Thanks Matthew, bob is the test user given a password in radiusd.conf for jim the password is arbitrary as I am not checking it at this point in the python. The authentication will be done out-of-band by the plugin. Before trying my script I want to get the example script to just always authenticate. Then I will add the code for out-of-band authentication. I see ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject I included python in the authorize section per the instructions but it is not in the authenticate section of sites-enabled/default, I suspect that may be an issue but I do not know where/how to put it. Here is the log for bob, the test user that comes in the distribution. (1) Received Access-Request Id 69 from 127.0.0.1:57346 to 127.0.0.1:1812 length 73 (1) User-Name = "bob" (1) User-Password = "hello" (1) NAS-IP-Address = 10.34.1.18 (1) NAS-Port = 0 (1) Message-Authenticator = 0x606c75f1100af274fbdc56b2c95fea3e (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok *** authorize *** *** radlog call in authorize *** (('User-Name', '"bob"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0x606c75f1100af274fbdc56b2c95fea3e'), ('Event-Timestamp', '"Feb 10 2016 01:26:31 UTC"')) (1) [python] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "bob", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry bob at line 87 (1) files: EXPAND Hello, %{User-Name} (1) files: --> Hello, bob (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = updated (1) } # authorize = updated (1) Found Auth-Type = PAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Auth-Type PAP { (1) pap: Login attempt with password (1) pap: Comparing with "known good" Cleartext-Password (1) pap: User authenticated successfully (1) [pap] = ok (1) [python] = noop (1) } # Auth-Type PAP = ok (1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (1) post-auth { (1) update { (1) No attributes updated (1) } # update = noop (1) [exec] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # post-auth = noop (1) Sent Access-Accept Id 69 from 127.0.0.1:1812 to 127.0.0.1:57346 length 0 (1) Reply-Message = "Hello, bob" (1) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 69 with timestamp +167 On Tue, Feb 9, 2016 at 7:38 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Feb 09, 2016 at 07:26:40PM -0500, Jim Whitescarver wrote:
(1) Received Access-Request Id 91 from 127.0.0.1:34005 to 127.0.0.1:1812 length 73 (1) User-Name = "jim" (1) User-Password = "hello" (1) NAS-IP-Address = 10.34.1.18 (1) NAS-Port = 0 (1) Message-Authenticator = 0xb4ac20cbafab1dcf538ee25e1c505725 (1) # Executing section authorize from file (('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0xb4ac20cbafab1dcf538ee25e1c505725'), ('Event-Timestamp', '"Feb 10 2016 00:21:12 UTC"')) (1) [python] = ok
That calls python (which does nothing afaict).
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available
OK...
What does the debug output for bob look like? Where does it get the password from?
Mathtew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html