From 6bf8494a5d7cb027a919b2f66732430c87f3a5ab Mon Sep 17 00:00:00 2001 From: chapeau Date: Sun, 9 Jan 2022 19:20:04 +0000 Subject: [PATCH] fix: Fix autocapture --- freeradius_utils/auth.py | 30 +++++++++++++++++------------- radius/api/serializers.py | 2 +- radius/api/urls.py | 4 ++-- radius/api/views.py | 21 ++++++++++++--------- 4 files changed, 32 insertions(+), 25 deletions(-) diff --git a/freeradius_utils/auth.py b/freeradius_utils/auth.py index 9c1fd295..e53127fa 100644 --- a/freeradius_utils/auth.py +++ b/freeradius_utils/auth.py @@ -141,19 +141,15 @@ def authorize(data): if not nas_type or nas_type.port_access_mode == "802.1X": user = data.get("User-Name", "") user = user.split("@", 1)[0] - mac = data.get("Calling-Station-Id", "") - result, log, password = check_user_machine_and_register(nas_type, user, mac) - logger.info(str(log)) - logger.info(str(user)) - - if not result: - return radiusd.RLM_MODULE_REJECT - else: - return ( - radiusd.RLM_MODULE_UPDATED, - (), - ((str("NT-Password"), str(password)),), - ) + user = User.objects.filter(pseudo__iexact=user).first() + if not user: + return (False, "User unknown", "") + password = user.pwd_ntlm + return ( + radiusd.RLM_MODULE_UPDATED, + (), + ((str("NT-Password"), str(password)),), + ) else: return (radiusd.RLM_MODULE_UPDATED, (), (("Auth-Type", "Accept"),)) @@ -234,6 +230,14 @@ def post_auth(data): return (radiusd.RLM_MODULE_REJECT, tuple(attributes), ()) else: + user = data.get("User-Name", "") + user = user.split("@", 1)[0] + result, log, password = check_user_machine_and_register(nas_type, user, mac) + logger.info(str(log)) + logger.info(str(user)) + + if not result: + return radiusd.RLM_MODULE_REJECT return radiusd.RLM_MODULE_OK diff --git a/radius/api/serializers.py b/radius/api/serializers.py index febca280..f4521e98 100644 --- a/radius/api/serializers.py +++ b/radius/api/serializers.py 
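Review bot: The unknown-user branch added to authorize returns `(False, "User unknown", "")`, which is the (result, log, password) triple that check_user_machine_and_register used to return, not something rlm_python can treat as a module return value; every other path in this hunk returns a radiusd constant or a (code, reply, config) tuple, so a bare string in the reply position is unlikely to be accepted. Replace it with `return radiusd.RLM_MODULE_REJECT`, optionally preceded by `logger.info("User unknown: %s", user)` so the log line the old code produced is kept. Note also that `user` is rebound from the User-Name string to a User instance a few lines later; a second name such as `user_obj` would make `password = user.pwd_ntlm` easier to follow. authorize begins outside the hunk.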
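Review bot: The new else-branch in post_auth unpacks `result, log, password` but never uses `password`; post_auth has no reason to hold the NT hash, so `result, log, _ = check_user_machine_and_register(nas_type, user, mac)` says so and avoids keeping the credential in scope. The call also depends on `nas_type` and `mac` being bound earlier in post_auth, which starts outside the hunk, so it is worth confirming they are set on every path that reaches this branch. On a falsy result the branch returns a bare `radiusd.RLM_MODULE_REJECT`, while the sibling branch just above returns `(radiusd.RLM_MODULE_REJECT, tuple(attributes), ())`; if the reply attributes are wanted on this rejection too, the tuple form would keep the two paths consistent.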
@@ -110,7 +110,6 @@ class AuthorizeResponseSerializer(Serializer): nas = NasSerializer(read_only=True) user = UserSerializer(read_only=True) - user_interface = InterfaceSerializer(read_only=True) class PostAuthResponseSerializer(Serializer): @@ -123,6 +122,7 @@ class PostAuthResponseSerializer(Serializer): port = PortSerializer() port_profile = PortProfileSerializer(partial=True) switch = SwitchSerializer() + user = UserSerializer(read_only=True) user_interface = InterfaceSerializer() radius_option = RadiusOptionSerializer() EMAIL_STATE_UNVERIFIED = serializers.IntegerField() diff --git a/radius/api/urls.py b/radius/api/urls.py index 2ab8ec91..b0a0d336 100644 --- a/radius/api/urls.py +++ b/radius/api/urls.py @@ -23,12 +23,12 @@ from . import views urls_functional_view = [ ( - r"radius/authorize/(?P[^/]+)/(?P.+)/(?P[^/]{17})$", + r"radius/authorize/(?P[^/]+)/(?P.+)$", views.authorize, None, ), ( - r"radius/post_auth/(?P[^/]+)/(?P.+)/(?P[^/]{17})$", + r"radius/post_auth/(?P[^/]+)/(?P.+)/(?P[^/]{17})/(?P.+)$", views.post_auth, None, ), diff --git a/radius/api/views.py b/radius/api/views.py index ba490b04..67936687 100644 --- a/radius/api/views.py +++ b/radius/api/views.py @@ -37,10 +37,9 @@ from re2o.acl import can_view_all_api, can_edit_all_api, can_create_api class AuthorizeResponse: """Contains objects the radius needs for the Authorize step""" - def __init__(self, nas, user, user_interface): + def __init__(self, nas, user): self.nas = nas self.user = user - self.user_interface = user_interface def can_view(self, user): """Method to bypass api permissions, because we are using ACL decorators""" 
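Review bot: The second hunk adds `user = UserSerializer(read_only=True)` to PostAuthResponseSerializer, reusing the serializer that AuthorizeResponseSerializer already exposes. If UserSerializer is the one that carries the NTLM hash needed by the Authorize step (its field list is not visible here), the Post-Auth endpoint, which only needs to identify the user, would now return that hash as well; a narrower serializer or an explicit `fields` list would keep credential material out of a response that does not need it.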
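Review bot: The post_auth route now ends in a second `.+` group for the username after the 17-character MAC group, so nas_port and username are both unbounded and the MAC segment is the only delimiter between them; the group names have been stripped in this rendering, so I am reading the order from the view signature (nas_id, nas_port, user_mac, username). Because the username originates in the RADIUS User-Name attribute, the caller must percent-encode it before building the URL, and a character class such as `[^/]+` for that group would make a slash-containing or malformed value fail to route instead of matching ambiguously.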
@@ -50,13 +49,12 @@ class AuthorizeResponse: @api_view(["GET"]) @login_required @can_view_all_api(Interface, Domain, IpList, Nas, User) -def authorize(request, nas_id, username, mac_address): +def authorize(request, nas_id, username): """Return objects the radius needs for the Authorize step Parameters: nas_id (string): NAS name or ipv4 username (string): username of the user who is trying to connect - mac_address (string): mac address of the device which is trying to connect Return: AuthorizeResponse: contains all required informations @@ -74,11 +72,8 @@ def authorize(request, nas_id, username, mac_address): # If no username was provided (wired connection), username="None" user = User.objects.filter(pseudo__iexact=username).first() - # get the interface which is trying to connect (if already created) - user_interface = Interface.objects.filter(mac_address=mac_address).first() - serialized = serializers.AuthorizeResponseSerializer( - AuthorizeResponse(nas_type, user, user_interface) + AuthorizeResponse(nas_type, user) ) return Response(data=serialized.data) @@ -94,6 +89,7 @@ class PostAuthResponse: port, port_profile, switch, + user, user_interface, radius_option, EMAIL_STATE_UNVERIFIED, @@ -105,6 +101,7 @@ class PostAuthResponse: self.port = port self.port_profile = port_profile self.switch = switch + self.user = user self.user_interface = user_interface self.radius_option = radius_option self.EMAIL_STATE_UNVERIFIED = EMAIL_STATE_UNVERIFIED 
@@ -119,13 +116,14 @@ class PostAuthResponse: @api_view(["GET"]) @login_required @can_view_all_api(Interface, Domain, IpList, Nas, Switch, Port, User) -def post_auth(request, nas_id, nas_port, user_mac): +def post_auth(request, nas_id, nas_port, user_mac, username): """Return objects the radius needs for the Post-Auth step Parameters: nas_id (string): NAS name or ipv4 nas_port (string): NAS port from wich the request came. Work with Cisco, HP and Juniper convention user_mac (string): mac address of the device which is trying to connect + username (string): username of the user who is trying to connect Return: PostAuthResponse: contains all required informations @@ -172,6 +170,10 @@ def post_auth(request, nas_id, nas_port, user_mac): if port: port_profile = port.get_port_profile + # get the User corresponding to the username in the URL + # If no username was provided (wired connection), username="None" + user = User.objects.filter(pseudo__iexact=username).first() + # get the interface which is trying to connect (if already created) user_interface = ( Interface.objects.filter(mac_address=user_mac) @@ -202,6 +204,7 @@ def post_auth(request, nas_id, nas_port, user_mac): port, port_profile, switch, + user, user_interface, radius_option, EMAIL_STATE_UNVERIFIED,
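Review bot: The new lookup `user = User.objects.filter(pseudo__iexact=username).first()` in post_auth follows a comment saying the caller sends the literal string "None" when no username is available (wired connection), but the query does not special-case that sentinel: an account whose pseudo is `none` in any letter case would be returned as the user of every wired post-auth request. Short-circuit the sentinel before querying, `user = None if username == "None" else User.objects.filter(pseudo__iexact=username).first()`; the pre-existing lookup in authorize, visible on the context lines of an earlier hunk in this file, has the same shape. post_auth begins and ends outside this hunk.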