Just to close out this thread with a solution...

Turns out that neither rlm_python nor freeradius were the problem. They are working perfectly. The problem was my idiot wireless administrator! Once I beat the password out of him and properly configured the wireless switch, everything started working!

Sorry for the hassle.

Bob

On Thu, Feb 10, 2011 at 8:47 PM, Brett Littrell <blittr...@musd.org> wrote:
>
> Hi Bob,
>
> I do have this running successfully with eDir. I am guessing you are
> using the eDir Radius schema extensions? Also, if you are using Cisco
> equipment, you have to send the vlan name, not the ID. Not sure if other
> switches require the ID.
>
> Brett Littrell
> Network Manager
> MUSD
> CISSP, CCSP, CCVP, MCNE
>
> >>> On Thursday, February 10, 2011 at 1:24 AM, in message
> >>> <AANLkTi=wzuimz+65y3-qzvzdpcvdwp8f4fhht-b+-...@mail.gmail.com>, Bob
> >>> Brandt <b...@brandt.ie> wrote:
> Not sure if there isn't another forum or mailing list for rlm_python
> specifically, but...
>
> I have been using freeradius for a while now with great results, thanks!
>
> We are using a very simple configuration to authenticate users against LDAP
> (eDirectory) and that part works great! I am trying to add a component that
> will return the necessary attributes to allow for dynamic VLANs.
>
> I was able to get this working using the /etc/raddb/users file, however due to
> the size of the organization, this is very messy. I have started using python
> to extract this information from another database and return the information.
>
> All my testing seems to indicate it should work, but it is not. I believe the
> problem is in how rlm_python returns the "Tunnel-Private-Group-Id" attribute.
>
> My users file (which works) looks like this:
>
> # Generic LDAP return attributes
> DEFAULT Auth-Type == "LDAP"
>         Class = "Staff",
>         Service-Type = Login,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Type = VLAN,
>         Tunnel-Private-Group-ID = 99,
>         Fall-Through = Yes
>
> brandtb
>         Reply-Message += "You are a member of the IT Group",
>         Class := "CACS:0/ebf42/ac8c8e6/administrator",
>         Tunnel-Private-Group-ID := 150,
>         Alcatel-Lucent-Asa-Access = "all",
>         Fall-Through = No
>
> Below are the two snippets of the debugs. The first is from the old (working)
> system which uses the users file and the second is from the new system using
> the rlm_python module:
>
> Sending Access-Challenge of id 172 to 10.200.113.99 port 18699
>         Class := 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
>         Service-Type = Login-User
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Type:0 = VLAN
>         Tunnel-Private-Group-Id:0 := "150"
>         Reply-Message += "You are a member of the IT Group"
>         EAP-Message = 0x010200061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xc146d1a4c144c80f46bec9bc87d3208b
> Finished request 0.
>
> -----
>
> Sending Access-Challenge of id 130 to 10.200.113.99 port 18673
>         Reply-Message = "You are a member of the IT Group"
>         Tunnel-Type:0 = VLAN
>         Class = 0x4f50575374616666
>         Class = 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
>         Tunnel-Medium-Type:0 = IEEE-802
>         Service-Type = Login-User
>         Tunnel-Private-Group-Id:0 = "150"
>         EAP-Message = 0x010200061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x8cd4aac48cd6b3a6430ea766ccfa9b91
> Finished request 0.
>
> The debug output looks for the most part identical!
>
> Now, initially when using the users file, I had the same problem I am having
> now, where the wireless access point was getting the attributes but was not
> putting me in the correct VLAN. The problem turned out that I was passing a
> string to the "Tunnel-Private-Group-Id" attribute instead of an integer. Once
> I removed the quotes from the VLAN ID everything was working perfectly.
>
> Thinking that the problem was that within Python I was storing the
> "Tunnel-Private-Group-Id" attribute as a string I changed it to an integer,
> however I immediately got the error:
>
> return tuple must be (str,str)
>
> I don't know how to get around this and I have not been able to find too many
> examples of how to use the rlm_python module. Any help would be greatly
> appreciated.
>
> Thanks
> Bob Brandt
>
> --
> What's the point of having a rapier wit if I can't use it to stab people? -
> Jeph Jacques
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
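
Added example, not code from this thread or from the FreeRADIUS project: a minimal rlm_python-style `authorize()` that returns the dynamic-VLAN reply attributes from the users file quoted above as (str, str) pairs, which is the shape the "return tuple must be (str,str)" error asks for. The `VLAN_DB` dictionary, the helper names and the numeric fallback return codes used when running outside the server are assumptions made for illustration.

```python
# Added example: rlm_python-style authorize() returning dynamic VLAN pairs.
try:
    import radiusd                       # only importable inside FreeRADIUS
    NOOP = radiusd.RLM_MODULE_NOOP
    UPDATED = radiusd.RLM_MODULE_UPDATED
except ImportError:                      # stand-alone run: same numeric codes
    NOOP, UPDATED = 7, 8

# Constructed sample data standing in for the external database (assumption).
VLAN_DB = {"brandtb": 150, "guest1": 99, "broken": 5000}


def vlan_reply_pairs(vlan_id):
    """Return the three tunnel attributes as (str, str) pairs."""
    if isinstance(vlan_id, bool) or not isinstance(vlan_id, int):
        raise ValueError("VLAN ID must be an integer")
    if not 1 <= vlan_id <= 4094:         # valid 802.1Q VLAN ID range
        raise ValueError("VLAN ID out of range: %r" % vlan_id)
    return (
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", str(vlan_id)),  # value is a str, not int
    )


def request_user(p):
    """Pull User-Name out of the request tuple, dropping surrounding quotes."""
    for name, value in p:
        if name == "User-Name":
            return value.strip('"')
    return None


def authorize(p):
    """Entry point to be named in the python module configuration."""
    user = request_user(p)
    if user not in VLAN_DB:
        return (NOOP, (), ())            # unknown user: reply left untouched
    try:
        reply = vlan_reply_pairs(VLAN_DB[user])
    except ValueError:
        return (NOOP, (), ())            # bad database value: send no VLAN
    return (UPDATED, reply, ())          # (code, reply pairs, config pairs)


if __name__ == "__main__":
    print(authorize((("User-Name", '"brandtb"'),)))
```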