Operator being rewritten - rlm_python
Fraser McGlinn
fraser at frizianz.com
Mon Nov 20 09:51:50 CET 2017
Hi Guys,
Trying to get rlm_python going on 3.0.13 on CentOS 7. Got everything working
correctly, although I am finding that the reply tuple does not appear to be
accepting my operator +=.
See debug below:
authorize - 'reply:Framed-IP-Address' = '192.0.2.0'
authorize - 'reply:Cisco-AVPair' += 'ip:dns-servers=192.0.2.255 192.0.2.254'
authorize - 'reply:Cisco-AVPair' += 'ip:outacl#10=deny udp any any eq domain'
authorize - 'reply:Cisco-AVPair' += 'ip:outacl#20=deny udp any any eq snmp'
authorize - 'reply:Cisco-AVPair' += 'ip:outacl#30=deny udp any any eq 1900'
authorize - 'reply:Cisco-AVPair' += 'ip:outacl#40=deny tcp any any eq 80'
authorize - 'reply:Cisco-AVPair' += 'ip:outacl#50=deny udp any any eq 80'
authorize - 'reply:Cisco-AVPair' += 'ip:outacl#60=deny tcp any any eq 443'
authorize - 'reply:Cisco-AVPair' += 'ip:outacl#70=deny udp any any eq 443'
authorize - 'reply:Cisco-AVPair' += 'ip:outacl#80=permit ip any any'
authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#10=deny udp any any eq domain'
authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#20=deny udp any any eq snmp'
authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#30=deny udp any any eq 1900'
authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#40=deny tcp any any eq 80'
authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#50=deny udp any any eq 80'
authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#60=deny tcp any any eq 443'
authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#70=deny udp any any eq 443'
authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#80=permit ipv6 any any'
authorize - 'config:Cleartext-Password' = 'test'
(0) [python] = ok
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "test at domain.com" authenticated successfully
(0) [chap] = ok
(0) } # Auth-Type CHAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Login OK: [test at domain.com] (from client localhost port 0)
(0) Sent Access-Accept Id 121 from 127.0.0.1:1812 to 127.0.0.1:54848 length 0
(0) Framed-IP-Address = 192.0.2.0
(0) Cisco-AVPair = "ip:dns-servers=192.0.2.255 192.0.2.254"
(0) Cisco-AVPair = "ip:outacl#10=deny udp any any eq domain"
(0) Cisco-AVPair = "ip:outacl#20=deny udp any any eq snmp"
(0) Cisco-AVPair = "ip:outacl#30=deny udp any any eq 1900"
(0) Cisco-AVPair = "ip:outacl#40=deny tcp any any eq 80"
(0) Cisco-AVPair = "ip:outacl#50=deny udp any any eq 80"
(0) Cisco-AVPair = "ip:outacl#60=deny tcp any any eq 443"
(0) Cisco-AVPair = "ip:outacl#70=deny udp any any eq 443"
(0) Cisco-AVPair = "ip:outacl#80=permit ip any any"
(0) Cisco-AVPair = "ipv6:outacl#10=deny udp any any eq domain"
(0) Cisco-AVPair = "ipv6:outacl#20=deny udp any any eq snmp"
(0) Cisco-AVPair = "ipv6:outacl#30=deny udp any any eq 1900"
(0) Cisco-AVPair = "ipv6:outacl#40=deny tcp any any eq 80"
(0) Cisco-AVPair = "ipv6:outacl#50=deny udp any any eq 80"
(0) Cisco-AVPair = "ipv6:outacl#60=deny tcp any any eq 443"
(0) Cisco-AVPair = "ipv6:outacl#70=deny udp any any eq 443"
(0) Cisco-AVPair = "ipv6:outacl#80=permit ipv6 any any"
Note that the authorize reply output provided by rlm_python shows the op as
+=, but the op in the Access-Accept shows =.
I note that in the source there is a sanity check to verify the operator
passed to rlm_python, but I'm not seeing any logs, even in -XX, showing that
it's being rewritten as per the source.
Any ideas?
Thanks,
Fraser