openvpn-as-scripts/post_auth_radius_mapping.py


from pyovpn.plugin import *
#
# The following has been updated as a temporary workaround for issues with OpenVPN RADIUS responses...
#
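# Positional access flags carried in the Callback-Number (attribute 19) reply.
# Each entry: (property name, persist to the saved user properties?,
# {flag character: (property value, text shown in the log line)}).
# A character not listed for a position leaves that property untouched.
_ACCESS_FLAGS = (
    ('prop_superuser', False, {'0': ('false', 'false'), '1': ('true', 'true')}),
    ('prop_autologin', True, {'0': ('false', 'false'), '1': ('true', 'true')}),
    ('prop_lzo', False, {'0': ('false', 'false'), '1': ('true', 'true')}),
    ('prop_reroute_gw_override', False,
     {'0': ('disable', "'disable'"), '1': ('dns_only', "'dns_only'")}),
    ('prop_deny_web', False, {'0': ('false', 'false'), '1': ('true', 'true')}),
)
# Only a reply of exactly this length is treated as an access-flag string.
_ACCESS_FLAG_COUNT = len(_ACCESS_FLAGS)


def _reply_value(radius_reply, attr):
    """Return RADIUS attribute *attr* from *radius_reply* joined into one string.

    Only call this after checking ``attr in radius_reply``.
    """
    # NOTE(review): assumes reply values are lists of str, as the original
    # ''.join(...) calls did -- confirm against the Access Server plugin API.
    return ''.join(radius_reply[attr])


def _apply_access_flags(flags, session_props, saved_props):
    """Apply the positional access flags from the Callback-Number reply.

    *flags* must be exactly ``_ACCESS_FLAG_COUNT`` characters long; anything
    else does not look like an access-flag string and nothing is changed.
    Properties marked persistent in ``_ACCESS_FLAGS`` go to *saved_props*,
    the rest to *session_props*. An unrecognised character at a position
    leaves that property alone (no override, no log line).
    """
    if len(flags) != _ACCESS_FLAG_COUNT:
        return
    for char, (prop, persist, choices) in zip(flags, _ACCESS_FLAGS):
        if char not in choices:
            continue
        value, shown = choices[char]
        print("*** RADIUS-Reply: Overrride found for %s, setting to %s..." % (prop, shown))
        target = saved_props if persist else session_props
        target[prop] = value


def post_auth(authcred, attributes, authret, info):
    """Map RADIUS reply attributes onto OpenVPN Access Server user properties.

    Access Server calls this after authentication. When the user was
    authenticated via RADIUS, three reply attributes are evaluated:

    * 19 (Callback-Number): a 5-character string of access flags, one
      character per property in ``_ACCESS_FLAGS`` (superuser, autologin,
      lzo, reroute_gw_override, deny_web). Only '0'/'1' at a position
      overrides the property; a reply of any other length is ignored.
    * 88 (Framed-Pool): becomes ``conn_group``.
    * 8 (Framed-IP-Address): becomes ``conn_ip``, but only when
      ``conn_group`` is set (by attribute 88 or already present in authret).

    Because these attributes can grant ``prop_superuser`` and
    ``prop_autologin``, the RADIUS server and the path to it are the trust
    boundary for those privileges; nothing here validates the values beyond
    the length and character checks above.

    Args:
        authcred: credentials passed by Access Server (not used here).
        attributes: request attributes passed by Access Server (not used here).
        authret: authentication result dict; its 'proplist' entry is created
            if missing and updated in place.
        info: dict with 'auth_method'; its 'radius_reply' (attribute number
            -> list of strings) is consulted only when the method is 'radius'.

    Returns:
        ``(authret, proplist_save)`` -- *proplist_save* holds properties to
        persist on the user record (only ``prop_autologin`` can land there);
        everything else is applied to the session ``proplist``.
    """
    # Create the user prop list if one does not already exist.
    proplist = authret.setdefault('proplist', {})
    # User properties to save on the user record.
    proplist_save = {}
    # Only act on RADIUS logins; other methods keep their properties as-is.
    if info.get('auth_method') != 'radius':
        return authret, proplist_save

    # Every valid RADIUS user should be able to connect to the VPN.
    proplist['prop_autogenerate'] = 'true'
    # A missing reply dict used to raise KeyError; treat it as "no attributes".
    radius_reply = info.get('radius_reply') or {}

    if 19 in radius_reply:
        print("***** RADIUS-Reply: Callback-Number received, evaluating reply for OpenVPN Access Server access flags...")
        _apply_access_flags(_reply_value(radius_reply, 19), proplist, proplist_save)

    if 88 in radius_reply:
        group = _reply_value(radius_reply, 88)
        print("***** RADIUS-Reply: Framed-Pool received, setting OpenVPN Access Server group to:", group)
        proplist['conn_group'] = group

    if 8 in radius_reply:
        group = proplist.get('conn_group')
        if group is not None:
            client_ip = _reply_value(radius_reply, 8)
            print("***** RADIUS-Reply: Framed-IP-Address received, trying to set client IP address to: %s with group name: %s" % (client_ip, group))
            proplist['conn_ip'] = client_ip
        else:
            # A static address is only honoured together with an explicit group.
            print("*** RADIUS-Reply: Framed-IP-Address received, but no group name is specified. Ignoring reply attribute...")

    return authret, proplist_save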