.1:34005 to 127.0.0.1:1812 length 73
> > (1)   User-Name = "jim"
> > (1)   User-Password = "hello"
> > (1)   NAS-IP-Address = 10.34.1.18
> > (1)   NAS-Port = 0
> > (1)   Message-Authenticator = 0xb4ac20cbafab1dcf538ee25e1c505725
> > (1) # Executing section authorize from file
> > (('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0xb4ac20cbafab1dcf538ee25e1c505725'), ('Event-Timestamp', '"Feb 10 2016 00:21:12 UTC"'))
> > (1)     [python] = ok
>
> That calls python (which does nothing afaict).
>
> > (1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
> > (1) pap: WARNING: Authentication will fail unless a "known good" password is available
>
> OK...
>
> What does the debug output for bob look like? Where does it get
> the password from?
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
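
What the thread is circling around is visible in the two debug traces: bob gets Auth-Type = PAP because the files module finds a Cleartext-Password for him, while jim has no "known good" password, so nothing sets Auth-Type and the request is rejected before any authenticate section runs. The script below is an added example written for this page; it is neither the poster's script nor the example.py shipped with FreeRADIUS. It shows an rlm_python module that records every User-Name handed to authorize() and sets Auth-Type itself, so that its own authenticate() is reached regardless of whether a password is on file. It assumes (my assumption, not something stated in the thread) that mods-available/python is enabled with this file as its module and that sites-enabled/default has an "Auth-Type Python { python }" block in its authenticate section. The radiusd module and its constants are supplied by the server when the file is loaded via rlm_python; the stand-in class is only there so the file can be imported and exercised outside the server.

```python
# Added example (not FreeRADIUS project code): minimal rlm_python module for
# FreeRADIUS 3.x that logs every User-Name and forces Auth-Type = Python.
# Assumes mods-available/python points at this file and that the authenticate
# section of sites-enabled/default contains "Auth-Type Python { python }".

try:
    import radiusd  # provided by the server when loaded via rlm_python
except ImportError:
    # Stand-in with the rlm_python return-code and log-level constants so the
    # module can be imported and tested outside the server.
    class radiusd(object):
        RLM_MODULE_REJECT = 0
        RLM_MODULE_OK = 2
        RLM_MODULE_NOOP = 7
        RLM_MODULE_UPDATED = 8
        L_INFO = 3
        L_ERR = 4

        @staticmethod
        def radlog(level, msg):
            print("radlog(%d): %s" % (level, msg))


def attrs_to_dict(p):
    """Turn the server's ((attr, value), ...) tuple into a dict.

    Both attribute and value arrive as strings.  String-typed values are
    wrapped in double quotes, exactly as the debug output above shows
    ('"bob"', '"hello"'); numeric and IP values ('0', '10.34.1.18') are not.
    """
    out = {}
    for name, value in p:
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        out[name] = value
    return out


# Every user that reaches authorize() is recorded here.  In a real deployment
# this is the point at which the User-Name would be handed to the
# out-of-band checker; the list is just for demonstration.
SEEN_USERS = []


def authorize(p):
    attrs = attrs_to_dict(p)
    user = attrs.get('User-Name')
    if user is None:
        radiusd.radlog(radiusd.L_ERR, 'python: request without User-Name')
        return radiusd.RLM_MODULE_NOOP
    SEEN_USERS.append(user)
    # Log the user only; the same tuple also carries the cleartext
    # User-Password, so never log the whole tuple in production.
    radiusd.radlog(radiusd.L_INFO, 'python: authorize saw user %s' % user)
    # rlm_python accepts either a bare return code or a 3-tuple of
    # (rcode, reply items, config items).  Config items land in the control
    # list, so this sets control:Auth-Type and is what prevents the
    # "No Auth-Type found" rejection for users with no stored password.
    return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Python'),))


def authenticate(p):
    attrs = attrs_to_dict(p)
    user = attrs.get('User-Name', '')
    # Placeholder policy: accept everyone, as the poster wants while wiring
    # things up.  The out-of-band check would replace this line.
    radiusd.radlog(radiusd.L_INFO, 'python: authenticate accepting %s' % user)
    return radiusd.RLM_MODULE_OK
```

Two practical notes. First, with the files module still listed in authorize, bob will continue to get Auth-Type = PAP from the pap module's "updated" result unless this module runs after it or the PAP entry is removed; the order of the modules in the authorize section decides which Auth-Type wins. Second, the tuple passed to every rlm_python function contains User-Password in the clear (both traces above show it), so the example.py habit of printing the whole tuple writes user passwords into the server log; log the attributes you need and nothing more.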

