Check in of modified file, known to work

with Access server 2.7.5
2020-03-16 23:04:57 +00:00 · 2020-03-16 23:04:57 +00:00 · 74f775dbe4
commit 74f775dbe4
1 changed files with 82 additions and 0 deletions
--- a/post_auth_radius_mapping.py
+++ b/post_auth_radius_mapping.py
@ -0,0 +1,82 @@
+from pyovpn.plugin import *
+
+#
+# Following has been updated as tempoary workaround to issues with OpenVPN Radius Responses...
+#
+
+def post_auth(authcred, attributes, authret, info):
+
+    # Create user prop list, if one does not already exist
+    proplist = authret.setdefault('proplist', {})
+
+    # user properties to save
+    proplist_save = {}
+
+    # Proceed with post_auth script if the server is using RADIUS, otherwise skip this script
+    if info.get('auth_method') == 'radius':
+
+        # Every valid user should be able to connect to the VPN
+        authret['proplist']['prop_autogenerate'] = 'true'
+
+        # Evaluating RADIUS server reply for user access flags, 19 is the new code for Callback-Number
+        if 19 in info['radius_reply']:
+
+            print("***** RADIUS-Reply: Callback-Number received, evaluating reply for OpenVPN Access Server access flags...")
+
+            # Does it look like we are dealing with some access flags?
+            if ''.join(info['radius_reply'].get(19)).__len__() == 5:
+
+                # Is the superuser bit set?
+                if ''.join(info['radius_reply'].get(19))[0] == '0':
+                    print("*** RADIUS-Reply: Overrride found for prop_superuser, setting to false...")
+                    authret['proplist']['prop_superuser'] = 'false'
+                elif ''.join(info['radius_reply'].get(19))[0] == '1':
+                    print("*** RADIUS-Reply: Overrride found for prop_superuser, setting to true...")
+                    authret['proplist']['prop_superuser'] = 'true'
+
+                # Is the autologin bit set?
+                if ''.join(info['radius_reply'].get(19))[1] == '0':
+                    print("*** RADIUS-Reply: Overrride found for prop_autologin, setting to false...")
+                    proplist_save['prop_autologin'] = 'false'
+                elif ''.join(info['radius_reply'].get(19))[1] == '1':
+                    print("*** RADIUS-Reply: Overrride found for prop_autologin, setting to true...")
+                    proplist_save['prop_autologin'] = 'true'
+
+                # Is the lzo bit set?
+                if ''.join(info['radius_reply'].get(19))[2] == '0':
+                    print("*** RADIUS-Reply: Overrride found for prop_lzo, setting to false...")
+                    authret['proplist']['prop_lzo'] = 'false'
+                elif ''.join(info['radius_reply'].get(19))[2] == '1':
+                    print("*** RADIUS-Reply: Overrride found for prop_lzo, setting to true...")
+                    authret['proplist']['prop_lzo'] = 'true'
+
+                # Is the reroute_gw bit set?
+                if ''.join(info['radius_reply'].get(19))[3] == '0':
+                    print("*** RADIUS-Reply: Overrride found for prop_reroute_gw_override, setting to 'disable'...")
+                    authret['proplist']['prop_reroute_gw_override'] = 'disable'
+                elif ''.join(info['radius_reply'].get(19))[3] == '1':
+                    print("*** RADIUS-Reply: Overrride found for prop_reroute_gw_override, setting to 'dns_only'...")
+                    authret['proplist']['prop_reroute_gw_override'] = 'dns_only'
+
+                # Is the deny_web bit set?
+                if ''.join(info['radius_reply'].get(19))[4] == '0':
+                    print("*** RADIUS-Reply: Overrride found for prop_deny_web, setting to false...")
+                    authret['proplist']['prop_deny_web'] = 'false'
+                elif ''.join(info['radius_reply'].get(19))[4] == '1':
+                    print("*** RADIUS-Reply: Overrride found for prop_deny_web, setting to true...")
+                    authret['proplist']['prop_deny_web'] = 'true'
+
+        # If Framed-Pool is set, set that as the group for the AS server, 88 is the Framed-Pool response
+        if 88 in info['radius_reply']:
+            print("***** RADIUS-Reply: Framed-Pool received, setting OpenVPN Access Server group to:", ''.join(info['radius_reply'].get(88)))
+            authret['proplist']['conn_group'] = ''.join(info['radius_reply'].get(88))
+
+        # If a static IP address is defined, use it, unless the group is not explicitly defined, 8 is the Framed-IP-Address respone
+        if 8 in info['radius_reply']:
+            if authret['proplist'].get('conn_group') is not None:
+                print("***** RADIUS-Reply: Framed-IP-Address received, trying to set client IP address to: %s with group name: %s" % (''.join(info['radius_reply'].get(8)), authret['proplist'].get('conn_group')))
+                authret['proplist']['conn_ip'] = ''.join(info['radius_reply'].get(8))
+            else:
+                print("*** RADIUS-Reply: Framed-IP-Address received, but no group name is specified. Ignoring reply attribute...")
+
+    return authret, proplist_save