Incorrect reply rlm_python with tagged attributes

Юрий Иванов format_hub at outlook.com
Fri Feb 23 18:41:01 CET 2018


Thank you very much for your help, Alan. I did what you advised.
But there is still a problem. I've simplified my code to demonstrate the issue:
The Python function is:
import radiusd   # provided by rlm_python when the server loads the module

def authorize(p):
    # reply attributes; the ":N" suffix selects the RFC 2868 tag of each attribute
    reply = (('Framed-IP-Address', '10.0.0.1'),
             ('ERX-Service-Activate:1', 'foo-local'),
             ('ERX-Service-Activate:2', 'svc-localnet(10000)'),
             ('ERX-Service-Activate:3', 'foo-string'),
             ('ERX-Service-Activate:4', 'foo-globalnet(10000)'),)
    # control (config) attributes: accept the user without further authentication
    config = (('Auth-Type', 'Accept'),
              ('Cleartext-Password', 'testing123'),)
    return (radiusd.RLM_MODULE_OK, reply, config)

Then I tested with radtest (my MAC as username):

suser at gong:~/freeradius-server-3.0.17$ radtest 0050.7966.6801 testing123 127.0.0.1 0 testing123
Sent Access-Request Id 21 from 0.0.0.0:40135 to 127.0.0.1:1812 length 84
        User-Name = "0050.7966.6801"
        User-Password = "testing123"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testing123"
Received Access-Accept Id 21 from 127.0.0.1:1812 to 0.0.0.0:0 length 44
        Framed-IP-Address = 10.0.0.1
        ERX-Service-Activate:1 = "foo-local"
Looks good, but the result has only one (the first) ERX-Service-Activate attribute. The other attributes are omitted.

The server is running in debug mode. It prints the correct attributes:
(1) Received Access-Request Id 21 from 127.0.0.1:40135 to 127.0.0.1:1812 length 84
(1)   User-Name = "0050.7966.6801"
(1)   User-Password = "testing123"
(1)   NAS-IP-Address = 127.0.1.1
(1)   NAS-Port = 0
(1)   Message-Authenticator = 0x7344c4a7491208fd2033b6ea5993d5ac
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
authorize - 'reply:Framed-IP-Address' = '10.0.0.1'
authorize - 'reply:ERX-Service-Activate:1' = 'foo-local'
authorize - 'reply:ERX-Service-Activate:2' = 'svc-localnet(10000)'
authorize - 'reply:ERX-Service-Activate:3' = 'foo-string'
authorize - 'reply:ERX-Service-Activate:4' = 'foo-globalnet(10000)'
authorize - 'config:Auth-Type' = 'Accept'
authorize - 'config:Cleartext-Password' = 'testing123'
(1)     [python] = ok
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = ok
(1)     } # policy filter_username = ok
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "0050.7966.6801", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = ok
(1) Found Auth-Type = Accept
(1) Auth-Type = Accept, accepting the user
(1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(1)   post-auth {
(1)     update {
(1)       No attributes updated
(1)     } # update = noop
(1)     [exec] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # post-auth = noop
(1) Sent Access-Accept Id 21 from 127.0.0.1:1812 to 127.0.0.1:40135 length 0
(1)   Framed-IP-Address = 10.0.0.1
(1)   ERX-Service-Activate:1 = "foo-local"
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 21 with timestamp +23
Ready to process requests

To understand what's going on under the hood, I started Wireshark:

--------------------------------WIRESHARK to radius---------------------------------------
Frame 1: 126 bytes on wire (1008 bits), 126 bytes captured (1008 bits) on interface 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
User Datagram Protocol, Src Port: 40135, Dst Port: 1812
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x15 (21)
    Length: 84
    Authenticator: 2c2542816ccc657df536c716cd40a196
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: l=16 t=User-Name(1): 0050.7966.6801
        AVP: l=18 t=User-Password(2): Encrypted
        AVP: l=6 t=NAS-IP-Address(4): 127.0.1.1
        AVP: l=6 t=NAS-Port(5): 0
        AVP: l=18 t=Message-Authenticator(80): 7344c4a7491208fd2033b6ea5993d5ac
--------------------------------WIRESHARK from radius---------------------------------------
Frame 2: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
User Datagram Protocol, Src Port: 1812, Dst Port: 40135
RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x15 (21)
    Length: 44
    Authenticator: f94a4c62f88ccc5cc01b78abeacc3fda
    [This is a response to a request in frame 1]
    [Time from request: 0.000743795 seconds]
    Attribute Value Pairs
        AVP: l=6 t=Framed-IP-Address(8): 10.0.0.1
            Type: 8
            Length: 6
            Framed-IP-Address: 10.0.0.1
        AVP: l=18 t=Vendor-Specific(26) v=Juniper Networks/Unisphere(4874)
            Type: 26
            Length: 18
            Vendor ID: Juniper Networks/Unisphere (4874)
            VSA: l=12 t=Unisphere-Service-Activate(65) Tag=0x01: foo-local
                Type: 65
                Length: 12
                Tag: 0x01
                Unisphere-Service-Activate: foo-local

As you can see, the reply has only two attributes.

________________________________
From: Freeradius-Users <freeradius-users-bounces+format_hub=outlook.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: 23 February 2018 16:04
To: FreeRadius users mailing list
Subject: Re: Incorrect reply rlm_python with tagged attributes

On Feb 23, 2018, at 8:50 AM, Юрий Иванов <format_hub at outlook.com> wrote:
>
> Incorrect reply rlm_python with tagged attributes
> I've created a Python authorization module. It is based on the example provided by the vendor.
> At first glance it works well, but when trying to perform testing with radtest the reply is:
> ...
>    User-Password = "testing123"
>    NAS-IP-Address = 127.0.1.1
>    NAS-Port = 0
>    Message-Authenticator = 0x00
>    Cleartext-Password = "testing123"
> Received Access-Accept Id 188 from 127.0.0.1:1812 to 0.0.0.0:0 length 48
>    ERX-Service-Activate:0 = "svc-local-ipoe"
>
> There is only one ERX-Service-Activate:0, with a strange zero?

  The default value for "no tag" is zero.

> Python function def authorize(p) has reply tuple:
>    reply = (('Framed-IP-Address', str(client.ipv4)),
>             ('ERX-Service-Activate:1', 'svc-local-ipoe'),
>             ('ERX-Service-Activate:2',
>              'svc-local-ipoe(%s)' % str(client.speed_localnet)),
>             ('ERX-Service-Activate:3',
>              'svc-foreign-ipoe(%s,%s)' % (str(client.speed_foreign),
>                                          str(client.speed_localnet))),)

  You want to add a third entry to each tuple, which is the operator.  Use "+=".  Otherwise attributes of the same name may overwrite each other.

> Of course the server was started in debug mode, and radiusd -X shows me a different output:
> authorize - 'reply:Framed-IP-Address' = '10.0.0.1'
> authorize - 'reply:ERX-Service-Activate:3' = 'svc-local-ipoe'
> authorize - 'reply:ERX-Service-Activate:4' = 'svc-localnet-ipoe(110000)'
> authorize - 'reply:ERX-Service-Activate:5' = 'svc-foreignnet-ipoe(110000,110000)'
> authorize - 'config:Auth-Type' = 'Accept'
> authorize - 'config:Cleartext-Password' = 'testing123'
> How do I get all ERX-Service-Activate tagged attributes, not the strange one with zero?
>
> P.S. The reply in Wireshark also shows only one ERX-Service-Activate attribute in the reply packet.
>
> P.P.S. Maybe I've constructed the reply with tags incorrectly? But I can find no additional information about this.

  You did it correctly.

  The issue is that the tag wasn't getting copied correctly.  I've updated the python module to fix this.

  Please check the v3.0.x branch on github: https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x

  You can download it, compile, and test it.  The issue should be fixed.

  Alan DeKok.
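As an added example (not code from the post or from FreeRADIUS), the following Python encodes the Juniper tagged VSA exactly as Wireshark shows it in frame 2 and walks the AVP list the way a NAS would, so the 44-byte reply that was actually sent can be compared with the reply the four tuples in authorize() should have produced. The vendor id 4874, attribute type 65 and the tag-byte layout come from the capture and RFC 2868; the attribute names in the comments are the ones the post uses.

```python
import struct

# Values taken from the capture in the post: Juniper/Unisphere vendor id and the
# Unisphere-Service-Activate (ERX-Service-Activate) vendor attribute type.
JUNIPER_VENDOR_ID = 4874
UNISPHERE_SERVICE_ACTIVATE = 65
RADIUS_HEADER_LEN = 20  # code, id, length, 16-byte authenticator

def tagged_vsa(tag, value, vendor_id=JUNIPER_VENDOR_ID, vsa_type=UNISPHERE_SERVICE_ACTIVATE):
    """Encode a tagged vendor-specific string attribute (RFC 2865 type 26 + RFC 2868 tag byte)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0x01..0x1F; 0 means 'no tag'")
    data = value.encode()
    vsa = struct.pack("!BBB", vsa_type, 3 + len(data), tag) + data   # type, len, tag, string
    return struct.pack("!BBI", 26, 6 + len(vsa), vendor_id) + vsa    # type, len, vendor id, vsa

def framed_ip_address(addr):
    """Framed-IP-Address (type 8) is a plain 4-byte address with no tag."""
    return struct.pack("!BB", 8, 6) + bytes(int(o) for o in addr.split("."))

def access_accept_length(avps):
    """Length field of an Access-Accept carrying these AVPs."""
    return RADIUS_HEADER_LEN + sum(len(a) for a in avps)

def service_activate_tags(avp_blob):
    """Walk the AVP list and return the tag of every ERX-Service-Activate present,
    i.e. what the client (and radtest in the post) actually sees."""
    tags, i = [], 0
    while i < len(avp_blob):
        avp_type, avp_len = avp_blob[i], avp_blob[i + 1]
        body = avp_blob[i + 2:i + avp_len]
        if avp_type == 26:
            (vendor,) = struct.unpack("!I", body[:4])
            if vendor == JUNIPER_VENDOR_ID and body[4] == UNISPHERE_SERVICE_ACTIVATE:
                tags.append(body[6])   # first byte of the VSA value is the tag
        i += avp_len
    return tags

# Constructed from the post: the AVPs the server sent (Wireshark frame 2) ...
OBSERVED_REPLY = framed_ip_address("10.0.0.1") + tagged_vsa(1, "foo-local")
# ... and the AVPs the four reply tuples in authorize() should have produced.
EXPECTED_REPLY = framed_ip_address("10.0.0.1") + b"".join(
    tagged_vsa(tag, svc) for tag, svc in (
        (1, "foo-local"), (2, "svc-localnet(10000)"),
        (3, "foo-string"), (4, "foo-globalnet(10000)")))
```

access_accept_length([OBSERVED_REPLY]) reproduces the Length: 44 in frame 2, while the expected reply would be 120 bytes and carry tags 1 through 4.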

