rlm_python and the Tunnel-Private-Group-Id attribute
Bob Brandt
bob at brandt.ie
Thu Feb 10 10:24:53 CET 2011
Not sure if there isn't another forum or mailing list for rlm_python
specifically, but...
I have been using freeradius for a while now with great results, thanks!
We are using a very simple configuration to authenticate users against LDAP
(eDirectory), and that part works great! I am trying to add a component that
will return the necessary attributes to allow for dynamic VLANs.
I was able to get this working using the /etc/raddb/users file; however, due
to the size of the organization, this is very messy. I have started using
Python to extract this information from another database and return the
information.
All my testing seems to indicate it should work, but it is not. I believe
the problem is in how rlm_python returns the "Tunnel-Private-Group-Id"
attribute.
My users file (which works) looks like this:
# Generic LDAP return attributes
DEFAULT Auth-Type == "LDAP"
        Class = "Staff",
        Service-Type = Login,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-ID = 99,
        Fall-Through = Yes

brandtb
        Reply-Message += "You are a member of the IT Group",
        Class := "CACS:0/ebf42/ac8c8e6/administrator",
        Tunnel-Private-Group-ID := 150,
        Alcatel-Lucent-Asa-Access = "all",
        Fall-Through = No
Below are two snippets of the debug output. The first is from the old (working)
system, which uses the users file, and the second is from the new system, which
uses the rlm_python module:
Sending Access-Challenge of id 172 to 10.200.113.99 port 18699
Class := 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
Service-Type = Login-User
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 := "150"
Reply-Message += "You are a member of the IT Group"
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc146d1a4c144c80f46bec9bc87d3208b
Finished request 0.
-----
Sending Access-Challenge of id 130 to 10.200.113.99 port 18673
Reply-Message = "You are a member of the IT Group"
Tunnel-Type:0 = VLAN
Class = 0x4f50575374616666
Class = 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
Tunnel-Medium-Type:0 = IEEE-802
Service-Type = Login-User
Tunnel-Private-Group-Id:0 = "150"
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8cd4aac48cd6b3a6430ea766ccfa9b91
Finished request 0.
The debug output looks for the most part identical!
Now, initially, when using the users file, I had the same problem I am having
now, where the wireless access point was getting the attributes but was not
putting me in the correct VLAN. The problem turned out to be that I was passing
a string to the "Tunnel-Private-Group-Id" attribute instead of an integer.
Once I removed the quotes from the VLAN ID, everything was working perfectly.
Thinking that the problem was that within Python I was storing the
"Tunnel-Private-Group-Id" attribute as a string, I changed it to an integer;
however, I immediately got the error:
return tuple must be (str,str)
I don't know how to get around this, and I have not been able to find many
examples of how to use the rlm_python module. Any help would be greatly
appreciated.
Thanks
Bob Brandt
--
What's the point of having a rapier wit if I can't use it to stab people? -
Jeph Jacques
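Added example, not code from the post above or from the FreeRADIUS project: an rlm_python authorize module that returns the dynamic-VLAN reply items with every value as a str, which is what the "(str,str)" check behind the error above enforces. rlm_python parses each returned string against the RADIUS dictionary itself, so returning "150" is correct (Tunnel-Private-Group-Id is a string-typed attribute in the RFC 2868 dictionary in any case) and returning the int 150 is what trips the check. The user-to-VLAN table is constructed, the function names are hypothetical, and the radiusd stub only exists so the module can be run outside the server; inside FreeRADIUS the real radiusd module is imported and the module is wired up through the python module configuration (the mod_authorize/func_authorize settings). The reply is kept to plain (attr, value) 2-tuples, so as in the second debug block above the pairs are added with = rather than :=.

```python
"""rlm_python module returning dynamic-VLAN attributes (added example).

Assumptions: VLAN_DB stands in for the external database, the helper names
are hypothetical, and the radiusd stub is only for stand-alone runs.
"""

try:
    import radiusd  # provided by rlm_python when loaded into FreeRADIUS
except ImportError:
    # Stand-alone stub. The rcode values follow the order of rlm_rcode_t
    # that the real radiusd module exports.
    class radiusd:
        RLM_MODULE_REJECT = 0
        RLM_MODULE_FAIL = 1
        RLM_MODULE_OK = 2
        RLM_MODULE_HANDLED = 3
        RLM_MODULE_INVALID = 4
        RLM_MODULE_USERLOCK = 5
        RLM_MODULE_NOTFOUND = 6
        RLM_MODULE_NOOP = 7
        RLM_MODULE_UPDATED = 8
        L_DBG, L_AUTH, L_INFO, L_ERR = 1, 2, 3, 4

        @staticmethod
        def radlog(level, msg):
            print("rlm_python stub [%d]: %s" % (level, msg))

# Constructed stand-in for the external database. VLAN ids are kept as
# ints here on purpose, so the str() conversion happens in exactly one place.
VLAN_DB = {
    "brandtb": {"vlan": 150, "group": "IT"},
    "alice":   {"vlan": 120, "group": "Finance"},
}
DEFAULT_VLAN = 99        # fallback VLAN for authenticated users not in VLAN_DB
DEFAULT_GROUP = "Staff"


def request_attr(p, name):
    """Return the first value of attribute `name` from the request tuple
    `p`, which rlm_python passes as ((attr, value), ...). Older rlm_python
    versions hand string values over wrapped in double quotes, so strip them."""
    for attr, value in p:
        if attr == name:
            value = str(value)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return value
    return None


def vlan_reply(vlan_id, group):
    """Build the reply tuple for a dynamic VLAN assignment.
    Every value is a str: rlm_python parses each one against the dictionary
    itself, which is why "150" is accepted and the int 150 is rejected."""
    return (
        ("Service-Type", "Login-User"),
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", str(vlan_id)),
        ("Reply-Message", "You are a member of the %s Group" % group),
    )


def check_reply_tuple(reply):
    """Fail early, in Python, with the same condition the server checks:
    each element of the reply tuple must be a (str, str) pair."""
    for element in reply:
        if (not isinstance(element, tuple) or len(element) != 2
                or not all(isinstance(x, str) for x in element)):
            raise TypeError("return tuple must be (str,str), got %r" % (element,))
    return True


def authorize(p):
    """rlm_python authorize entry point. Returns
    (rcode, reply_items, config_items); config_items is left empty here."""
    username = request_attr(p, "User-Name")
    entry = VLAN_DB.get(username)
    if entry is None:
        reply = vlan_reply(DEFAULT_VLAN, DEFAULT_GROUP)
    else:
        reply = vlan_reply(entry["vlan"], entry["group"])
    check_reply_tuple(reply)
    radiusd.radlog(radiusd.L_INFO, "rlm_python: %s -> VLAN %s"
                   % (username, dict(reply)["Tunnel-Private-Group-Id"]))
    return (radiusd.RLM_MODULE_OK, reply, ())


if __name__ == "__main__":
    # Constructed request, shaped like what rlm_python passes in.
    sample = (("User-Name", '"brandtb"'), ("NAS-IP-Address", "10.200.113.99"))
    print(authorize(sample))
```

Running the module directly prints the (rcode, reply, config) triple for the constructed request; inside the server, the debug output should then list the same attributes as the second snippet above, with the VLAN id taken from the database lookup instead of the users file.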