Returning Vendor Specific Attribute in radius reply
Siddiqui Najam
Najam.Siddiqui at gemalto.com
Wed Aug 23 03:05:31 CEST 2017
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+najam.siddiqui=gemalto.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 22, 2017 6:11 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: [+SPAM+]: Re: [+SPAM+]: Re: Returning Vendor Specific Attribute in radius reply
On Aug 22, 2017, at 6:17 PM, Siddiqui Najam <Najam.Siddiqui at gemalto.com> wrote:
>
> Thanks for the response Alan.
>
> I have a backend server that can return any VSA, and the attribute is returned as a hex string, so I have to handle this dynamically.
>
> In version 2.X this was working fine. However, with 3.X (rlm_python) I am having this issue.
> It should work. What's the full debug output for it?
Wed Aug 23 00:44:09 2017 : Debug: (0) Received Access-Request Id 24 from 192.168.99.1:58796 to 172.17.0.5:1812 length 48
Wed Aug 23 00:44:09 2017 : Debug: (0) User-Name = "testuser"
Wed Aug 23 00:44:09 2017 : Debug: (0) User-Password = "testpassword"
Wed Aug 23 00:44:09 2017 : Debug: (0) session-state: No State attribute
Wed Aug 23 00:44:09 2017 : Debug: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Aug 23 00:44:09 2017 : Debug: (0) authorize {
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling preprocess (rlm_preprocess)
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess)
Wed Aug 23 00:44:09 2017 : Debug: (0) [preprocess] = ok
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling agent_mod (rlm_python)
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: Initialised new thread state 0x563921b35680
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: Using thread state 0x563921b35680
Wed Aug 23 00:44:09 2017 : Debug: authorize - 'config:Auth-Type' = 'agent'
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: ::: FROM 1 TO 0 MAX 1
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: ::: Examining Auth-Type
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: ::: APPENDING Auth-Type FROM 0 TO 0
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: ::: TO in 0 out 0
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from agent_mod (rlm_python)
Wed Aug 23 00:44:09 2017 : Debug: (0) [agent_mod] = ok
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling chap (rlm_chap)
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from chap (rlm_chap)
Wed Aug 23 00:44:09 2017 : Debug: (0) [chap] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling mschap (rlm_mschap)
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from mschap (rlm_mschap)
Wed Aug 23 00:44:09 2017 : Debug: (0) [mschap] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling digest (rlm_digest)
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from digest (rlm_digest)
Wed Aug 23 00:44:09 2017 : Debug: (0) [digest] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling suffix (rlm_realm)
Wed Aug 23 00:44:09 2017 : Debug: (0) suffix: Checking for suffix after "@"
Wed Aug 23 00:44:09 2017 : Debug: (0) suffix: No '@' in User-Name = "testuser", looking up realm NULL
Wed Aug 23 00:44:09 2017 : Debug: (0) suffix: No such realm "NULL"
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from suffix (rlm_realm)
Wed Aug 23 00:44:09 2017 : Debug: (0) [suffix] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling files (rlm_files)
Wed Aug 23 00:44:09 2017 : Debug: ^[Rr][Oo][Oo][Tt]$
Wed Aug 23 00:44:09 2017 : Debug: Parsed xlat tree:
Wed Aug 23 00:44:09 2017 : Debug: literal --> ^[Rr][Oo][Oo][Tt]$
Wed Aug 23 00:44:09 2017 : Debug: (0) files: EXPAND ^[Rr][Oo][Oo][Tt]$
Wed Aug 23 00:44:09 2017 : Debug: (0) files: --> ^[Rr][Oo][Oo][Tt]$
Wed Aug 23 00:44:09 2017 : Debug: No matches
Wed Aug 23 00:44:09 2017 : Debug: Adding 33 matches
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from files (rlm_files)
Wed Aug 23 00:44:09 2017 : Debug: (0) [files] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration)
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration)
Wed Aug 23 00:44:09 2017 : Debug: (0) [expiration] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime)
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime)
Wed Aug 23 00:44:09 2017 : Debug: (0) [logintime] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: calling pap (rlm_pap)
Wed Aug 23 00:44:09 2017 : WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type
Wed Aug 23 00:44:09 2017 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap)
Wed Aug 23 00:44:09 2017 : Debug: (0) [pap] = noop
Wed Aug 23 00:44:09 2017 : Debug: (0) } # authorize = ok
Wed Aug 23 00:44:09 2017 : Debug: (0) Found Auth-Type = agent
Wed Aug 23 00:44:09 2017 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default
Wed Aug 23 00:44:09 2017 : Debug: (0) Auth-Type agent {
Wed Aug 23 00:44:09 2017 : Debug: (0) modsingle[authenticate]: calling agent_mod (rlm_python)
Wed Aug 23 00:44:09 2017 : Debug: (0) agent_mod: Using thread state 0x563921b35680
Wed Aug 23 00:44:11 2017 : Debug: authenticate - Failed: 'reply:Attr-26' = '0x00000009010f54657374417474726962757465'
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: FROM 1 TO 0 MAX 1
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: Examining Vendor-Specific
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: APPENDING Vendor-Specific FROM 0 TO 0
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: TO in 0 out 0
Wed Aug 23 00:44:11 2017 : Debug: authenticate - 'config:Auth-Type' = 'agent'
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: FROM 1 TO 1 MAX 2
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: Examining Auth-Type
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: TO in 1 out 1
Wed Aug 23 00:44:11 2017 : Debug: (0) agent_mod: ::: to[0] = Auth-Type
Wed Aug 23 00:44:11 2017 : Debug: (0) modsingle[authenticate]: returned from agent_mod (rlm_python)
Wed Aug 23 00:44:11 2017 : Debug: (0) [agent_mod] = ok
Wed Aug 23 00:44:11 2017 : Debug: (0) } # Auth-Type agent = ok
Wed Aug 23 00:44:11 2017 : Debug: (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Aug 23 00:44:11 2017 : Debug: (0) post-auth {
Wed Aug 23 00:44:11 2017 : Debug: (0) modsingle[post-auth]: calling exec (rlm_exec)
Wed Aug 23 00:44:11 2017 : Debug: (0) modsingle[post-auth]: returned from exec (rlm_exec)
Wed Aug 23 00:44:11 2017 : Debug: (0) [exec] = noop
Wed Aug 23 00:44:11 2017 : Debug: (0) } # post-auth = noop
Wed Aug 23 00:44:11 2017 : Auth: (0) Login OK: [testuser] (from client Radius Local port 0)
Wed Aug 23 00:44:11 2017 : Debug: (0) Sent Access-Accept Id 24 from 172.17.0.5:1812 to 192.168.99.1:58796 length 0
SOFT ASSERT FAILED src/lib/value.c[1872]: 0
Wed Aug 23 00:44:11 2017 : Debug: (0) Vendor-Specific =
Wed Aug 23 00:44:11 2017 : Debug: (0) Finished request
Wed Aug 23 00:44:11 2017 : Debug: Waking up in 4.9 seconds.
Wed Aug 23 00:44:16 2017 : Debug: (0) Cleaning up request packet ID 24 with timestamp +7
Wed Aug 23 00:44:16 2017 : Info: Ready to process requests
>And is the hex string well-formed? i.e. is it correct for the Cisco VSA?
Yes.
The response from freeradius server version 2.2.0:
Sending Access-Accept of id 25 to 192.168.56.1 port 55685
Attr-26 = 0x00000009010f54657374417474726962757465
In the test client (radtest) the response is:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=204, length=53
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Cisco-AVPair = "TestAttribute"
Alan DeKok.
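
Added example (not part of the original message, and not FreeRADIUS or rlm_python code): a stand-alone Python 3 check of whether an Attr-26 hex string such as the one above is well-formed, assuming the sub-attribute layout recommended by RFC 2865 section 5.26 (Vendor-Id, then Vendor-Type / Vendor-Length / value). The names parse_vsa and VSAError are hypothetical.

```python
import struct


class VSAError(ValueError):
    """Raised when an Attr-26 value is not a well-formed Vendor-Specific attribute."""


def parse_vsa(hex_value):
    """Decode a Vendor-Specific (26) attribute value given as a hex string.

    Returns (vendor_id, [(vendor_type, value_bytes), ...]).
    """
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    try:
        raw = bytes.fromhex(text)
    except ValueError as exc:
        raise VSAError("not a hex string: %s" % exc)

    # A RADIUS attribute carries at most 253 value octets; we need the 4-octet
    # Vendor-Id plus at least one 2-octet sub-attribute header.
    if not 6 <= len(raw) <= 253:
        raise VSAError("value is %d octets, expected 6..253" % len(raw))
    if raw[0] != 0:
        raise VSAError("high-order octet of Vendor-Id must be 0")
    vendor_id = struct.unpack("!I", raw[:4])[0]

    subattrs = []
    pos = 4
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise VSAError("truncated sub-attribute header at offset %d" % pos)
        vtype, vlen = raw[pos], raw[pos + 1]
        # Vendor-Length counts the type and length octets themselves.
        if vlen < 2 or pos + vlen > len(raw):
            raise VSAError("bad Vendor-Length %d at offset %d" % (vlen, pos))
        subattrs.append((vtype, raw[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subattrs


if __name__ == "__main__":
    # Value copied from the debug output in this message.
    vendor, subs = parse_vsa("0x00000009010f54657374417474726962757465")
    print(vendor, subs)
```

For the value in this thread the result is vendor 9 with one sub-attribute of type 1 carrying "TestAttribute", which matches the Cisco-AVPair shown by radtest.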