How do I get every userid passed to an rlm_python module

Jim Whitescarver jimscarver at gmail.com
Wed Feb 10 16:04:15 CET 2016


There is no password checking ever.  The password field will be used for a
device name for out-of-band device and biometric authentication done from
python.

I've tried using
authorize {
        python
        update control {
                Auth-Type := example
        }
}
and
authenticate {
        Auth-Type example {
                python
        }
}
but I cannot get past authorize.  I want authorize to always succeed!

In example.py I have tried
  return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),))
  return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'example'),))
  return radiusd.RLM_MODULE_OK
plus a few variations of
  reply = ( ('Reply-Message', 'Hello from rlm_python'), )
  config = ( ('Auth-Type', 'python'), )
  return (radiusd.RLM_MODULE_OK, reply, config)

But I always get
 pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(2) pap: WARNING: Authentication will fail unless a "known good" password is available

How can I get past that?  There is never a "known good" password.
Passwords are not used.  Somehow four years ago we got it to work.

We are not using ANY other authentication other than python.  This should
be easy I would think.  I just do not know what I am doing and am afraid to
touch anything as I learned four years ago that the configuration is very
brittle.

Thanks all for your responses.  Today is my last day and if I cannot make
this work I may never work again :-(  I could pay a small consulting fee,
say $30, if someone is willing to fix this for me.

Jim

*** radlog call in authorize ***

(('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address', '10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0x77b36c156957edc5c334369876516264'), ('Event-Timestamp', '"Feb 10 2016 14:37:07 UTC"'))
(1)     [python] = ok
(1)     update control {
(1)       Auth-Type := saferadius
(1)     } # update control = noop
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "jim", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = ok
(1) Found Auth-Type = saferadius
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Auth-Type saferadius {
(1)     [python] = noop
(1)   } # Auth-Type saferadius = noop
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> jim
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 2 from 127.0.0.1:1812 to 127.0.0.1:48933 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 2 with timestamp +3119
Ready to process requests




On Wed, Feb 10, 2016 at 4:06 AM, Herwin Weststrate <herwin at quarantainenet.nl> wrote:

> On 10-02-16 02:53, Matthew Newton wrote:
>
> > As for how to actually change attributes in python, I've never
> > done it I'm afraid. From one of the example files it looks like
> > you might want something like
> >
> >  return (radiusd.RLM_MODULE_UPDATED, (), (('Auth-Type', 'Accept'),))
> >
> > at the end of your authorize function. To return the correct
> > password you could try
> >
> >  return (radiusd.RLM_MODULE_UPDATED, (), (('Cleartext-Password', 'thingy'),))
>
> I recently updated the wiki page for rlm_python,
>
> http://wiki.freeradius.org/modules/Rlm_python#python-module-for-freeradius_example_writing-the-code
> actually contains an example of returning a Cleartext-Password.
>
> > I wouldn't put python in authorize unless you really know what
> > you're doing.
>
> I agree to this. Python has to fetch the passwords somehow, it's very
> likely that there is an existing module for FreeRADIUS that can do that
> out of the box.
>
> --
> Herwin Weststrate
>


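Added example, not code from this thread or from the FreeRADIUS project: in the debug output above, python returns noop inside the Auth-Type saferadius group and the request is rejected. The sketch below is an rlm_python module that exposes an authenticate function alongside authorize and accepts only when the out-of-band check passes. It assumes the python module's authenticate hook is mapped to this function in the module configuration; ENROLLED, verify_out_of_band, attrs and SAMPLE are hypothetical names.

```python
# Added example; not code from the thread or from FreeRADIUS.
try:
    import radiusd                  # available when run under rlm_python
except ImportError:
    class radiusd:                  # stand-in so the file also runs offline
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2
        RLM_MODULE_NOOP, RLM_MODULE_UPDATED = 7, 8

# Hypothetical enrollment data: user -> device names allowed to authenticate.
ENROLLED = {"jim": {"hello"}}


def verify_out_of_band(user, device):
    """Hypothetical stand-in for the real out-of-band / biometric check."""
    return device in ENROLLED.get(user, set())


def attrs(p):
    """Request tuple -> dict; string values arrive wrapped in double quotes."""
    return {name: value.strip('"') for name, value in p}


def authorize(p):
    # No decision here. Auth-Type is set by the 'update control' block
    # that follows python in authorize, as in the debug output.
    return radiusd.RLM_MODULE_OK


def authenticate(p):
    """Runs inside the Auth-Type group; only an explicit OK accepts."""
    a = attrs(p)
    user, device = a.get("User-Name"), a.get("User-Password")
    if not user or not device:
        return radiusd.RLM_MODULE_REJECT
    try:
        verified = verify_out_of_band(user, device)
    except Exception:
        return radiusd.RLM_MODULE_FAIL      # verifier error: fail closed
    if verified:
        return (radiusd.RLM_MODULE_OK, (("Reply-Message", "device verified"),), ())
    return radiusd.RLM_MODULE_REJECT


# Constructed request, shaped like the tuple logged by radlog in the post.
SAMPLE = (("User-Name", '"jim"'), ("User-Password", '"hello"'),
          ("NAS-IP-Address", "10.34.1.18"))

if __name__ == "__main__":
    print(authorize(SAMPLE), authenticate(SAMPLE))
```
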