
[defect]: rlm_python3 setting attributes to array/tuple values doesn't work

Open darrellenns opened this issue 1 year ago • 2 comments

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

In rlm_perl, the value of an attribute can be set to an array. This can be used to give (for example) a RADIUS reply with multiple attributes having the same name and different values.

In rlm_python3, this does not work. If an attribute value is set to an array or tuple, then the attribute is simply not set at all.

For example:

def post_auth(p):
    update_dict={
        "reply": (
            ("Some-Attribute",("one","two","three")),
        )
    }

Would be expected to set reply attributes:

Some-Attribute: one
Some-Attribute: two
Some-Attribute: three

Instead, it does not set anything.

Log output from the FreeRADIUS daemon

N/A

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

No response

darrellenns, Dec 11 '24 20:12

I'm facing a similar issue

import radiusd
def authorize(p):
    return (
        radiusd.RLM_MODULE_OK,
        (("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"), ("Tunnel-Private-Group-Id", "899"), ("Egress-VLANID", "822084384"), ("Egress-VLANID", "822084395"), ("Egress-VLANID", "822084404"), ("Egress-VLANID", "822084484"), ("Egress-VLANID", "822084574"), ("Egress-VLANID", "822084485"), ("Ingress-Filters", "1"),),
        (('Auth-Type', 'python'),)
    )

yields

Sent Access-Request Id 122 from 0.0.0.0:55012 to 127.0.0.1:1812 length 87
	User-Name = "00:00:00:00:00:00"
	User-Password = "somepassword"
	NAS-IP-Address = 10.172.0.50
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "somepassword"
Received Access-Accept Id 122 from 127.0.0.1:1812 to 127.0.0.1:55012 length 67
	Message-Authenticator = 0xa178fe7c3192a5807faf6174c1666353
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "899"
	Egress-VLANID = 822084384
	Ingress-Filters = Enabled

...where I expected it to respond with multiple Egress-VLANID attributes.

Transforming it to a list or tuple of values in the Egress-VLANID, like

import radiusd
def authorize(p):
    return (
        radiusd.RLM_MODULE_OK,
        (("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"), ("Tunnel-Private-Group-Id", "899"), ("Egress-VLANID", ("822084384", "822084485")), ("Ingress-Filters", "1"),),
        (('Auth-Type', 'python'),)
    )

Results in

Error: authorize - Tuple element 3 of reply must be as (str, str)

How is that supposed to work?

When using the rlm_exec module, a process would write to stdout

Egress-VLANID += 822084384,
Egress-VLANID += 822084485,

Is it actually possible to replicate this with the rlm_python3 module or, if not, is it planned for the future?

Sprinterfreak, Jul 01 '25 13:07

Turns out, at least in 3.2.7, it is possible with triple tuples like

import radiusd
def authorize(p):
    return (
        radiusd.RLM_MODULE_OK,
        {'reply': (
            ("Tunnel-Type", "VLAN"),
            ("Tunnel-Medium-Type", "IEEE-802"),
            ("Tunnel-Private-Group-Id", "899"),
            ("Egress-VLANID", "+=", "822084384"),
            ("Egress-VLANID", "+=", "822084395"),
            ("Egress-VLANID", "+=", "822084404"),
            ("Egress-VLANID", "+=", "822084484"),
            ("Egress-VLANID", "+=", "822084574"),
            ("Egress-VLANID", "+=", "822084485"),
            ("Ingress-Filters", "1"),
    ),},)

Finally resulting in

Sent Access-Request Id 188 from 0.0.0.0:51322 to 127.0.0.1:1812 length 87
	User-Name = "00:00:00:00:00:00"
	User-Password = "somepassword"
	NAS-IP-Address = 10.172.0.50
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "somepassword"
Received Access-Accept Id 188 from 127.0.0.1:1812 to 127.0.0.1:51322 length 97
	Message-Authenticator = 0x956f4afd300bbb743cc4bfa4e99b3b91
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "899"
	Egress-VLANID = 822084384
	Egress-VLANID = 822084395
	Egress-VLANID = 822084404
	Egress-VLANID = 822084484
	Egress-VLANID = 822084574
	Egress-VLANID = 822084485
	Ingress-Filters = Enabled

This did not yet work in the Ubuntu jammy distributed version. I used the currently latest Docker build.

@darrellenns Can you confirm this is working in your case too?

Sprinterfreak, Jul 01 '25 14:07
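
The triple-tuple form from the last comment, generated from list/tuple values, together with a check that a client's reply output contains every expected value so a silently dropped attribute is noticed. This is an added example, not code from the thread or from FreeRADIUS; `expand_pairs`, `missing_values` and the `RLM_MODULE_OK` stand-in value are assumptions made for illustration.

```python
try:
    import radiusd  # present only inside the rlm_python3 interpreter
    RLM_MODULE_OK = radiusd.RLM_MODULE_OK
except ImportError:
    RLM_MODULE_OK = 2  # assumed stand-in so the helpers run outside FreeRADIUS


def expand_pairs(attrs):
    """Turn (name, value) pairs into reply tuples; a list/tuple value becomes
    one (name, "+=", value) triple per element, as in the last comment."""
    out = []
    for name, value in attrs:
        values = value if isinstance(value, (list, tuple)) else (value,)
        if not isinstance(name, str) or not values:
            raise ValueError(f"bad attribute entry: {name!r}")
        for v in values:
            if not isinstance(v, str):  # every value in the thread is a str
                raise TypeError(f"{name}: value {v!r} must be str")
            out.append((name, "+=", v) if len(values) > 1 else (name, v))
    return tuple(out)


def missing_values(reply_text, name, expected):
    """Return the expected values that do not appear as 'name = value'
    lines in the client's printed reply (format as in the outputs above)."""
    seen = set()
    for line in reply_text.splitlines():
        key, sep, val = line.strip().partition(" = ")
        if sep and key == name:
            seen.add(val.strip('"'))
    return [v for v in expected if v not in seen]


def authorize(p):
    # Constructed sample policy using attribute names from the thread.
    reply = expand_pairs((
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", "899"),
        ("Egress-VLANID", ("822084384", "822084485")),
        ("Ingress-Filters", "1"),
    ))
    return (RLM_MODULE_OK, {"reply": reply})


if __name__ == "__main__":
    print(authorize(None))
```
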