rlm_python and the Tunnel-Private-Group-Id attribute

Brett Littrell Blittrell at musd.org
Thu Feb 10 21:47:39 CET 2011


Hi Bob,
 
    I do have this running successfully with eDir.  I am guessing you are using the eDir Radius schema extensions?  Also, if you are using Cisco equipment, you have to send the vlan name, not the ID.  Not sure if other switches require the ID.
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


>>> On Thursday, February 10, 2011 at 1:24 AM, in message <AANLkTi=wZUiMZ+65y3-qzvzDpcvdwp8F4Fhht-B+-9+f at mail.gmail.com>, Bob Brandt <bob at brandt.ie> wrote:

Not sure if there isn't another forum or mailing list for rlm_python specifically, but...

I have been using freeradius for a while now with great results, thanks!

We are using a very simple configuration to authenticate users against LDAP (eDirectory) and that part works great! I am trying to add a component that will return the necessary attributes to allow for dynamic VLANs

I was able to get this working using the /etc/raddb/users file, however due to the size of the organization, this is very messy. I have started using python to extract this information from another database and return the information.

All my testing seems to indicate it should work, but it is not. I believe the problem is in how rlm_python returns the "Tunnel-Private-Group-Id" attribute.

My users file (which works) looks like this:

# Generic LDAP return attributes
DEFAULT Auth-Type == "LDAP"
	Class = "Staff",
	Service-Type = Login,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Type = VLAN,
	Tunnel-Private-Group-ID = 99,
	Fall-Through = Yes

brandtb
	Reply-Message += "You are a member of the IT Group",
	Class := "CACS:0/ebf42/ac8c8e6/administrator",
	Tunnel-Private-Group-ID := 150,
	Alcatel-Lucent-Asa-Access = "all",
	Fall-Through = No

Below are the two snippets of the debugs. The first is from the old (working) system which uses the users file and the second is from the new system using the rlm_python module:

Sending Access-Challenge of id 172 to 10.200.113.99 port 18699
Class := 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
Service-Type = Login-User
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 := "150"
Reply-Message += "You are a member of the IT Group"
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc146d1a4c144c80f46bec9bc87d3208b
Finished request 0.

-----

Sending Access-Challenge of id 130 to 10.200.113.99 port 18673
Reply-Message = "You are a member of the IT Group"
Tunnel-Type:0 = VLAN
Class = 0x4f50575374616666
Class = 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
Tunnel-Medium-Type:0 = IEEE-802
Service-Type = Login-User
Tunnel-Private-Group-Id:0 = "150"
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8cd4aac48cd6b3a6430ea766ccfa9b91
Finished request 0.

The debug output looks for the most part identical! 

Now, initially when using the users file, I had the same problem I am having now, where the wireless access point was getting the attributes but was not putting me in the correct VLAN. The problem turned out that I was passing a string to the "Tunnel-Private-Group-Id" attribute instead of an integer. Once I removed the quotes from the VLAN ID everything was working perfectly.

Thinking that the problem was that within Python I was storing the "Tunnel-Private-Group-Id" attribute as a string, I changed it to an integer, however I immediately got the error:

return tuple must be (str,str)

I don't know how to get around this and I have not been able to find too many examples of how to use the rlm_python module. Any help would be greatly appreciated.

Thanks
Bob Brandt




-- 
What's the point of having a rapier wit if I can't use it to stab people? - Jeph Jacques
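As an added example (not code from either poster), the following authorize() shows the shape rlm_python accepts for reply items: a tuple of (str, str) pairs, with the VLAN id stringified in Python and converted to the dictionary type by the server itself. The radiusd stand-in, the VLAN_BY_USER lookup table (standing in for the "other database" in the post) and the validate_return() check that mimics the module's (str,str) requirement are all constructed for this example; the quote stripping assumes that some server versions pass string values in the request tuple wrapped in double quotes.

```python
# Added example, not from the thread: an rlm_python authorize() returning
# dynamic-VLAN reply attributes. rlm_python wants every attribute name and
# every value as a str; FreeRADIUS converts "150" to the attribute's
# dictionary type. Handing over the int 150 is what triggers the
# "return tuple must be (str,str)" error quoted in the post.
try:
    import radiusd  # provided by rlm_python when loaded inside freeradius
except ImportError:  # running outside the server, e.g. for a local test
    class radiusd:  # constructed stand-in using the server's return-code values
        RLM_MODULE_OK = 2
        RLM_MODULE_NOTFOUND = 6

# Constructed stand-in for the external database mentioned in the post.
VLAN_BY_USER = {
    "brandtb": {"vlan": 150, "group": "IT"},
    "jdoe": {"vlan": 99, "group": "Staff"},
}


def build_reply(vlan, group):
    """Reply items as a tuple of (str, str) pairs. The VLAN id is an int in
    the database, so it is stringified here; the server does the rest."""
    return (
        ("Service-Type", "Login-User"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Private-Group-Id", str(vlan)),
        ("Reply-Message", "You are a member of the %s Group" % group),
    )


def validate_return(ret):
    """Constructed check mimicking what rlm_python requires of the return
    value: (rcode, reply_items, config_items) where each item is a (str, str)
    pair. Raises TypeError with the message seen in the post otherwise."""
    rcode, reply, config = ret
    if not isinstance(rcode, int):
        raise TypeError("return code must be int")
    for items in (reply, config):
        for pair in items:
            if not (isinstance(pair, tuple) and len(pair) == 2
                    and all(isinstance(x, str) for x in pair)):
                raise TypeError("return tuple must be (str,str)")
    return True


def authorize(p):
    """rlm_python entry point. p is a tuple of (attribute, value) pairs taken
    from the request; values may arrive wrapped in double quotes, so they are
    stripped before lookup. Returns (rcode, reply_items, config_items)."""
    request = dict((attr, val.strip('"')) for attr, val in p)
    entry = VLAN_BY_USER.get(request.get("User-Name"))
    if entry is None:
        return (radiusd.RLM_MODULE_NOTFOUND, (), ())
    ret = (radiusd.RLM_MODULE_OK,
           build_reply(entry["vlan"], entry["group"]),
           ())
    validate_return(ret)  # fail here, with a traceback, not in the server log
    return ret


if __name__ == "__main__":
    # Constructed request tuple in the form rlm_python hands to authorize().
    print(authorize((("User-Name", '"brandtb"'), ("NAS-IP-Address", "10.200.113.99"))))
```

If the switch wants a VLAN name rather than a number, as noted for Cisco in the reply above, the only change is to store the name in the lookup table; the value still crosses into the server as a str.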