Just to close out this thread with a solution...

Turns out that neither rlm_python nor freeradius were the problem.
They are working perfectly.  The problem was my idiot wireless
administrator! Once I beat the password out of him and properly
configured the wireless switch, everything started working!

Sorry for the hassle.

Bob

On Thu, Feb 10, 2011 at 8:47 PM, Brett Littrell <blittr...@musd.org> wrote:
>
> Hi Bob,
>
>     I do have this running successfully with eDir.  I am guessing you are 
> using the eDir Radius schema extensions?  Also, if you are using Cisco 
> equipment, you have to send the vlan name, not the ID.  Not sure if other 
> switches require the ID.
>
> Brett Littrell
> Network Manager
> MUSD
> CISSP, CCSP, CCVP, MCNE
>
> >>> On Thursday, February 10, 2011 at 1:24 AM, in message <AANLkTi=wzuimz+65y3-qzvzdpcvdwp8f4fhht-b+-...@mail.gmail.com>, Bob Brandt <b...@brandt.ie> wrote:
> Not sure if there isn't another forum or mailing list for rlm_python 
> specifically, but...
>
> I have been using freeradius for a while now with great results, thanks!
>
> We are using a very simple configuration to authenticate users against LDAP 
> (eDirectory) and that part works great! I am trying to add a component that 
> will return the necessary attributes to allow for dynamic VLANs.
>
> I was able to get this working using the /etc/raddb/users file, however due to 
> the size of the organization, this is very messy. I have started using python 
> to extract this information from another database and return the information.
>
> All my testing seems to indicate it should work, but it is not. I believe the 
> problem is in how rlm_python returns the "Tunnel-Private-Group-Id" attribute.
>
> My users file (which works) looks like this:
>
> # Generic LDAP return attributes
> DEFAULT Auth-Type == "LDAP"
>         Class = "Staff",
>         Service-Type = Login,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Type = VLAN,
>         Tunnel-Private-Group-ID = 99,
>         Fall-Through = Yes
>
> brandtb
>         Reply-Message += "You are a member of the IT Group",
>         Class := "CACS:0/ebf42/ac8c8e6/administrator",
>         Tunnel-Private-Group-ID := 150,
>         Alcatel-Lucent-Asa-Access = "all",
>         Fall-Through = No
>
> Below are the two snippets of the debugs. The first is from the old (working) 
> system which uses the users file and the second is from the new system using 
> the rlm_python module:
>
> Sending Access-Challenge of id 172 to 10.200.113.99 port 18699
> Class := 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
> Service-Type = Login-User
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Type:0 = VLAN
> Tunnel-Private-Group-Id:0 := "150"
> Reply-Message += "You are a member of the IT Group"
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xc146d1a4c144c80f46bec9bc87d3208b
> Finished request 0.
>
> -----
>
> Sending Access-Challenge of id 130 to 10.200.113.99 port 18673
> Reply-Message = "You are a member of the IT Group"
> Tunnel-Type:0 = VLAN
> Class = 0x4f50575374616666
> Class = 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
> Tunnel-Medium-Type:0 = IEEE-802
> Service-Type = Login-User
> Tunnel-Private-Group-Id:0 = "150"
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8cd4aac48cd6b3a6430ea766ccfa9b91
> Finished request 0.
>
> The debug output looks for the most part identical!
>
> Now, initially when using the users file, I had the same problem I am having 
> now, where the wireless access point was getting the attributes but was not 
> putting me in the correct VLAN. The problem turned out that I was passing a 
> string to the "Tunnel-Private-Group-Id" attribute instead of an integer. Once 
> I removed the quotes from the VLAN ID everything was working perfectly.
>
> Thinking that the problem was that within Python I was storing the 
> "Tunnel-Private-Group-Id" attribute as a string, I changed it to an integer, 
> however I immediately got the error:
>
> return tuple must be (str,str)
>
> I don't know how to get around this and I have not been able to find too many 
> examples of how to use the rlm_python module. Any help would be greatly 
> appreciated.
>
> Thanks
> Bob Brandt
>
>
>
>
> --
> What's the point of having a rapier wit if I can't use it to stab people? - 
> Jeph Jacques
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
What's the point of having a rapier wit if I can't use it to stab
people? - Jeph Jacques
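
The "return tuple must be (str,str)" error quoted above means every reply pair handed back by rlm_python has to be a pair of strings, so a VLAN ID held as an integer is validated and then converted before it is returned. The sketch below is an added example, not code from the thread or from FreeRADIUS; the VLAN_BY_USER table (a constructed stand-in for the external database), the use of the authorize hook, and the fallback to VLAN 99 (taken from the DEFAULT users entry above) are assumptions.

```python
# Added example (not from the original thread): an rlm_python hook that
# returns dynamic-VLAN reply attributes as (str, str) pairs.
try:
    import radiusd  # provided by FreeRADIUS when running under rlm_python
    RLM_MODULE_UPDATED = radiusd.RLM_MODULE_UPDATED
except ImportError:
    RLM_MODULE_UPDATED = 8  # value from the radiusd.py shipped with FreeRADIUS

DEFAULT_VLAN = 99  # assumption: mirrors the DEFAULT users-file entry above

# Constructed sample data standing in for the external database lookup.
VLAN_BY_USER = {"brandtb": 150, "badrow": "150; drop", "toolarge": 5000}


def vlan_reply(vlan):
    """Build the three tunnel attributes; every value is a str."""
    vlan = int(vlan)  # ValueError/TypeError on non-numeric database content
    if not 1 <= vlan <= 4094:  # usable 802.1Q VLAN IDs
        raise ValueError("VLAN ID out of range: %d" % vlan)
    return (
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", str(vlan)),  # str, never int
    )


def authorize(p):
    """p is the request as a tuple of (attribute, value) string pairs."""
    request = dict(p)
    # Assumption: string values may arrive wrapped in double quotes.
    user = request.get("User-Name", "").strip('"')
    try:
        reply = vlan_reply(VLAN_BY_USER.get(user, DEFAULT_VLAN))
    except (TypeError, ValueError):
        # Malformed or out-of-range data never reaches the switch;
        # the user lands in the default VLAN instead.
        reply = vlan_reply(DEFAULT_VLAN)
    return (RLM_MODULE_UPDATED, reply, ())  # (code, reply pairs, config pairs)
```
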
