How do I get every userid passed to an rlm_python module
Jim Whitescarver
jimscarver at gmail.com
Wed Feb 10 01:26:40 CET 2016
We are running FreeRADIUS Version 3.0.11 with rlm_python. We followed all
instructions installing the module. python is in the config and the module
is configured to call the script. We just want all requests to pass to the
python script for approval.
The test user bob works fine with his password. Any other user fails as if
the python module is not being called. How can I get it to call the module
for all users? Any tips on debugging this?
It worked four years ago but I had help with the configuration then and do
not have access to the old configuration. I am desperate as I need this
working tomorrow. I will be eternally grateful for any assistance.
The example.py should pass everyone I think.
#! /usr/bin/env python
#
# Python module example file
# Miguel A.L. Paraz <mparaz at mparaz.com>
#
# $Id: dd5b0b88243ea2919634d1ae519f5825f0560c93 $
#
# Python 2 syntax: FreeRADIUS 3.0.x embeds a Python 2 interpreter.
# Each hook receives p, a tuple of (attribute, value) pairs taken from
# the request, and returns an rlm_python return code.  Every hook below
# returns RLM_MODULE_OK, which only reports "module ran fine"; it neither
# sets Auth-Type nor supplies a known-good password, so by itself this
# file does not accept anyone.
import radiusd

def instantiate(p):
    print "*** instantiate ***"
    print p

def authorize(p):
    print "*** authorize ***"
    print
    radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
    print
    print p
    return radiusd.RLM_MODULE_OK

def preacct(p):
    print "*** preacct ***"
    print p
    return radiusd.RLM_MODULE_OK

def accounting(p):
    print "*** accounting ***"
    radiusd.radlog(radiusd.L_INFO, '*** radlog call in accounting (0) ***')
    print
    print p
    return radiusd.RLM_MODULE_OK

def pre_proxy(p):
    print "*** pre_proxy ***"
    print p
    return radiusd.RLM_MODULE_OK

def post_proxy(p):
    print "*** post_proxy ***"
    print p
    return radiusd.RLM_MODULE_OK

def post_auth(p):
    print "*** post_auth ***"
    print p
    return radiusd.RLM_MODULE_OK

def recv_coa(p):
    print "*** recv_coa ***"
    print p
    return radiusd.RLM_MODULE_OK

def send_coa(p):
    print "*** send_coa ***"
    print p
    return radiusd.RLM_MODULE_OK

def detach():
    # Called when the module is unloaded; no request tuple is passed.
    print "*** goodbye from example.py ***"
    return radiusd.RLM_MODULE_OK
Sent Access-Request Id 200 from 0.0.0.0:44895 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "hello"
NAS-IP-Address = 10.34.1.18
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "hello"
Received Access-Accept Id 200 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
Reply-Message = "Hello, bob"
root at abs-radius1-san3-qa:/usr/local/etc/raddb# radtest -x jim hello 127.0.0.1 0 testing123
Sent Access-Request Id 91 from 0.0.0.0:34005 to 127.0.0.1:1812 length 73
User-Name = "jim"
User-Password = "hello"
NAS-IP-Address = 10.34.1.18
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "hello"
Received Access-Reject Id 91 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
server log
(1) Received Access-Request Id 91 from 127.0.0.1:34005 to 127.0.0.1:1812 length 73
(1) User-Name = "jim"
(1) User-Password = "hello"
(1) NAS-IP-Address = 10.34.1.18
(1) NAS-Port = 0
(1) Message-Authenticator = 0xb4ac20cbafab1dcf538ee25e1c505725
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
*** authorize ***
*** radlog call in authorize ***
(('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0xb4ac20cbafab1dcf538ee25e1c505725'), ('Event-Timestamp', '"Feb 10 2016 00:21:12 UTC"'))
(1) [python] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "jim", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> jim
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34005 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 91 with timestamp +61
Ready to process requests
Thanks in advance,
Jim
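The debug log above shows what is going wrong: "[python] = ok" is logged, so the module is called for jim, but a bare RLM_MODULE_OK only means the module succeeded. It sets no Auth-Type and provides no "known good" password, so pap stays noop and the core rejects with "No Auth-Type found". bob succeeds because a Cleartext-Password for him comes from elsewhere in the authorize chain, not from the script. The module below is an added example written for this thread; it is not the posted example.py and not FreeRADIUS's own code. It claims the request in authorize() by returning the (rcode, reply_attrs, control_attrs) tuple that rlm_python accepts, setting Auth-Type := python in the control list, and then decides in authenticate(). The radiusd stand-in, its numeric constants, and the APPROVED_USERS table are assumptions made so the module can be exercised offline; inside the server the real radiusd module is injected and a real backend would replace the table.

```python
# Added example for this thread; it is not the posted example.py and not
# FreeRADIUS's own code.  Python 2/3 compatible syntax so it runs under the
# Python 2 interpreter embedded by FreeRADIUS 3.0.x and under a modern
# interpreter for offline testing.
import hmac

try:
    import radiusd                      # injected by rlm_python inside the server
except ImportError:
    class radiusd(object):
        """Stand-in used only when the module runs outside the server
        (assumption: values follow the rlm_rcode_t enum order)."""
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2
        RLM_MODULE_HANDLED, RLM_MODULE_INVALID, RLM_MODULE_USERLOCK = 3, 4, 5
        RLM_MODULE_NOTFOUND, RLM_MODULE_NOOP, RLM_MODULE_UPDATED = 6, 7, 8
        L_DBG, L_AUTH, L_INFO, L_ERR = 1, 2, 3, 4

        @staticmethod
        def radlog(level, msg):
            print("radlog[%d] %s" % (level, msg))

# Constructed credential store for the example only; a real deployment
# would consult its own backend (or any other approval rule) here.
APPROVED_USERS = {"bob": "hello", "jim": "hello"}


def to_dict(p):
    """rlm_python passes each hook a tuple of (name, value) pairs.  String
    values arrive wrapped in double quotes, exactly as the debug log shows
    ('User-Name', '"jim"'), so strip one pair of quotes when present."""
    attrs = {}
    for name, value in p:
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def authorize(p):
    """Claim the request for this module.  A bare RLM_MODULE_OK leaves
    Auth-Type unset and, with no known-good password for pap, the core
    rejects with 'No Auth-Type found'.  Return the 3-tuple
    (rcode, reply_attrs, control_attrs) instead and put Auth-Type in the
    control list so the server runs authenticate() below."""
    attrs = to_dict(p)
    radiusd.radlog(radiusd.L_INFO,
                   "python authorize for %s" % attrs.get("User-Name", "<none>"))
    control = (("Auth-Type", "python"),)
    return (radiusd.RLM_MODULE_UPDATED, (), control)


def authenticate(p):
    """Decide the request.  Only PAP carries a cleartext User-Password;
    CHAP/MSCHAP/EAP requests cannot be checked this way and are refused."""
    attrs = to_dict(p)
    user = attrs.get("User-Name")
    password = attrs.get("User-Password")
    if not user or password is None:
        return radiusd.RLM_MODULE_INVALID
    expected = APPROVED_USERS.get(user)
    if expected is None:
        radiusd.radlog(radiusd.L_AUTH, "python: unknown user %s" % user)
        return radiusd.RLM_MODULE_REJECT
    # Constant-time comparison; encode so both operands are bytes on Python 3.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        radiusd.radlog(radiusd.L_AUTH, "python: bad password for %s" % user)
        return radiusd.RLM_MODULE_REJECT
    reply = (("Reply-Message", "Hello, %s" % user),)
    return (radiusd.RLM_MODULE_OK, reply, ())
```

To wire it in on 3.0.x, point mod_authorize/func_authorize and mod_authenticate/func_authenticate in mods-available/python at this module, keep python listed in the authorize section of sites-enabled/default (the log shows it already is), and add an `Auth-Type python { python }` sub-section to the authenticate section of that virtual server. The (rcode, reply, config) tuple shape is the one documented in the raddb/mods-available/python shipped with 3.0; check the copy for your exact version, since later 3.0.x releases also accept an operator in each attribute pair. If the goal really is to accept every request without checking a password, returning `("Auth-Type", "Accept")` in the control tuple from authorize() does that, but then nothing validates the credential at all.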