Returning Vendor Specific Attribute in radius reply

Siddiqui Najam Najam.Siddiqui at gemalto.com
Wed Aug 23 05:02:39 CEST 2017


Hi Alan,

I did some debugging, and the code hits src/lib/value.c:585 and returns -1. This is confusing because we set the attribute name to Attr-26.
        case PW_TYPE_VSA:
                fr_strerror_printf("Must use 'Attr-26 = ...' instead of 'Vendor-Specific = ...'");
                return -1;

-Najam

On Aug 22, 2017, at 6:17 PM, Siddiqui Najam <Najam.Siddiqui at gemalto.com> wrote:
>
> Thanks for the response Alan.
>
> I have a backend server that can return any VSA, and the attribute is returned as a hex string. So I have to handle this dynamically.
>
> In version 2.X this was working fine. However, with 3.X (rlm_python) I am having this issue.

>  It should work.  What's the full debug output for it?
Wed Aug 23 00:44:09 2017 : Debug: (0) Received Access-Request Id 24 from 192.168.99.1:58796 to 172.17.0.5:1812 length 48
Wed Aug 23 00:44:09 2017 : Debug: (0)   User-Name = "testuser"
Wed Aug 23 00:44:09 2017 : Debug: (0)   User-Password = "testpassword"
Wed Aug 23 00:44:09 2017 : Debug: (0) session-state: No State attribute
Wed Aug 23 00:44:09 2017 : Debug: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Aug 23 00:44:09 2017 : Debug: (0)   authorize {
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling preprocess (rlm_preprocess)
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from preprocess (rlm_preprocess)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [preprocess] = ok
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling agent_mod (rlm_python)
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: Initialised new thread state 0x563921b35680
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: Using thread state 0x563921b35680
Wed Aug 23 00:44:09 2017 : Debug: authorize - 'config:Auth-Type' = 'agent'
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: ::: FROM 1 TO 0 MAX 1
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: ::: Examining Auth-Type
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: ::: APPENDING Auth-Type FROM 0 TO 0
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: ::: TO in 0 out 0
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from agent_mod (rlm_python)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [agent_mod] = ok
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling chap (rlm_chap)
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from chap (rlm_chap)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [chap] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling mschap (rlm_mschap)
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from mschap (rlm_mschap)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [mschap] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling digest (rlm_digest)
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from digest (rlm_digest)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [digest] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling suffix (rlm_realm)
Wed Aug 23 00:44:09 2017 : Debug: (0) suffix: Checking for suffix after "@"
Wed Aug 23 00:44:09 2017 : Debug: (0) suffix: No '@' in User-Name = "testuser", looking up realm NULL
Wed Aug 23 00:44:09 2017 : Debug: (0) suffix: No such realm "NULL"
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from suffix (rlm_realm)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [suffix] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling files (rlm_files)
Wed Aug 23 00:44:09 2017 : Debug: ^[Rr][Oo][Oo][Tt]$
Wed Aug 23 00:44:09 2017 : Debug: Parsed xlat tree:
Wed Aug 23 00:44:09 2017 : Debug: literal --> ^[Rr][Oo][Oo][Tt]$
Wed Aug 23 00:44:09 2017 : Debug: (0) files: EXPAND ^[Rr][Oo][Oo][Tt]$
Wed Aug 23 00:44:09 2017 : Debug: (0) files:    --> ^[Rr][Oo][Oo][Tt]$
Wed Aug 23 00:44:09 2017 : Debug: No matches
Wed Aug 23 00:44:09 2017 : Debug: Adding 33 matches
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from files (rlm_files)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [files] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling expiration (rlm_expiration)
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from expiration (rlm_expiration)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [expiration] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling logintime (rlm_logintime)
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from logintime (rlm_logintime)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [logintime] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: calling pap (rlm_pap)
Wed Aug 23 00:44:09 2017 : WARNING: (0) pap: No "known good" password found for the user.  Not setting Auth-Type
Wed Aug 23 00:44:09 2017 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authorize]: returned from pap (rlm_pap)
Wed Aug 23 00:44:09 2017 : Debug: (0)     [pap] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0)   } # authorize = ok
Wed Aug 23 00:44:09 2017 : Debug: (0) Found Auth-Type = agent
Wed Aug 23 00:44:09 2017 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default
Wed Aug 23 00:44:09 2017 : Debug: (0)   Auth-Type agent {
Wed Aug 23 00:44:09 2017 : Debug: (0)     modsingle[authenticate]: calling agent_mod (rlm_python)
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: Using thread state 0x563921b35680
Wed Aug 23 00:44:11 2017 : Debug: authenticate - Failed: 'reply:Attr-26' = '0x00000009010f54657374417474726962757465'
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: FROM 1 TO 0 MAX 1
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: Examining Vendor-Specific
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: APPENDING Vendor-Specific FROM 0 TO 0
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: TO in 0 out 0
Wed Aug 23 00:44:11 2017 : Debug: authenticate - 'config:Auth-Type' = 'agent'
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: FROM 1 TO 1 MAX 2
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: Examining Auth-Type
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: TO in 1 out 1
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: to[0] = Auth-Type
Wed Aug 23 00:44:11 2017 : Debug: (0)     modsingle[authenticate]: returned from agent_mod (rlm_python)
Wed Aug 23 00:44:11 2017 : Debug: (0)     [agent_mod] = ok
Wed Aug 23 00:44:11 2017 : Debug: (0)   } # Auth-Type agent = ok
Wed Aug 23 00:44:11 2017 : Debug: (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Aug 23 00:44:11 2017 : Debug: (0)   post-auth {
Wed Aug 23 00:44:11 2017 : Debug: (0)     modsingle[post-auth]: calling exec (rlm_exec)
Wed Aug 23 00:44:11 2017 : Debug: (0)     modsingle[post-auth]: returned from exec (rlm_exec)
Wed Aug 23 00:44:11 2017 : Debug: (0)     [exec] = noop
Wed Aug 23 00:44:11 2017 : Debug: (0)   } # post-auth = noop
Wed Aug 23 00:44:11 2017 : Auth: (0) Login OK: [testuser] (from client Radius Local port 0)
Wed Aug 23 00:44:11 2017 : Debug: (0) Sent Access-Accept Id 24 from 172.17.0.5:1812 to 192.168.99.1:58796 length 0
SOFT ASSERT FAILED src/lib/value.c[1872]: 0
Wed Aug 23 00:44:11 2017 : Debug: (0)   Vendor-Specific =
Wed Aug 23 00:44:11 2017 : Debug: (0) Finished request
Wed Aug 23 00:44:11 2017 : Debug: Waking up in 4.9 seconds.
Wed Aug 23 00:44:16 2017 : Debug: (0) Cleaning up request packet ID 24 with timestamp +7
Wed Aug 23 00:44:16 2017 : Info: Ready to process requests


 >And is the hex string well-formed?  i.e. is it correct for the Cisco VSA?
Yes.
The response from freeradius server version 2.2.0:
Sending Access-Accept of id 25 to 192.168.56.1 port 55685
        Attr-26 = 0x00000009010f54657374417474726962757465

In the test client (radtest) the response is:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=204, length=53
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Cisco-AVPair = "TestAttribute"



  Alan DeKok.
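
Added example, not part of the original post and not FreeRADIUS code: a standalone Python 3 check of whether an Attr-26 hex value such as the one in the debug output above follows the RFC 2865 Vendor-Specific layout, useful for validating what a backend returns before it goes into a reply. It assumes the vendor uses the one-octet type / one-octet length sub-attribute format that the RFC recommends; parse_vsa_hex, VSAError and TRUNCATED are names made up for this example.

```python
"""Check an 'Attr-26' hex value against the RFC 2865 Vendor-Specific layout."""
import struct

MAX_ATTR_VALUE = 253  # a RADIUS attribute holds at most 253 value octets

# The value from the debug output on this page.
PAGE_VALUE = "0x00000009010f54657374417474726962757465"
# Constructed for this example: the same value with its last octet cut off.
TRUNCATED = PAGE_VALUE[:-2]


class VSAError(ValueError):
    """Raised when the value does not follow the assumed VSA layout."""


def parse_vsa_hex(hex_value):
    """Return (vendor_id, [(vendor_type, data), ...]) or raise VSAError."""
    if not hex_value.lower().startswith("0x"):
        raise VSAError("expected a 0x-prefixed hex string")
    try:
        raw = bytes.fromhex(hex_value[2:])
    except ValueError as exc:
        raise VSAError("not valid hex: %s" % exc)
    if not 4 < len(raw) <= MAX_ATTR_VALUE:
        raise VSAError("value must be 5..253 octets, got %d" % len(raw))
    (vendor_id,) = struct.unpack("!I", raw[:4])
    if vendor_id >> 24:
        raise VSAError("high-order octet of Vendor-Id must be zero")
    subattrs, pos = [], 4
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise VSAError("truncated sub-attribute header at offset %d" % pos)
        vendor_type, vendor_len = raw[pos], raw[pos + 1]
        # vendor_len counts its own two header octets plus the data.
        if vendor_len < 2 or pos + vendor_len > len(raw):
            raise VSAError("bad vendor-length %d at offset %d" % (vendor_len, pos))
        subattrs.append((vendor_type, raw[pos + 2:pos + vendor_len]))
        pos += vendor_len
    return vendor_id, subattrs


if __name__ == "__main__":
    print(parse_vsa_hex(PAGE_VALUE))
    try:
        parse_vsa_hex(TRUNCATED)
    except VSAError as err:
        print("rejected:", err)
```

The page's value decodes to vendor 9, vendor-type 1 and the data TestAttribute, which matches the Cisco-AVPair shown in the radtest output.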

