There is no password checking ever. The password field will be used for a device name for out-of band device and biometric authentication done from python. I've tried using authorize { python update control { Auth-Type := example } } and authenticate {authenticate { Auth-Type example { python } } but I cannot get past authorize. I want authorize to always succeed! In example.py I have tried return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),)) return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'example'),)) return radiusd.RLM_MODULE_OK plus a few variation of reply = ( ('Reply-Message', 'Hello from rlm_python'), ) config = ( ('Auth-Type', 'python'), ) return (radiusd.RLM_MODULE_OK, reply, config) But I always get pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available How can I get past that? There is never a "known good" password. Passwords are not used. Somehow four years ago we got it to work. We are not using ANY other authentication other than python. This should be easy I would think. I just do not know what I am doing and am afraid to touch anything as I learned four years ago that the configuration is very brittle. Thanks all for your responses. Today is my last day and if I cannot make this work I may never work again :-( I could pay a small consulting fee, say $30, if someone is willing to fix this for me. Jim *** radlog call in authorize *** (('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0x77b36c156957edc5c334369876516264'), ('Event-Timestamp', '"Feb 10 2016 14:37:07 UTC"')) (1) [python] = ok (1) update control { (1) Auth-Type := saferadius (1) } # update control = noop (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "jim", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = ok (1) Found Auth-Type = saferadius (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Auth-Type saferadius { (1) [python] = noop (1) } # Auth-Type saferadius = noop (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> jim (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 2 from 127.0.0.1:1812 to 127.0.0.1:48933 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 2 with timestamp +3119 Ready to process requests On Wed, Feb 10, 2016 at 4:06 AM, Herwin Weststrate <herwin@quarantainenet.nl
wrote:
On 10-02-16 02:53, Matthew Newton wrote:
As for how to actually change attributes in python, I've never done it I'm afraid. From one of the example files it looks like you might want something like
return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),))
at the end of your authorize function. To return the correct password you could try
return (radiusd.RLM_MODULE_UPDATED, (), (('Cleartext-Password', 'thingy'),))
I recently updated the wiki page for rlm_python,
http://wiki.freeradius.org/modules/Rlm_python#python-module-for-freeradius_e... actually contains an example of returning a Cleartext-Password.
I wouldn't put python in authorize unless you really know what you're doing.
I agree to this. Python has to fetch the passwords somehow, it's very likely that there is an existing module for FreeRADIUS that can do that out of the box.
-- Herwin Weststrate
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html