How do I get every userid passed to an rlm_python module
We are running FreeRADIUS Version 3.0.11 with rlm_python. We followed all instructions installing the module. python is in the config and the module is configured to call the script. We just want all requests to pass to the python script for approval. The test user bob works fine with his password. Any other user fails as if the python module is not being called. How can I get it to call the module for all users? Any tips on debugging this? It worked four years ago but I had help with the configuration then and do not have access to the old configuration. I am desperate as I need this working tomorrow. I will be eternally greatfull for any assistance. The example.py should pass everyone I think. #! /usr/bin/env python # # Python module example file # Miguel A.L. Paraz <mparaz@mparaz.com> # # $Id: dd5b0b88243ea2919634d1ae519f5825f0560c93 $ import radiusd def instantiate(p): print "*** instantiate ***" print p def authorize(p): print "*** authorize ***" print radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***') print print p return radiusd.RLM_MODULE_OK def preacct(p): print "*** preacct ***" print p return radiusd.RLM_MODULE_OK def accounting(p): print "*** accounting ***" radiusd.radlog(radiusd.L_INFO, '*** radlog call in accounting (0) ***') print print p return radiusd.RLM_MODULE_OK def pre_proxy(p): print "*** pre_proxy ***" print p return radiusd.RLM_MODULE_OK def post_proxy(p): print "*** post_proxy ***" print p return radiusd.RLM_MODULE_OK def post_auth(p): print "*** post_auth ***" print p return radiusd.RLM_MODULE_OK def recv_coa(p): print "*** recv_coa ***" print p return radiusd.RLM_MODULE_OK def send_coa(p): print "*** send_coa ***" print p return radiusd.RLM_MODULE_OK def detach(): print "*** goodbye from example.py ***" return radiusd.RLM_MODULE_OK Sent Access-Request Id 200 from 0.0.0.0:44895 to 127.0.0.1:1812 length 73 User-Name = "bob" User-Password = "hello" NAS-IP-Address = 10.34.1.18 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello" Received Access-Accept Id 200 from 127.0.0.1:1812 to 0.0.0.0:0 length 32 Reply-Message = "Hello, bob" root@abs-radius1-san3-qa:/usr/local/etc/raddb# radtest -x jim hello 127.0.0.1 0 testing123 Sent Access-Request Id 91 from 0.0.0.0:34005 to 127.0.0.1:1812 length 73 User-Name = "jim" User-Password = "hello" NAS-IP-Address = 10.34.1.18 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello" Received Access-Reject Id 91 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject server log (1) Received Access-Request Id 91 from 127.0.0.1:34005 to 127.0.0.1:1812 length 73 (1) User-Name = "jim" (1) User-Password = "hello" (1) NAS-IP-Address = 10.34.1.18 (1) NAS-Port = 0 (1) Message-Authenticator = 0xb4ac20cbafab1dcf538ee25e1c505725 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok *** authorize *** *** radlog call in authorize *** (('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0xb4ac20cbafab1dcf538ee25e1c505725'), ('Event-Timestamp', '"Feb 10 2016 00:21:12 UTC"')) (1) [python] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "jim", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> jim (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34005 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 91 with timestamp +61 Ready to process requests Thanks in advance, Jim
On Tue, Feb 09, 2016 at 07:26:40PM -0500, Jim Whitescarver wrote:
(1) Received Access-Request Id 91 from 127.0.0.1:34005 to 127.0.0.1:1812 length 73 (1) User-Name = "jim" (1) User-Password = "hello" (1) NAS-IP-Address = 10.34.1.18 (1) NAS-Port = 0 (1) Message-Authenticator = 0xb4ac20cbafab1dcf538ee25e1c505725 (1) # Executing section authorize from file (('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0xb4ac20cbafab1dcf538ee25e1c505725'), ('Event-Timestamp', '"Feb 10 2016 00:21:12 UTC"')) (1) [python] = ok
That calls python (which does nothing afaict).
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available
OK... What does the debug output for bob look like? Where does it get the password from? Mathtew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thanks Matthew, bob is the test user given a password in radiusd.conf for jim the password is arbitrary as I am not checking it at this point in the python. The authentication will be done out-of-band by the plugin. Before trying my script I want to get the example script to just always authenticate. Then I will add the code for out-of-band authentication. I see ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject I included python in the authorize section per the instructions but it is not in the authenticate section of sites-enabled/default, I suspect that may be an issue but I do not know where/how to put it. Here is the log for bob, the test user that comes in the distribution. (1) Received Access-Request Id 69 from 127.0.0.1:57346 to 127.0.0.1:1812 length 73 (1) User-Name = "bob" (1) User-Password = "hello" (1) NAS-IP-Address = 10.34.1.18 (1) NAS-Port = 0 (1) Message-Authenticator = 0x606c75f1100af274fbdc56b2c95fea3e (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok *** authorize *** *** radlog call in authorize *** (('User-Name', '"bob"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0x606c75f1100af274fbdc56b2c95fea3e'), ('Event-Timestamp', '"Feb 10 2016 01:26:31 UTC"')) (1) [python] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "bob", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry bob at line 87 (1) files: EXPAND Hello, %{User-Name} (1) files: --> Hello, bob (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = updated (1) } # authorize = updated (1) Found Auth-Type = PAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Auth-Type PAP { (1) pap: Login attempt with password (1) pap: Comparing with "known good" Cleartext-Password (1) pap: User authenticated successfully (1) [pap] = ok (1) [python] = noop (1) } # Auth-Type PAP = ok (1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (1) post-auth { (1) update { (1) No attributes updated (1) } # update = noop (1) [exec] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # post-auth = noop (1) Sent Access-Accept Id 69 from 127.0.0.1:1812 to 127.0.0.1:57346 length 0 (1) Reply-Message = "Hello, bob" (1) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 69 with timestamp +167 On Tue, Feb 9, 2016 at 7:38 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Feb 09, 2016 at 07:26:40PM -0500, Jim Whitescarver wrote:
(1) Received Access-Request Id 91 from 127.0.0.1:34005 to 127.0.0.1:1812 length 73 (1) User-Name = "jim" (1) User-Password = "hello" (1) NAS-IP-Address = 10.34.1.18 (1) NAS-Port = 0 (1) Message-Authenticator = 0xb4ac20cbafab1dcf538ee25e1c505725 (1) # Executing section authorize from file (('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0xb4ac20cbafab1dcf538ee25e1c505725'), ('Event-Timestamp', '"Feb 10 2016 00:21:12 UTC"')) (1) [python] = ok
That calls python (which does nothing afaict).
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available
OK...
What does the debug output for bob look like? Where does it get the password from?
Mathtew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Feb 09, 2016 at 08:35:33PM -0500, Jim Whitescarver wrote:
bob is the test user given a password in radiusd.conf
users OK, so that's why they succeed and jim doesn't.
for jim the password is arbitrary as I am not checking it at this point in the python. The authentication will be done out-of-band by the plugin. Before trying my script I want to get the example script to just always authenticate. Then I will add the code for out-of-band authentication.
To do that you'll have to set Auth-Type to Accept in the python module. In which case you may as well just set Cleartext-Password to something and then let pap do the authentication for you.
I see ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Yes, nothing's setting Auth-Type as no modules matched the user.
I included python in the authorize section per the instructions but it is not in the authenticate section of sites-enabled/default, I suspect that may be an issue but I do not know where/how to put it.
I wouldn't put python in authorize unless you really know what you're doing. As for how to actually change attributes in python, I've never done it I'm afraid. From one of the example files it looks like you might want something like return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),)) at the end of your authorize function. To return the correct password you could try return (radiusd.RLM_MODULE_UPDATED, (), (('Cleartext-Password', 'thingy'),)) Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Just trying to help. Even though this post is old, would this be relevant for you? http://chasemp.github.io/2013/09/16/freeradius-external-authentication/ Ollie Teasley Linux Administrator ISMELL.SHOES, LLC On Tue, Feb 9, 2016 at 7:53 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Feb 09, 2016 at 08:35:33PM -0500, Jim Whitescarver wrote:
bob is the test user given a password in radiusd.conf
users
OK, so that's why they succeed and jim doesn't.
for jim the password is arbitrary as I am not checking it at this point in the python. The authentication will be done out-of-band by the plugin. Before trying my script I want to get the example script to just always authenticate. Then I will add the code for out-of-band authentication.
To do that you'll have to set Auth-Type to Accept in the python module.
In which case you may as well just set Cleartext-Password to something and then let pap do the authentication for you.
I see ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Yes, nothing's setting Auth-Type as no modules matched the user.
I included python in the authorize section per the instructions but it is not in the authenticate section of sites-enabled/default, I suspect that may be an issue but I do not know where/how to put it.
I wouldn't put python in authorize unless you really know what you're doing.
As for how to actually change attributes in python, I've never done it I'm afraid. From one of the example files it looks like you might want something like
return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),))
at the end of your authorize function. To return the correct password you could try
return (radiusd.RLM_MODULE_UPDATED, (), (('Cleartext-Password', 'thingy'),))
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry, ignore that last post. Ollie Teasley Linux Administrator ISMELL.SHOES, LLC On Tue, Feb 9, 2016 at 8:01 PM, John Teasley <ollieteasley@gmail.com> wrote:
Just trying to help. Even though this post is old, would this be relevant for you?
http://chasemp.github.io/2013/09/16/freeradius-external-authentication/
Ollie Teasley Linux Administrator ISMELL.SHOES, LLC
On Tue, Feb 9, 2016 at 7:53 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Feb 09, 2016 at 08:35:33PM -0500, Jim Whitescarver wrote:
bob is the test user given a password in radiusd.conf
users
OK, so that's why they succeed and jim doesn't.
for jim the password is arbitrary as I am not checking it at this point in the python. The authentication will be done out-of-band by the plugin. Before trying my script I want to get the example script to just always authenticate. Then I will add the code for out-of-band authentication.
To do that you'll have to set Auth-Type to Accept in the python module.
In which case you may as well just set Cleartext-Password to something and then let pap do the authentication for you.
I see ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Yes, nothing's setting Auth-Type as no modules matched the user.
I included python in the authorize section per the instructions but it is not in the authenticate section of sites-enabled/default, I suspect that may be an issue but I do not know where/how to put it.
I wouldn't put python in authorize unless you really know what you're doing.
As for how to actually change attributes in python, I've never done it I'm afraid. From one of the example files it looks like you might want something like
return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),))
at the end of your authorize function. To return the correct password you could try
return (radiusd.RLM_MODULE_UPDATED, (), (('Cleartext-Password', 'thingy'),))
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 10-02-16 02:53, Matthew Newton wrote:
As for how to actually change attributes in python, I've never done it I'm afraid. From one of the example files it looks like you might want something like
return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),))
at the end of your authorize function. To return the correct password you could try
return (radiusd.RLM_MODULE_UPDATED, (), (('Cleartext-Password', 'thingy'),))
I recently updated the wiki page for rlm_python, http://wiki.freeradius.org/modules/Rlm_python#python-module-for-freeradius_e... actually contains an example of returning a Cleartext-Password.
I wouldn't put python in authorize unless you really know what you're doing.
I agree to this. Python has to fetch the passwords somehow, it's very likely that there is an existing module for FreeRADIUS that can do that out of the box. -- Herwin Weststrate
There is no password checking ever. The password field will be used for a device name for out-of band device and biometric authentication done from python. I've tried using authorize { python update control { Auth-Type := example } } and authenticate {authenticate { Auth-Type example { python } } but I cannot get past authorize. I want authorize to always succeed! In example.py I have tried return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),)) return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'example'),)) return radiusd.RLM_MODULE_OK plus a few variation of reply = ( ('Reply-Message', 'Hello from rlm_python'), ) config = ( ('Auth-Type', 'python'), ) return (radiusd.RLM_MODULE_OK, reply, config) But I always get pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available How can I get past that? There is never a "known good" password. Passwords are not used. Somehow four years ago we got it to work. We are not using ANY other authentication other than python. This should be easy I would think. I just do not know what I am doing and am afraid to touch anything as I learned four years ago that the configuration is very brittle. Thanks all for your responses. Today is my last day and if I cannot make this work I may never work again :-( I could pay a small consulting fee, say $30, if someone is willing to fix this for me. Jim *** radlog call in authorize *** (('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0x77b36c156957edc5c334369876516264'), ('Event-Timestamp', '"Feb 10 2016 14:37:07 UTC"')) (1) [python] = ok (1) update control { (1) Auth-Type := saferadius (1) } # update control = noop (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "jim", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = ok (1) Found Auth-Type = saferadius (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Auth-Type saferadius { (1) [python] = noop (1) } # Auth-Type saferadius = noop (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> jim (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 2 from 127.0.0.1:1812 to 127.0.0.1:48933 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 2 with timestamp +3119 Ready to process requests On Wed, Feb 10, 2016 at 4:06 AM, Herwin Weststrate <herwin@quarantainenet.nl
wrote:
On 10-02-16 02:53, Matthew Newton wrote:
As for how to actually change attributes in python, I've never done it I'm afraid. From one of the example files it looks like you might want something like
return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),))
at the end of your authorize function. To return the correct password you could try
return (radiusd.RLM_MODULE_UPDATED, (), (('Cleartext-Password', 'thingy'),))
I recently updated the wiki page for rlm_python,
http://wiki.freeradius.org/modules/Rlm_python#python-module-for-freeradius_e... actually contains an example of returning a Cleartext-Password.
I wouldn't put python in authorize unless you really know what you're doing.
I agree to this. Python has to fetch the passwords somehow, it's very likely that there is an existing module for FreeRADIUS that can do that out of the box.
-- Herwin Weststrate
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 10, 2016, at 10:04 AM, Jim Whitescarver <jimscarver@gmail.com> wrote:
There is no password checking ever. The password field will be used for a device name for out-of band device and biometric authentication done from python.
From the point of view of the protocols involved, your module gets passed a User-Name and User-Password, and the module returns success/fail.
I've tried using authorize { python update control { Auth-Type := example } } and authenticate {authenticate {
I'm presuming that's a typo.
Auth-Type example { python } } but I cannot get past authorize. I want authorize to always succeed!
It will if you use the above configuration. There's no magic. Setting Auth-Type in "authorize" means that the give Auth-Type will be used in "authenticate".
In example.py I have tried return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),)) return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'example'),))
Those won't work. You've got to update one of the attribute lists.
return radiusd.RLM_MODULE_OK plus a few variation of reply = ( ('Reply-Message', 'Hello from rlm_python'), ) config = ( ('Auth-Type', 'python'), ) return (radiusd.RLM_MODULE_OK, reply, config)
That won't work either. The module configuration is available in the "config" variable. You can write to it, but the writes will be discarded. From a quick look at the code, you can only set the "reply" tuple. So what you want can't be done with python. Just write some "unlang" to check for the conditions in "authorize", and set "Auth-Type := python". Your python script can run, and just return RLM_MODULE_OK, or RLM_MODULE_FAIL. Alan DeKok.
On 10-02-16 16:13, Alan DeKok wrote:
From a quick look at the code, you can only set the "reply" tuple.
reply and config, see https://github.com/FreeRADIUS/freeradius-server/blob/release_3_0_11/src/modu... -- Herwin Weststrate
On Feb 10, 2016, at 10:40 AM, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
On 10-02-16 16:13, Alan DeKok wrote:
From a quick look at the code, you can only set the "reply" tuple.
reply and config, see https://github.com/FreeRADIUS/freeradius-server/blob/release_3_0_11/src/modu...
Hmm... OK. That should be fixed, though. The "config" name is used both for module configuration, and for the control list. The names should be fixed to be better / consistent. And it would be nice to be able to update all of the lists ala rlm_perl. Alan DeKok.
On Wed, Feb 10, 2016 at 10:55:53AM -0500, Alan DeKok wrote:
That should be fixed, though. The "config" name is used both for module configuration, and for the control list. The names should be fixed to be better / consistent.
And it would be nice to be able to update all of the lists ala rlm_perl.
Agreed. Is rlm_python actually stable/safe to use these days? I'm slightly surprised that it's marked as thread safe now as I thought it had big issues in that area. But maybe I'm just remembering things from v2. I've had no cause to use it myself. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 10-02-16 16:04, Jim Whitescarver wrote:
... But I always get pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available
How can I get past that? There is never a "known good" password. Passwords are not used. Somehow four years ago we got it to work.
That error is caused by the pap module, not by Python. You can remove it from your config.
(1) [python] = ok (1) update control { (1) Auth-Type := saferadius (1) } # update control = noop
Here Python updated control:Auth-Type, which is good.
... (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop
Here pap warns you that it can't handle the authentication. It's ugly, but it doesn't break anything. Like I said: try to remove the pap from the virtual server.
(1) } # authorize = ok (1) Found Auth-Type = saferadius (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Auth-Type saferadius { (1) [python] = noop (1) } # Auth-Type saferadius = noop (1) Failed to authenticate the user
Here it should call the authenticate method of your python module, which should return radiusd.RLM_MODULE_OK to accept the user. I've got no idea if it really does that or not, all that information is truncated from the logging snippets you've posted. -- Herwin Weststrate
I got it to work further without even disabling pap. But then I get somehow I got this wrong authenticat { Auth-Type example{ python } } But now I get Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) Investigating how to fix that.... Thanks! Jim On Wed, Feb 10, 2016 at 10:20 AM, Herwin Weststrate < herwin@quarantainenet.nl> wrote:
On 10-02-16 16:04, Jim Whitescarver wrote:
... But I always get pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available
How can I get past that? There is never a "known good" password. Passwords are not used. Somehow four years ago we got it to work.
That error is caused by the pap module, not by Python. You can remove it from your config.
(1) [python] = ok (1) update control { (1) Auth-Type := saferadius (1) } # update control = noop
Here Python updated control:Auth-Type, which is good.
... (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop
Here pap warns you that it can't handle the authentication. It's ugly, but it doesn't break anything. Like I said: try to remove the pap from the virtual server.
(1) } # authorize = ok (1) Found Auth-Type = saferadius (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Auth-Type saferadius { (1) [python] = noop (1) } # Auth-Type saferadius = noop (1) Failed to authenticate the user
Here it should call the authenticate method of your python module, which should return radiusd.RLM_MODULE_OK to accept the user. I've got no idea if it really does that or not, all that information is truncated from the logging snippets you've posted.
-- Herwin Weststrate - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 10, 2016, at 3:58 PM, Jim Whitescarver <jimscarver@gmail.com> wrote:
Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
Investigating how to fix that....
The shared secret is wrong. :) Or, the RADIUS client is buggy. Pick one. Alan DeKok.
I finally fixed the shared secret problem, but now I have no idea why is is not authenticating. All the python methods return radiusd.RLM_MODULE_OK In mods-available/python I have module = example In /sites-available/default I have authenticate { Auth-Type python { python } but I get Found Auth-Type = python (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type python { (0) [python] = noop (0) } # Auth-Type python = noop (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject Any clues? Thanks, Jim On Wed, Feb 10, 2016 at 4:00 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 10, 2016, at 3:58 PM, Jim Whitescarver <jimscarver@gmail.com> wrote:
Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
Investigating how to fix that....
The shared secret is wrong. :)
Or, the RADIUS client is buggy.
Pick one.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Feb 10, 2016 at 07:00:54PM -0500, Jim Whitescarver wrote:
(0) Auth-Type python { (0) [python] = noop (0) } # Auth-Type python = noop
Any clues?
Has your python code got an authenticate() function, and does it return OK? The copy you posted originally hasn't. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I added the authenticate method to the distributed example.py def authenticate(p): print "*** authenticate ***" print p return radiusd.RLM_MODULE_OK but still getting Found Auth-Type = python (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type python { (0) [python] = noop (0) } # Auth-Type python = noop (0) Failed to authenticate the user :-( Jim On Wed, Feb 10, 2016 at 7:38 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Feb 10, 2016 at 07:00:54PM -0500, Jim Whitescarver wrote:
(0) Auth-Type python { (0) [python] = noop (0) } # Auth-Type python = noop
Any clues?
Has your python code got an authenticate() function, and does it return OK? The copy you posted originally hasn't.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 10 Feb 2016, at 17:38, Jim Whitescarver <jimscarver@gmail.com> wrote:
I added the authenticate method to the distributed example.py
def authenticate(p): print "*** authenticate ***" print p return radiusd.RLM_MODULE_OK
but still getting
Found Auth-Type = python (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type python { (0) [python] = noop (0) } # Auth-Type python = noop (0) Failed to authenticate the user
Have you tried just returning 2? That's the actual C value of RLM_MODULE_OK. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Feb 9, 2016, at 8:35 PM, Jim Whitescarver <jimscarver@gmail.com> wrote:
for jim the password is arbitrary as I am not checking it at this point in the python. The authentication will be done out-of-band by the plugin. Before trying my script I want to get the example script to just always authenticate. Then I will add the code for out-of-band authentication.
I see ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Because you didn't tell the server how to authenticate the user. You'll need to do one of two things. Either do all the work in "authorize", and set "Auth-Type = Accept" for successful authentication, or (preferred) do the authentication in the "authenticate" section. But there, you'll also need to force "Auth-Type = my-python-script", and put the relevant configuration into "authenticate". It's best to use the sections the way they are intended.
I included python in the authorize section per the instructions but it is not in the authenticate section of sites-enabled/default, I suspect that may be an issue but I do not know where/how to put it.
Simple: authenticate { ... Auth-Type my-python-script { python } ... } And it will call the authenticate method of your python script. The downside here is that this works *only* for PAP authentication. For CHAP, MS-CHAP, EAP, etc., you really want to let FreeRADIUS authenticate the user. Alan DeKok.
participants (6)
-
Alan DeKok -
Arran Cudbard-Bell -
Herwin Weststrate -
Jim Whitescarver -
John Teasley -
Matthew Newton