How do I get every userid passed to an rlm_python module

Alan DeKok aland at
Wed Feb 10 02:55:53 CET 2016

On Feb 9, 2016, at 8:35 PM, Jim Whitescarver <jimscarver at> wrote:
> for jim the password is arbitrary as I am not checking it at this point in
> the python.  The authentication will be done out-of-band by the plugin.
> Before trying my script I want to get the example script to just always
> authenticate.  Then I will add the code for out-of-band authentication.
> I see ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> Reject

  Because you didn't tell the server how to authenticate the user.

  You'll need to do one of two things.  Either do all the work in "authorize", and set "Auth-Type = Accept" for successful authentication, or (preferred) do the authentication in the "authenticate" section.

  But there, you'll also need to force "Auth-Type = my-python-script", and put the relevant configuration into "authenticate".

  It's best to use the sections the way they are intended.

> I included python in the authorize section per the instructions but it is
> not in the authenticate section of sites-enabled/default,  I suspect that
> may be an issue but I do not know where/how to put it.


authenticate {
	Auth-Type my-python-script {

  And it will call the authenticate method of your python script.

  The downside here is that this works *only* for PAP authentication.  For CHAP, MS-CHAP, EAP, etc., you really want to let FreeRADIUS authenticate the user.

  Alan DeKok.

More information about the Freeradius-Users mailing list