Re: session {} not running second module
Hello all, I've been using FreeRadius for years, but have only started to try developing for it using Python. I've hit an issue with Simultaneous Users. I am trying to run two modules in the session {} but only the first module is running and then is exiting out. I have written my own python module, and if it is called the SQL module is no longer called after it. The python module checks to see if it's a mac authentication request, and alters the user-name that was passed through. It doesn't seem to make a difference whether I return OK, fail, updated or handled from the python module it simply marks the section as 'ok' and gives me access. Here is my session section from the config where I have tried to use the 'group' session { # # Run the simultanious users check through python first to see if the mac address needs updating. # group { python { fail = 1 } if(config:User-Name) { update request { User-Name := config:User-Name } } sql } } Here is an 'ok' output from python which goes on to send a accept-accept. (0) session { *** Supafi Python Sim User Check *** Updated the username! checksimul - 'config:User-Name' = 'matt.nelson@silverark.co.uk' (0) [python] = ok (0) } # session = ok Here is a session in a group which returns fail, but which doesn’t call the sql modules afterwards (0) session { (0) group { *** Supafi Python Sim User Check *** Updated the username! checksimul - 'config:User-Name' = 'matt.nelson@silverark.co.uk' (0) [python] = fail (0) if (config:User-Name) { (0) if (config:User-Name) -> TRUE (0) if (config:User-Name) { (0) update request { (0) User-Name := config:User-Name -> 'matt.nelson@silverark.co.uk' (0) } # update request = noop (0) } # if (config:User-Name) = noop (0) } # group = noop (0) } # session = noop The SQL module does work correctly for simultaneous users, but if I stick my python one in from of it is stops working. The above works fine in the 'authorize' and 'accounting' sections. In those it lets me update the username and then it continues into the other modules. I can provide my python code if needed, but I suspect it's something simple that I'm missing! So my two questions are: 1. How do I get the SQL module to run after calling Python 2. How can I get the session section to return a reject from result of the python module, as I've tested all the return codes and they all just allow access. Thanks for your help. Kind Regards, Matt
Hello All, Please disregard my last email. I think I've solved it. The debugging showed me the update in the session code I posted returned noop, so noop must equal return! I added noop=1 and it kept me in the group. Just took a while to get my head around how the group bit works. Didn't realise the update request returned a code too, it must be numeric rather than return in the accounting section that's why it kept me in there. if(config:User-Name) { noop=1 update request { User-Name := config:User-Name } } Thanks, Matt
On Mar 16, 2017, at 3:36 PM, Matt Nelson - Silverark <matt.nelson@silverark.co.uk> wrote:
Hello All,
Please disregard my last email. I think I've solved it. The debugging showed me the update in the session code I posted returned noop, so noop must equal return! I added noop=1 and it kept me in the group. Just took a while to get my head around how the group bit works. Didn't realise the update request returned a code too, it must be numeric rather than return in the accounting section that's why it kept me in there.
if(config:User-Name) { noop=1
Don't do that. It's not supported, and was never intended to work. You're using a VERY old version of the server. When you upgrade, this incorrect configuration will stop working. Alan DeKok.
Thanks Alan
Don't do that. It's not supported, and was never intended to work. You're using a VERY old version of the server. When you upgrade, this incorrect configuration will stop working.
I'm using the latest stable version and was just following instruction on the wiki: https://wiki.freeradius.org/config/Fail-over [root@host2 etc]# radiusd -X FreeRADIUS Version 3.0.13 I've just put the python code at the end of the authentication section instead, so the user-name gets updated after the auth bit is done but before the session section. It works without any issues and I don't have to use a group or anything additional. Can you advise what I would need to do if I wanted this to work in the session section? This is a fresh install of 3.0.13, with a fresh config. Kind Regards, Matt On 16/03/2017 19:41, Alan DeKok wrote:
On Mar 16, 2017, at 3:36 PM, Matt Nelson - Silverark <matt.nelson@silverark.co.uk> wrote:
Hello All,
Please disregard my last email. I think I've solved it. The debugging showed me the update in the session code I posted returned noop, so noop must equal return! I added noop=1 and it kept me in the group. Just took a while to get my head around how the group bit works. Didn't realise the update request returned a code too, it must be numeric rather than return in the accounting section that's why it kept me in there.
if(config:User-Name) { noop=1
Don't do that. It's not supported, and was never intended to work.
You're using a VERY old version of the server. When you upgrade, this incorrect configuration will stop working.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On Mar 17, 2017, at 6:16 AM, Matt Nelson - Silverark <matt.nelson@silverark.co.uk> wrote:
I'm using the latest stable version and was just following instruction on the wiki: https://wiki.freeradius.org/config/Fail-over
That documentation says you can use fail-over for modules. It does *not* say you can put "noop = 1" inside of an "if" statement.
I've just put the python code at the end of the authentication section instead, so the user-name gets updated after the auth bit is done but before the session section. It works without any issues and I don't have to use a group or anything additional. Can you advise what I would need to do if I wanted this to work in the session section?
See: http://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf There's documentation for the "session" section, and how it works. Most "ok / noop / whatever" module codes result in the section returning. To be honest, the "session" section hasn't had a lot of attention in the past 10 years or so. You're probably better off just putting the logic into the "authorize" or "post-auth" sections. Alan DeKok.
participants (2)
-
Alan DeKok -
Matt Nelson - Silverark