From d1ac9ec8eb3e54f1faabfd12e9140a5ee68a27b8 Mon Sep 17 00:00:00 2001 From: chapeau Date: Sat, 23 Oct 2021 11:54:01 +0200 Subject: [PATCH 1/3] fix autocapture --- auth.py | 61 +++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 23 deletions(-) diff --git a/auth.py b/auth.py index 5fbfce5..c2a174a 100644 --- a/auth.py +++ b/auth.py @@ -159,22 +159,16 @@ def authorize(data): nas_type = data_from_api["nas"] user = data_from_api["user"] - user_interface = data_from_api["user_interface"] if not nas_type or nas_type and nas_type["port_access_mode"] == "802.1X": - result, log, password = check_user_machine_and_register( - nas_type, user, user_interface, nas, username, mac) - logger.info(log.encode("utf-8")) + password = user.get("pwd_ntlm", "") logger.info(username.encode("utf-8")) - if not result: - return radiusd.RLM_MODULE_REJECT - else: - return ( - radiusd.RLM_MODULE_UPDATED, - (), - ((str("NT-Password"), str(password)),), - ) + return ( + radiusd.RLM_MODULE_UPDATED, + (), + ((str("NT-Password"), str(password)),), + ) else: return (radiusd.RLM_MODULE_UPDATED, (), (("Auth-Type", "Accept"),)) @@ -188,6 +182,9 @@ def post_auth(data): nas = data.get("NAS-IP-Address", data.get("NAS-Identifier", None)) nas_port = data.get("NAS-Port-Id", data.get("NAS-Port", None)) mac = data.get("Calling-Station-Id", None) + username = data.get("User-Name", "") + # For proxified request, split + username = username.split("@", 1)[0] # Get all required objects from API data_from_api = api_client().view( 
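Review bot: The new `password = user.get("pwd_ntlm", "")` line assumes `user` is a dict, but the `if not user` → "User unknown" guard that used to run before the hash was released went away with the `check_user_machine_and_register` call, so an unknown login now raises AttributeError on `None.get(...)` (presumably surfacing as a module failure) instead of a clean reject, and, as before, a record without `pwd_ntlm` yields an empty `NT-Password`. Guard before the lookup: `if not user or not user.get("pwd_ntlm"): return radiusd.RLM_MODULE_REJECT`. With this hunk none of the access/interface checks run in authorize any more, so the hash is handed to the MS-CHAP step for disabled and non-contributing accounts as well; whether they are still rejected now depends entirely on post_auth. The body of authorize starts before this hunk.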
@@ -197,9 +194,28 @@ def post_auth(data): urllib.parse.quote(mac or "None", safe="") )) + data_from_api2 = api_client().view( + "radius/authorize/{0}/{1}/{2}".format( + urllib.parse.quote(nas or "None", safe=""), + urllib.parse.quote(username or "None", safe=""), + urllib.parse.quote(mac or "None", safe="") + )) + nas_type = data_from_api["nas"] port = data_from_api["port"] switch = data_from_api["switch"] + nas_type = data_from_api2["nas"] + user = data_from_api2["user"] + user_interface = data_from_api2["user_interface"] + + result, log = check_user_machine_and_register( + nas_type, user, user_interface, nas, username, mac) + + logger.info(log.encode("utf-8")) + logger.info(username.encode("utf-8")) + + if not result: + return radiusd.RLM_MODULE_REJECT # If proxified request if not nas_type: @@ -258,10 +274,10 @@ def check_user_machine_and_register(nas_type, user, user_interface, nas_id, user if not user: # No username provided - return (False, "User unknown", "") + return (False, "User unknown") if not user["access"]: - return (False, "Invalid connexion (non-contributing user)", "") + return (False, "Invalid connexion (non-contributing user)") if user_interface: if user_interface["user_pk"] != user["pk"]: @@ -272,7 +288,7 @@ def check_user_machine_and_register(nas_type, user, user_interface, nas_id, user ) elif not user_interface["active"]: - return (False, "Interface/Machine disabled", "") + return (False, "Interface/Machine disabled") elif not user_interface["ipv4"]: # Try to autoassign ip 
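Review bot: The realm removed by `username = username.split("@", 1)[0]` is dropped silently, so `alice@foo` and `alice@bar` resolve to the same local account in the lookups that follow, and nothing states which side of the `@` was meant to be kept; add a comment with the intent, e.g. `# Proxied requests arrive as login@realm; the API is keyed on the bare login (realm routing is the proxy's job)`. Please also confirm that `User-Name` at post_auth time is the authenticated identity in this deployment — if the module were called from an outer EAP virtual server it would be the (possibly anonymous) outer identity, and this is the name later passed to `check_user_machine_and_register` and into the autoregister URL to bind the MAC. post_auth begins before this hunk.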
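Review bot: The `check_user_machine_and_register` call inserted here runs before the `if not nas_type:` proxified branch, so for a proxied request `nas_type` is None and the helper ends in `(False, "Unknown interface/machine")` whenever the MAC has no registered interface, rejecting at post_auth traffic the old code only logged ("Proxified request, nas unknown"). Patch 2/3 of this series moves the call, so this is an intermediate state, but the commit on its own is not bisect-safe. In the same hunk `nas_type = data_from_api["nas"]` is immediately overwritten by `nas_type = data_from_api2["nas"]`, leaving the first assignment dead — drop one of them. post_auth continues outside the hunk.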
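Review bot: The return arity of `check_user_machine_and_register` changes from three to two in this hunk, but the multi-line `return (` for the `user_interface["user_pk"] != user["pk"]` case sits between this hunk and the next (old lines 268–271) and is not touched by the diff; if it still yields a third element, the `result, log = ...` unpacking in post_auth raises ValueError on exactly the "interface belongs to another user" path. Check that return, and since the contract is now `(bool, str)`, record it in the docstring, e.g. `Returns (ok, message); the NT hash is no longer returned — authorize reads pwd_ntlm itself.` The function's signature is above this hunk.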
@@ -281,11 +297,11 @@ def check_user_machine_and_register(nas_type, user, user_interface, nas_id, user "radius/assign_ip/{0}".format( urllib.parse.quote(mac_address or "None", safe="") )) - return (True, "Ok, new ipv4 assignement...", user.get("pwd_ntlm", "")) + return (True, "Ok, new ipv4 assignement...") except HTTPError as err: - return (False, "Error during ip assignement %s" % err.response.text, "") + return (False, "Error during ip assignement %s" % err.response.text) else: - return (True, "Access ok", user.get("pwd_ntlm", "")) + return (True, "Access ok") elif nas_type: # The interface is not yet registred, try to autoregister if enabled @@ -297,14 +313,13 @@ def check_user_machine_and_register(nas_type, user, user_interface, nas_id, user urllib.parse.quote(username or "None", safe=""), urllib.parse.quote(mac_address or "None", safe="") )) - return (True, "Access Ok, Registering mac...", user["pwd_ntlm"]) + return (True, "Access Ok, Registering mac...") except HTTPError as err: - return (False, "Error during mac register %s" % err.response.text, "") - return (False, "Autoregistering is disabled", "") + return (False, "Error during mac register %s" % err.response.text) else: - return (False, "Unknown interface/machine", "") + return (False, "Autoregistering is disabled") else: - return (False, "Unknown interface/machine", "") + return (False, "Unknown interface/machine") def set_radius_attributes_values(attributes, values): From f9020318711b0c716d11251182314999f42d23ec Mon Sep 17 00:00:00 2001 From: chapeau Date: Sat, 23 Oct 2021 12:03:06 +0200 Subject: [PATCH 2/3] autocapture en wifi uniquement --- auth.py | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/auth.py b/auth.py index c2a174a..ca1d49b 100644 --- a/auth.py +++ b/auth.py 
@@ -208,15 +208,6 @@ def post_auth(data): user = data_from_api2["user"] user_interface = data_from_api2["user_interface"] - result, log = check_user_machine_and_register( - nas_type, user, user_interface, nas, username, mac) - - logger.info(log.encode("utf-8")) - logger.info(username.encode("utf-8")) - - if not result: - return radiusd.RLM_MODULE_REJECT - # If proxified request if not nas_type: logger.info("Proxified request, nas unknown") @@ -263,6 +254,14 @@ def post_auth(data): # Else it is from wifi else: + result, log = check_user_machine_and_register( + nas_type, user, user_interface, nas, username, mac) + + logger.info(log.encode("utf-8")) + logger.info(username.encode("utf-8")) + + if not result: + return radiusd.RLM_MODULE_REJECT return radiusd.RLM_MODULE_OK From e6442570404b02f9ba0948103d3806918082bced Mon Sep 17 00:00:00 2001 From: chapeau Date: Mon, 25 Oct 2021 20:08:54 +0200 Subject: [PATCH 3/3] api plus propre --- auth.py | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/auth.py b/auth.py index ca1d49b..e59abed 100644 --- a/auth.py +++ b/auth.py @@ -151,10 +151,9 @@ def authorize(data): # Get all required objects from API data_from_api = api_client().view( - "radius/authorize/{0}/{1}/{2}".format( + "radius/authorize/{0}/{1}".format( urllib.parse.quote(nas or "None", safe=""), urllib.parse.quote(username or "None", safe=""), - urllib.parse.quote(mac or "None", safe="") )) nas_type = data_from_api["nas"] 
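Review bot: Moving the `check_user_machine_and_register` call into the wifi `else:` branch means the `user["access"]` and `user_interface["active"]` rejections are now reached only for wifi NAS types; since patch 1/3 also removed them from authorize, the wired/switch branch above this hunk (not shown) must enforce them itself, or a disabled or non-contributing account authenticating over wired 802.1X is rejected only if the port logic happens to do so. Please confirm that branch, and make the split explicit at the call site, e.g. `# Wifi only: access/interface checks and MAC autoregistration; wired ports are gated by the port logic above`. post_auth starts before this hunk.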
@@ -188,25 +187,18 @@ def post_auth(data): # Get all required objects from API data_from_api = api_client().view( - "radius/post_auth/{0}/{1}/{2}".format( + "radius/post_auth/{0}/{1}/{2}/{3}".format( urllib.parse.quote(nas or "None", safe=""), urllib.parse.quote(nas_port or "None", safe=""), - urllib.parse.quote(mac or "None", safe="") - )) - - data_from_api2 = api_client().view( - "radius/authorize/{0}/{1}/{2}".format( - urllib.parse.quote(nas or "None", safe=""), - urllib.parse.quote(username or "None", safe=""), - urllib.parse.quote(mac or "None", safe="") + urllib.parse.quote(mac or "None", safe=""), + urllib.parse.quote(username or "None", safe="") )) nas_type = data_from_api["nas"] port = data_from_api["port"] switch = data_from_api["switch"] - nas_type = data_from_api2["nas"] - user = data_from_api2["user"] - user_interface = data_from_api2["user_interface"] + user = data_from_api["user"] + user_interface = data_from_api["user_interface"] # If proxified request if not nas_type:
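Review bot: The `radius/post_auth` route now takes four path segments and the code indexes `data_from_api["user"]` and `data_from_api["user_interface"]` directly, so this patch has a hard dependency on the API side shipping the new route and fields at the same time; a partially deployed pair fails on every post_auth with HTTPError/KeyError rather than a reject. A short comment on the expected response keys would help the next reader, e.g. `# API returns nas, port, switch, user and user_interface for this NAS/port/MAC/login; user and user_interface are presumably null when unknown`. Note too that the `username` placed in the URL is the realm-stripped value computed earlier in post_auth, not the raw `User-Name` the client sent. post_auth continues past the end of this hunk.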