How to stop at pre-proxy python module with Access-Request

Ranjith T ranjith.t29 at
Wed Mar 9 15:50:08 CET 2011

 I am using freeradius 2.1.10 and python modules at different
stages(pre-proxy, post-proxy) of my RADIUS server which is running in
proxy mode.
>From the python pre-proxy module I am able to return
"radiusd.RLM_MODULE_HANDLED" which is handled at
pre-proxy section of the file "sites-available/default".

I want the server to stop at "HANDLED" and send back "Access-Accept"
back to the requested client from pre-proxy once the return is HANDLED.
Can anyone point to me how to achieve this? The following is what I have tried.

My problem is that:

if I configure "ok" from "if (handled) {" part of the pre-proxy, the
server proceeds with sending this request to
external RADIUS server for Authentication(looks like normal behavior
with module returning OK )

and if I return "handled" from "if(handled) {" part, then the server
gives the following,
(Same behavior is observed with setting "handled  = return" inside
"python{}" module.)

Ready to process requests.
rad_recv: Access-Request packet from host port 2051,
id=96, length=104
       User-Name = "ranjith"
       User-Password = "test123"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ranjith", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "ranjith"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user ranjith to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
*** I am in authorize!!!!!!!!!!!!!!!!!! ***
*** radlog call in authorize ***
++[python] returns ok
++? if (handled)
? Evaluating (handled) -> FALSE
++? if (handled) -> FALSE
++[files] returns noop
[sql]   expand: %{User-Name} -> ranjith
[sql] sql_set_user escaped user --> 'ranjith'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'ranjith'           ORDER BY
[sql]   expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= 'ranjith'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User ranjith not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
# Executing section pre-proxy from file /etc/raddb/sites-enabled/default
+- entering group pre-proxy {...}
*** radlog call in pre_proxy_ranjith !!!!!!!!!!!!!!!***
*** pre_proxy_ranjith Found Session !!!!!!!!!!!!! ***
++[python] returns handled
++? if (handled)
? Evaluating (handled) -> TRUE
++? if (handled) -> TRUE
++- entering if (handled) {...}
+++[handled] returns handled
++- if (handled) returns handled
There was no response configured: rejecting request 1
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> ranjith
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 94 to port 2010
Waking up in 4.9 seconds.
Cleaning up request 1 ID 94 with timestamp +19
Ready to process requests.

The following is the snippet of the "sites-available/default" pre-proxy section.

pre-proxy {
#       attr_rewrite

       #  Uncomment the following line if you want to change attributes
       #  as defined in the preproxy_users file.
#       files

       #  Uncomment the following line if you want to filter requests
       #  sent to remote servers based on the rules defined in the
       #  'attrs.pre-proxy' file.
#       attr_filter.pre-proxy

       #  If you want to have a log of packets proxied to a home
       #  server, un-comment the following line, and the
       #  'detail pre_proxy_log' section, above.
#       pre_proxy_log

       python {
               notfound = 1
               noop     = 2
               ok       = 3
               updated  = 4
               fail     = return
               reject   = return
               userlock = return
               invalid  = return
               handled  = 3
               #handled  = return
               #ok = return

       if (handled) {
               #Post-Auth-Type = Access-Accept
               #Response-Packet-Type = Access-Accept


The following is the snippet of the "sites-available/default"
authenticate section(added python module).

authenticate {
       #  PAP authentication, when a back-end database listed
       #  in the 'authorize' section supplies a password.  The
       #  password can be clear-text, or encrypted.
       Auth-Type PAP {

       #  Most people want CHAP authentication
       #  A back-end database listed in the 'authorize' section
       #  MUST supply a CLEAR TEXT password.  Encrypted passwords
       #  won't work.
       Auth-Type CHAP {

       #  MSCHAP authentication.
       Auth-Type MS-CHAP {

       #  If you have a Cisco SIP server authenticating against
       #  FreeRADIUS, uncomment the following line, and the 'digest'
       #  line in the 'authorize' section.

       #  Pluggable Authentication Modules.
#       pam
       #  See 'man getpwent' for information on how the 'unix'
       #  module checks the users password.  Note that packets
       #  containing CHAP-Password attributes CANNOT be authenticated
       #  against /etc/passwd!  See the FAQ for details.
       #  For normal "crypt" authentication, the "pap" module should
       #  be used instead of the "unix" module.  The "unix" module should
       #  be used for authentication ONLY for compatibility with legacy
       #  FreeRADIUS configurations.


       #python {           #This doesn't work
             #ok = handled

       # Uncomment it if you want to use ldap for authentication
       # Note that this means "check plain-text password against
       # the ldap database", which means that EAP won't work,
       # as it does not supply a plain-text password.
#       Auth-Type LDAP {
#               ldap
#       }

       #  Allow EAP authentication.

       #  The older configurations sent a number of attributes in
       #  Access-Challenge packets, which wasn't strictly correct.
       #  If you want to filter out these attributes, uncomment
       #  the following lines.
#       Auth-Type eap {
#               eap {
#                       handled = 1
#               }
#               if (handled && (Response-Packet-Type == Access-Challenge)) {
#                       handled  # override the "updated" code from attr_filter
#               }
#       }


Ranjith T

More information about the Freeradius-Users mailing list