We are running FreeRADIUS Version 3.0.11 with rlm_python. We followed all instructions installing the module. python is in the config and the module is configured to call the script. We just want all requests to pass to the python script for approval. The test user bob works fine with his password. Any other user fails as if the python module is not being called. How can I get it to call the module for all users? Any tips on debugging this? It worked four years ago but I had help with the configuration then and do not have access to the old configuration. I am desperate as I need this working tomorrow. I will be eternally greatfull for any assistance. The example.py should pass everyone I think. #! /usr/bin/env python # # Python module example file # Miguel A.L. Paraz <mparaz@mparaz.com> # # $Id: dd5b0b88243ea2919634d1ae519f5825f0560c93 $ import radiusd def instantiate(p): print "*** instantiate ***" print p def authorize(p): print "*** authorize ***" print radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***') print print p return radiusd.RLM_MODULE_OK def preacct(p): print "*** preacct ***" print p return radiusd.RLM_MODULE_OK def accounting(p): print "*** accounting ***" radiusd.radlog(radiusd.L_INFO, '*** radlog call in accounting (0) ***') print print p return radiusd.RLM_MODULE_OK def pre_proxy(p): print "*** pre_proxy ***" print p return radiusd.RLM_MODULE_OK def post_proxy(p): print "*** post_proxy ***" print p return radiusd.RLM_MODULE_OK def post_auth(p): print "*** post_auth ***" print p return radiusd.RLM_MODULE_OK def recv_coa(p): print "*** recv_coa ***" print p return radiusd.RLM_MODULE_OK def send_coa(p): print "*** send_coa ***" print p return radiusd.RLM_MODULE_OK def detach(): print "*** goodbye from example.py ***" return radiusd.RLM_MODULE_OK Sent Access-Request Id 200 from 0.0.0.0:44895 to 127.0.0.1:1812 length 73 User-Name = "bob" User-Password = "hello" NAS-IP-Address = 10.34.1.18 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello" Received Access-Accept Id 200 from 127.0.0.1:1812 to 0.0.0.0:0 length 32 Reply-Message = "Hello, bob" root@abs-radius1-san3-qa:/usr/local/etc/raddb# radtest -x jim hello 127.0.0.1 0 testing123 Sent Access-Request Id 91 from 0.0.0.0:34005 to 127.0.0.1:1812 length 73 User-Name = "jim" User-Password = "hello" NAS-IP-Address = 10.34.1.18 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello" Received Access-Reject Id 91 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject server log (1) Received Access-Request Id 91 from 127.0.0.1:34005 to 127.0.0.1:1812 length 73 (1) User-Name = "jim" (1) User-Password = "hello" (1) NAS-IP-Address = 10.34.1.18 (1) NAS-Port = 0 (1) Message-Authenticator = 0xb4ac20cbafab1dcf538ee25e1c505725 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok *** authorize *** *** radlog call in authorize *** (('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0xb4ac20cbafab1dcf538ee25e1c505725'), ('Event-Timestamp', '"Feb 10 2016 00:21:12 UTC"')) (1) [python] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "jim", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> jim (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34005 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 91 with timestamp +61 Ready to process requests Thanks in advance, Jim