rlm_perl returning attributes
Hi. I'm trying to return an attribute using the rlm_rest module. Authentication works fine but when a response is sent, an Access-Reject is generated. I'm hoping someone can point me in the right direction. *Working auth *(with no attributes in the response) (8) Cleaning up request packet ID 178 with timestamp +606 Ready to process requests (9) Received Access-Request Id 17 from 127.0.0.1:45433 to 127.0.0.1:1812 length 77 (9) User-Name = "585c208457bf8c3820c9e431@test.com" (9) User-Password = "password" (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (9) authorize { rlm_rest (rest): Reserved connection (16) (9) rest: Expanding URI components (9) rest: EXPAND http://127.0.0.1:1337 (9) rest: --> http://127.0.0.1:1337 (9) rest: EXPAND /Radius/auth?username=%{User-Name}&password=%{User-Password} (9) rest: --> /Radius/auth?username=585c208457bf8c3820c9e431%40test.com &password=password (9) rest: Sending HTTP GET to " http://127.0.0.1:1337/Radius/auth?username=585c208457bf8c3820c9e431%40test.c... " (9) rest: Processing response header (9) rest: Status : 201 (Created) (9) rest: Type : json (application/json) rlm_rest (rest): Released connection (16) rlm_rest (rest): Need 1 more connections to reach 10 spares rlm_rest (rest): Opening additional connection (17), 1 of 30 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:1337" (9) [rest] = ok (9) if (ok || updated) { (9) if (ok || updated) -> TRUE (9) if (ok || updated) { (9) update control { (9) Auth-Type := Rest (9) } # update control = noop (9) } # if (ok || updated) = noop (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = ok (9) } # policy filter_username = ok (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: Looking up realm "test.com" for User-Name = " 585c208457bf8c3820c9e431@test.com" (9) suffix: No such realm "test.com" (9) [suffix] = noop (9) eap: No EAP-Message, not doing EAP (9) [eap] = noop (9) [files] = noop (9) [expiration] = noop (9) [logintime] = noop (9) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (9) pap: WARNING: Authentication will fail unless a "known good" password is available (9) [pap] = noop (9) } # authorize = ok (9) Found Auth-Type = Rest (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) Auth-Type Rest { rlm_rest (rest): Reserved connection (15) (9) rest: Expanding URI components (9) rest: EXPAND http://127.0.0.1:1337 (9) rest: --> http://127.0.0.1:1337 (9) rest: EXPAND /Radius/auth?username=%{User-Name}&password=%{User-Password} (9) rest: --> /Radius/auth?username=585c208457bf8c3820c9e431%40test.com &password=password (9) rest: Sending HTTP GET to " http://127.0.0.1:1337/Radius/auth?username=585c208457bf8c3820c9e431%40test.c... " (9) rest: Processing response header (9) rest: Status : 201 (Created) (9) rest: Type : json (application/json) rlm_rest (rest): Released connection (15) (9) [rest] = ok (9) } # Auth-Type Rest = ok (9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (9) post-auth { (9) update { (9) No attributes updated (9) } # update = noop (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 17 from 127.0.0.1:1812 to 127.0.0.1:45433 length 0 (9) Finished request Waking up in 4.9 seconds. *exactly the same auth*, except I try return some values (8) Received Access-Request Id 178 from 127.0.0.1:41930 to 127.0.0.1:1812 length 77 (8) User-Name = "585c208457bf8c3820c9e431@test.com" (8) User-Password = "password" (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (8) authorize { rlm_rest (rest): Closing connection (13): Hit idle_timeout, was idle for 239 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): Closing connection (14): Hit idle_timeout, was idle for 239 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): Closing connection (12): Hit idle_timeout, was idle for 239 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): 0 of 0 connections in use. You may need to increase "spare" rlm_rest (rest): Opening additional connection (15), 1 of 32 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:1337" rlm_rest (rest): Reserved connection (15) (8) rest: Expanding URI components (8) rest: EXPAND http://127.0.0.1:1337 (8) rest: --> http://127.0.0.1:1337 (8) rest: EXPAND /Radius/auth?username=%{User-Name}&password=%{User-Password} (8) rest: --> /Radius/auth?username=585c208457bf8c3820c9e431%40test.com &password=password (8) rest: Sending HTTP GET to " http://127.0.0.1:1337/Radius/auth?username=585c208457bf8c3820c9e431%40test.c... " (8) rest: Processing response header (8) rest: Status : 201 (Created) (8) rest: Type : json (application/json) (8) rest: Parsing attribute "Mikrotik-Address-List" (8) rest: EXPAND myList (8) rest: --> myList (8) rest: Mikrotik-Address-List := "myList" rlm_rest (rest): Released connection (15) rlm_rest (rest): Need 2 more connections to reach 10 spares rlm_rest (rest): Opening additional connection (16), 1 of 31 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:1337" (8) [rest] = updated (8) if (ok || updated) { (8) if (ok || updated) -> TRUE (8) if (ok || updated) { (8) update control { (8) Auth-Type := Rest (8) } # update control = noop (8) } # if (ok || updated) = noop (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = updated (8) } # policy filter_username = updated (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: Looking up realm "test.com" for User-Name = " 585c208457bf8c3820c9e431@test.com" (8) suffix: No such realm "test.com" (8) [suffix] = noop (8) eap: No EAP-Message, not doing EAP (8) [eap] = noop (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (8) pap: WARNING: Authentication will fail unless a "known good" password is available (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = Rest (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) Auth-Type Rest { rlm_rest (rest): Reserved connection (15) (8) rest: Expanding URI components (8) rest: EXPAND http://127.0.0.1:1337 (8) rest: --> http://127.0.0.1:1337 (8) rest: EXPAND /Radius/auth?username=%{User-Name}&password=%{User-Password} (8) rest: --> /Radius/auth?username=585c208457bf8c3820c9e431%40test.com &password=password (8) rest: Sending HTTP GET to " http://127.0.0.1:1337/Radius/auth?username=585c208457bf8c3820c9e431%40test.c... " (8) rest: Processing response header (8) rest: Status : 201 (Created) (8) rest: Type : json (application/json) (8) rest: Parsing attribute "Mikrotik-Address-List" (8) rest: EXPAND myList (8) rest: --> myList (8) rest: Mikrotik-Address-List := "myList" rlm_rest (rest): Released connection (15) (8) [rest] = updated (8) } # Auth-Type Rest = updated (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> 585c208457bf8c3820c9e431@test.com (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) [eap] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # Post-Auth-Type REJECT = updated (8) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (8) Sending delayed response (8) Sent Access-Reject Id 178 from 127.0.0.1:1812 to 127.0.0.1:41930 length 20 Waking up in 3.9 seconds. It seems that because rest updated the user that it now fails for some reason (8) [rest] = updated (8) } # Auth-Type Rest = updated (8) Failed to authenticate the user What do I need to change to allow this process to go through? I would appreciate any light shedding.
On 23 Dec 2016, at 17:02, Ryan De Kock <ryandekock1988@gmail.com> wrote:
Hi.
I'm trying to return an attribute using the rlm_rest module.
Yeah... I think I fixed that in a later version of the server. The state machine is picky about what gets returned from authenticate sections. You need: rest if (updated) { ok } and it should be fine... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi. Sorry for the extremely late response. Did you mean like this? rest if (updated) { update control { Auth-Type := Rest } ok } I'm still facing this problem, just spun up a freeradius 3.0.13 instance On 27 December 2016 at 01:10, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 23 Dec 2016, at 17:02, Ryan De Kock <ryandekock1988@gmail.com> wrote:
Hi.
I'm trying to return an attribute using the rlm_rest module.
Yeah... I think I fixed that in a later version of the server.
The state machine is picky about what gets returned from authenticate sections.
You need:
rest if (updated) { ok }
and it should be fine...
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
nevermind, you meant in the authenticate section. All working On 30 March 2017 at 13:16, Ryan De Kock <ryandekock1988@gmail.com> wrote:
Hi.
Sorry for the extremely late response.
Did you mean like this?
rest if (updated) { update control { Auth-Type := Rest } ok }
I'm still facing this problem, just spun up a freeradius 3.0.13 instance
On 27 December 2016 at 01:10, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 23 Dec 2016, at 17:02, Ryan De Kock <ryandekock1988@gmail.com> wrote:
Hi.
I'm trying to return an attribute using the rlm_rest module.
Yeah... I think I fixed that in a later version of the server.
The state machine is picky about what gets returned from authenticate sections.
You need:
rest if (updated) { ok }
and it should be fine...
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
participants (2)
-
Arran Cudbard-Bell -
Ryan De Kock