rlm_python and the Tunnel-Private-Group-Id attribute

Bob Brandt bob at brandt.ie
Fri Feb 11 16:12:33 CET 2011


Just to close out this thread with a solution...

Turns out that neither rlm_python nor freeradius were the problem.
They are working perfectly.  The problem was my idiot wireless
administrator! Once I beat the password out of him and properly
configured the wireless switch, everything started working!

Sorry for the hassle.

Bob

On Thu, Feb 10, 2011 at 8:47 PM, Brett Littrell <Blittrell at musd.org> wrote:
>
> Hi Bob,
>
>     I do have this running successfully with eDir.  I am guessing you are using the eDir Radius schema extensions?  Also, if you are using Cisco equipment, you have to send the vlan name, not the ID.  Not sure if other switches require the ID.
>
> Brett Littrell
> Network Manager
> MUSD
> CISSP, CCSP, CCVP, MCNE
>
> >>> On Thursday, February 10, 2011 at 1:24 AM, in message <AANLkTi=wZUiMZ+65y3-qzvzDpcvdwp8F4Fhht-B+-9+f at mail.gmail.com>, Bob Brandt <bob at brandt.ie> wrote:
> Not sure if there isn't another forum or mailing list for rlm_python specifically, but...
>
> I have been using freeradius for a while now with great results, thanks!
>
> We are using a very simple configuration to authenticate users against LDAP (eDirectory) and that part works great! I am trying to add a component that will return the necessary attributes to allow for dynamic VLANs
>
> I was able to get this working using the /etc/raddb/users file, however due to the size of the organization, this is very messy. I have started using python to extract this information from another database and return the information.
>
> All my testing seems to indicate it should work, but it is not. I believe the problem is in how rlm_python returns the "Tunnel-Private-Group-Id" attribute.
>
> My users file (which works) looks like this:
>
> # Generic LDAP return attributes
> DEFAULT Auth-Type == "LDAP"
> 	Class = "Staff",
> 	Service-Type = Login,
> 	Tunnel-Medium-Type = IEEE-802,
> 	Tunnel-Type = VLAN,
> 	Tunnel-Private-Group-ID = 99,
> 	Fall-Through = Yes
>
> brandtb
> 	Reply-Message += "You are a member of the IT Group",
> 	Class := "CACS:0/ebf42/ac8c8e6/administrator",
> 	Tunnel-Private-Group-ID := 150,
> 	Alcatel-Lucent-Asa-Access = "all",
> 	Fall-Through = No
>
> Below are the two snippets of the debugs. The first is from the old (working) system which uses the users file and the second is from the new system using the rlm_python module:
>
> Sending Access-Challenge of id 172 to 10.200.113.99 port 18699
> Class := 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
> Service-Type = Login-User
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Type:0 = VLAN
> Tunnel-Private-Group-Id:0 := "150"
> Reply-Message += "You are a member of the IT Group"
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xc146d1a4c144c80f46bec9bc87d3208b
> Finished request 0.
>
> -----
>
> Sending Access-Challenge of id 130 to 10.200.113.99 port 18673
> Reply-Message = "You are a member of the IT Group"
> Tunnel-Type:0 = VLAN
> Class = 0x4f50575374616666
> Class = 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
> Tunnel-Medium-Type:0 = IEEE-802
> Service-Type = Login-User
> Tunnel-Private-Group-Id:0 = "150"
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8cd4aac48cd6b3a6430ea766ccfa9b91
> Finished request 0.
>
> The debug output looks for the most part identical!
>
> Now, initially when using the users file, I had the same problem I am having now, where the wireless access point was getting the attributes but was not putting me in the correct VLAN. The problem turned out that I was passing a string to the "Tunnel-Private-Group-Id" attribute instead of an integer. Once I removed the quotes from the VLAN ID everything was working perfectly.
>
> Thinking that the problem was that within Python I was storing the "Tunnel-Private-Group-Id" attribute as a string, I changed it to an integer; however, I immediately got the error:
>
> return tuple must be (str,str)
>
> I don't know how to get around this and I have not been able to find too many examples of how to use the rlm_python module. Any help would be greatly appreciated.
>
> Thanks
> Bob Brandt
>
> --
> What's the point of having a rapier wit if I can't use it to stab people? - Jeph Jacques
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
What's the point of having a rapier wit if I can't use it to stab
people? - Jeph Jacques
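The thread never shows the Python side, so here is an added example (not code from Bob, Brett or the FreeRADIUS project) of an rlm_python module that returns the same reply items as the users file above. It assumes the FreeRADIUS 2.x rlm_python calling convention: an authorize(p) function that receives a tuple of (attribute, value) string pairs and returns either a bare return code or a (return-code, reply-pairs, config-pairs) tuple. The VLAN directory, the stand-in radiusd module and the request tuple at the bottom are all constructed so the file can be imported and run outside a RADIUS server; the point it demonstrates is the one from the error message: every reply pair must be (str, str), so the integer VLAN ID is passed as str(vlan) and the server parses it into the attribute's real type.

```python
try:
    import radiusd  # only importable inside a running FreeRADIUS
except ImportError:
    class radiusd:  # constructed stand-in so the module imports offline
        # Return-code values as enumerated by FreeRADIUS 2.x rlm_python
        # (REJECT=0 ... UPDATED=8); only used by this stand-in.
        RLM_MODULE_OK = 2
        RLM_MODULE_UPDATED = 8
        L_INFO = 3

        @staticmethod
        def radlog(level, msg):
            print("[radiusd stand-in] %s" % msg)

# Constructed lookup table standing in for the external database mentioned in
# the thread: user -> (VLAN ID, Class value). Users not listed get the defaults,
# mirroring the DEFAULT entry of the users file.
VLAN_DIRECTORY = {
    "brandtb": (150, "CACS:0/ebf42/ac8c8e6/administrator"),
}
DEFAULT_VLAN = 99
DEFAULT_CLASS = "Staff"


def is_valid_reply(pairs):
    """True only if every pair is a 2-tuple of strings, which is all rlm_python accepts."""
    return all(isinstance(pair, tuple) and len(pair) == 2
               and all(isinstance(x, str) for x in pair)
               for pair in pairs)


def check_reply_pairs(pairs):
    """Raise the same complaint rlm_python would, but at unit-test time."""
    if not is_valid_reply(pairs):
        raise TypeError("return tuple must be (str,str): %r" % (pairs,))
    return pairs


def build_vlan_reply(username):
    """Reply attributes for one user as (str, str) pairs.

    The VLAN ID is stored as an integer; it is converted with str() because
    the (str, str) rule applies even to integer-typed RADIUS attributes.
    """
    vlan, klass = VLAN_DIRECTORY.get(username, (DEFAULT_VLAN, DEFAULT_CLASS))
    reply = (
        ("Class", klass),
        ("Service-Type", "Login-User"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Private-Group-Id", str(vlan)),
    )
    return check_reply_pairs(reply)


def get_attr(p, name):
    """Fetch one attribute value from the request tuple rlm_python passes in."""
    for attr, value in p:
        if attr == name:
            return value
    return None


def authorize(p):
    """rlm_python entry point: add VLAN reply items for the requesting user."""
    username = get_attr(p, "User-Name")
    if username is None:
        return radiusd.RLM_MODULE_OK  # nothing to do without a User-Name
    reply = build_vlan_reply(username)
    radiusd.radlog(radiusd.L_INFO,
                   "assigning %s to VLAN %s" % (username, reply[-1][1]))
    # Third element is the control/config list; nothing is set there here.
    return (radiusd.RLM_MODULE_UPDATED, reply, ())


if __name__ == "__main__":
    # Constructed request tuple of the shape rlm_python hands to authorize().
    request = (("User-Name", "brandtb"), ("NAS-IP-Address", "10.200.113.99"))
    print(authorize(request))
```

Running the file directly prints the (8, reply, ()) tuple for brandtb with Tunnel-Private-Group-Id set to "150"; build_vlan_reply(("Tunnel-Private-Group-Id", 150)) with a bare integer would be refused by check_reply_pairs, which is the failure the thread ran into. The quotes seen in the debug output around "150" are how FreeRADIUS prints the attribute and do not mean it was sent as a string; as Brett's reply notes, whether the switch wants the VLAN ID or the VLAN name is a property of the switch, not of the module.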



