rlm_perl returning attributes
Ryan De Kock
ryandekock1988 at gmail.com
Fri Dec 23 23:02:07 CET 2016
Hi.
I'm trying to return an attribute using the rlm_rest module.
Authentication works fine but when a response is sent, an Access-Reject is
generated. I'm hoping someone can point me in the right direction.
*Working auth* (with no attributes in the response)
(8) Cleaning up request packet ID 178 with timestamp +606
Ready to process requests
(9) Received Access-Request Id 17 from 127.0.0.1:45433 to 127.0.0.1:1812 length 77
(9) User-Name = "585c208457bf8c3820c9e431@test.com"
(9) User-Password = "password"
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9) authorize {
rlm_rest (rest): Reserved connection (16)
(9) rest: Expanding URI components
(9) rest: EXPAND http://127.0.0.1:1337
(9) rest: --> http://127.0.0.1:1337
(9) rest: EXPAND /Radius/auth?username=%{User-Name}&password=%{User-Password}
(9) rest: --> /Radius/auth?username=585c208457bf8c3820c9e431%40test.com&password=password
(9) rest: Sending HTTP GET to "http://127.0.0.1:1337/Radius/auth?username=585c208457bf8c3820c9e431%40test.com&password=password"
(9) rest: Processing response header
(9) rest: Status : 201 (Created)
(9) rest: Type : json (application/json)
rlm_rest (rest): Released connection (16)
rlm_rest (rest): Need 1 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (17), 1 of 30 pending slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:1337"
(9) [rest] = ok
(9) if (ok || updated) {
(9) if (ok || updated) -> TRUE
(9) if (ok || updated) {
(9) update control {
(9) Auth-Type := Rest
(9) } # update control = noop
(9) } # if (ok || updated) = noop
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = ok
(9) } # policy filter_username = ok
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: Looking up realm "test.com" for User-Name = "585c208457bf8c3820c9e431@test.com"
(9) suffix: No such realm "test.com"
(9) [suffix] = noop
(9) eap: No EAP-Message, not doing EAP
(9) [eap] = noop
(9) [files] = noop
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(9) pap: WARNING: Authentication will fail unless a "known good" password is available
(9) [pap] = noop
(9) } # authorize = ok
(9) Found Auth-Type = Rest
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) Auth-Type Rest {
rlm_rest (rest): Reserved connection (15)
(9) rest: Expanding URI components
(9) rest: EXPAND http://127.0.0.1:1337
(9) rest: --> http://127.0.0.1:1337
(9) rest: EXPAND /Radius/auth?username=%{User-Name}&password=%{User-Password}
(9) rest: --> /Radius/auth?username=585c208457bf8c3820c9e431%40test.com&password=password
(9) rest: Sending HTTP GET to "http://127.0.0.1:1337/Radius/auth?username=585c208457bf8c3820c9e431%40test.com&password=password"
(9) rest: Processing response header
(9) rest: Status : 201 (Created)
(9) rest: Type : json (application/json)
rlm_rest (rest): Released connection (15)
(9) [rest] = ok
(9) } # Auth-Type Rest = ok
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) No attributes updated
(9) } # update = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = noop
(9) Sent Access-Accept Id 17 from 127.0.0.1:1812 to 127.0.0.1:45433 length 0
(9) Finished request
Waking up in 4.9 seconds.
*Exactly the same auth*, except I try to return some values
(8) Received Access-Request Id 178 from 127.0.0.1:41930 to 127.0.0.1:1812 length 77
(8) User-Name = "585c208457bf8c3820c9e431@test.com"
(8) User-Password = "password"
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(8) authorize {
rlm_rest (rest): Closing connection (13): Hit idle_timeout, was idle for 239 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (14): Hit idle_timeout, was idle for 239 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (12): Hit idle_timeout, was idle for 239 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): 0 of 0 connections in use. You may need to increase "spare"
rlm_rest (rest): Opening additional connection (15), 1 of 32 pending slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:1337"
rlm_rest (rest): Reserved connection (15)
(8) rest: Expanding URI components
(8) rest: EXPAND http://127.0.0.1:1337
(8) rest: --> http://127.0.0.1:1337
(8) rest: EXPAND /Radius/auth?username=%{User-Name}&password=%{User-Password}
(8) rest: --> /Radius/auth?username=585c208457bf8c3820c9e431%40test.com&password=password
(8) rest: Sending HTTP GET to "http://127.0.0.1:1337/Radius/auth?username=585c208457bf8c3820c9e431%40test.com&password=password"
(8) rest: Processing response header
(8) rest: Status : 201 (Created)
(8) rest: Type : json (application/json)
(8) rest: Parsing attribute "Mikrotik-Address-List"
(8) rest: EXPAND myList
(8) rest: --> myList
(8) rest: Mikrotik-Address-List := "myList"
rlm_rest (rest): Released connection (15)
rlm_rest (rest): Need 2 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (16), 1 of 31 pending slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:1337"
(8) [rest] = updated
(8) if (ok || updated) {
(8) if (ok || updated) -> TRUE
(8) if (ok || updated) {
(8) update control {
(8) Auth-Type := Rest
(8) } # update control = noop
(8) } # if (ok || updated) = noop
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = updated
(8) } # policy filter_username = updated
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "test.com" for User-Name = "585c208457bf8c3820c9e431@test.com"
(8) suffix: No such realm "test.com"
(8) [suffix] = noop
(8) eap: No EAP-Message, not doing EAP
(8) [eap] = noop
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(8) pap: WARNING: Authentication will fail unless a "known good" password is available
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = Rest
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Auth-Type Rest {
rlm_rest (rest): Reserved connection (15)
(8) rest: Expanding URI components
(8) rest: EXPAND http://127.0.0.1:1337
(8) rest: --> http://127.0.0.1:1337
(8) rest: EXPAND /Radius/auth?username=%{User-Name}&password=%{User-Password}
(8) rest: --> /Radius/auth?username=585c208457bf8c3820c9e431%40test.com&password=password
(8) rest: Sending HTTP GET to "http://127.0.0.1:1337/Radius/auth?username=585c208457bf8c3820c9e431%40test.com&password=password"
(8) rest: Processing response header
(8) rest: Status : 201 (Created)
(8) rest: Type : json (application/json)
(8) rest: Parsing attribute "Mikrotik-Address-List"
(8) rest: EXPAND myList
(8) rest: --> myList
(8) rest: Mikrotik-Address-List := "myList"
rlm_rest (rest): Released connection (15)
(8) [rest] = updated
(8) } # Auth-Type Rest = updated
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> 585c208457bf8c3820c9e431@test.com
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) [eap] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 178 from 127.0.0.1:1812 to 127.0.0.1:41930 length 20
Waking up in 3.9 seconds.
It seems that because rest updated the user, it now fails for some reason:
(8) [rest] = updated
(8) } # Auth-Type Rest = updated
(8) Failed to authenticate the user
What do I need to change to allow this process to go through?
I would appreciate any light shedding.
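Added example, not from the post or from FreeRADIUS itself: a small Python analyser for `radiusd -X` output that pulls the return code of every closed section and predicts the verdict, using the rule that the authenticate section (any `Auth-Type X` group) counts only `ok` or `handled` as success and turns every other code, `updated` included, into an Access-Reject. The sample log is constructed from the two traces above; request 9 is accepted and request 8 is rejected because `Auth-Type Rest` returned `updated` once the REST response carried an attribute.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the two radiusd -X traces in the post.
SAMPLE_LOG = """\
(9) Received Access-Request Id 17 from 127.0.0.1:45433 to 127.0.0.1:1812 length 77
(9) } # authorize = ok
(9) Found Auth-Type = Rest
(9) } # Auth-Type Rest = ok
(9) Sent Access-Accept Id 17 from 127.0.0.1:1812 to 127.0.0.1:45433 length 0
(8) Received Access-Request Id 178 from 127.0.0.1:41930 to 127.0.0.1:1812 length 77
(8) rest: Mikrotik-Address-List := "myList"
(8) } # authorize = updated
(8) Found Auth-Type = Rest
(8) } # Auth-Type Rest = updated
(8) Failed to authenticate the user
(8) Sent Access-Reject Id 178 from 127.0.0.1:1812 to 127.0.0.1:41930 length 20
"""

# "(id) } # <section> = <rcode>" closes a section in the debug output.
SECTION_END = re.compile(r"^\s*\((\d+)\)\s+\}\s+#\s+(.+?)\s+=\s+(\w+)\s*$")
# The server accepts only these codes from the authenticate section; anything
# else (fail, noop, updated, ...) is treated as a failed authentication.
AUTH_SUCCESS = {"ok", "handled"}

def section_codes(log_text):
    """Map request id -> {section name: return code} from radiusd -X output."""
    codes = defaultdict(dict)
    for line in log_text.splitlines():
        m = SECTION_END.match(line)
        if m:
            codes[m.group(1)][m.group(2)] = m.group(3)
    return dict(codes)

def verdict(sections):
    """Predict accept/reject for one request from its section return codes."""
    auth = [(s, rc) for s, rc in sections.items() if s.startswith("Auth-Type ")]
    if not auth:
        return "no authenticate section ran"
    section, rc = auth[-1]
    if rc in AUTH_SUCCESS:
        return "accept"
    return f"reject: {section} returned '{rc}', authenticate needs ok or handled"

def analyse(log_text):
    """Return {request id: verdict} for every request in the log."""
    return {rid: verdict(secs) for rid, secs in section_codes(log_text).items()}
```

Note that `authorize = updated` is harmless on its own (request 8 still reaches `Found Auth-Type = Rest`); it is the second rest call inside `Auth-Type Rest`, which parses the same attribute and returns `updated` instead of `ok`, that produces the reject.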