RADIUS@NPS authentication via python script using pyrad

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

Moderators: TinCanTech

Apokrif
OpenVpn Newbie
Posts: 11
Joined: Fri Sep 07, 2012 8:04 pm

RADIUS@NPS authentication via python script using pyrad

Post by Apokrif » Fri Apr 24, 2015 2:38 am

I spent quite some time trying to make OpenVPN work with RADIUS@NPS via python script using pyrad.
The difficult part was to figure out the right config syntax; the only one that worked is below:
auth-user-pass-verify "C:/Python27/python.exe user-auth.py" via-env
The most surprising thing was: OpenVPN cannot run python (or vbs) script without crouches! :shock:

user-auth.py

#!/usr/bin/python

import os
import sys
import socket
import pyrad.packet
from pyrad.client import Client
from pyrad.dictionary import Dictionary

srv=Client(server="server_ip", secret="some_s3cret", dict=Dictionary("dictionary"))

req=srv.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=os.environ.get('username'))
req["User-Password"]=req.PwCrypt(os.environ.get('password'))

try:
	reply=srv.SendPacket(req)
except pyrad.client.Timeout:
	print "RADIUS server does not reply"
	sys.exit(1)
except socket.error, error:
	print "Network error: " + error[1]
	sys.exit(1)

if reply.code==pyrad.packet.AccessAccept:
	print "access accepted"
	sys.exit(0)
else:
	print "access denied"
	sys.exit(1)
The :idea: was stolen here

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: RADIUS@NPS authentication via python script using pyrad

Post by Traffic » Fri Apr 24, 2015 1:04 pm

Apokrif wrote:The most surprising thing was: OpenVPN cannot run python (or vbs) script without crouches! :shock:
(By crouches, I presume you mean crashes.)
  • Why would openvpn be able to natively run a Python or VBS script?
    Do you want openvpn to come with Python and Windows script host compiled in?
FYI this:
Apokrif wrote:auth-user-pass-verify "C:/Python27/python.exe user-auth.py" via-env
could also be configured like so:

auth-user-pass-verify "C:\\Python27\\python.exe user-auth.py" via-env

Apokrif
OpenVpn Newbie
Posts: 11
Joined: Fri Sep 07, 2012 8:04 pm

Re: RADIUS@NPS authentication via python script using pyrad

Post by Apokrif » Sat Apr 25, 2015 4:11 pm

Traffic wrote:FYI this:
Apokrif wrote:auth-user-pass-verify "C:/Python27/python.exe user-auth.py" via-env
could also be configured like so:
auth-user-pass-verify "C:\\Python27\\python.exe user-auth.py" via-env
Nope, OpenVPN returns an error, something like: File "C:\Python27\python.exe user-auth.py" doesn’t exist.
Traffic wrote:Why would openvpn be able to natively run a Python or VBS script?
Do you want openvpn to come with Python and Windows script host compiled in?
I've never said that. I meant that it cannot find python.exe via the PATH either, because it's reduced to
PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
That’s why we need "C:\Python27\python.exe"

And it ignores file associations too, something like:
>assoc .py
.py=Python.File
>ftype Python.File
Python.File="C:\Python27\python.exe" "%1" %*
which is funny, because in the sample config files the line
--auth-user-pass-verify script method
shows script parameter as absolute or relative script path only, without "python prefix".
AFAIK, it’ll work for Unix/Linux only, Windows requires very special syntax. That’s why I wrote:
Apokrif wrote:The most surprising thing was: OpenVPN cannot run python (or vbs) script without crouches! :shock:
Another workaround is to create user-auth.cmd

C:\Python27\python.exe user-auth.py
exit %errorlevel%
and use
auth-user-pass-verify user-auth.cmd via-env

The same is true for vbs, php, etc. scripts; you can find auth-user-pass-verify samples in this forum branch.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: RADIUS@NPS authentication via python script using pyrad

Post by Traffic » Sat Apr 25, 2015 5:03 pm

Apokrif wrote:File "C:\Python27\python.exe user-auth.py" doesn’t exist
Note the escape character for the folder marker .. " \\" not " \"

Apokrif
OpenVpn Newbie
Posts: 11
Joined: Fri Sep 07, 2012 8:04 pm

Re: RADIUS@NPS authentication via python script using pyrad

Post by Apokrif » Sat Apr 25, 2015 6:18 pm

Traffic wrote:
Apokrif wrote:File "C:\Python27\python.exe user-auth.py" doesn’t exist
Note the escape character for the folder marker .. " \\" not " \"
In case it’s still not clear, below are the errors for the wrong parameter settings:

auth-user-pass-verify "C:\\Python27\\python.exe user-auth.py" via-env
Options error: --auth-user-pass-verify script fails with 'C:\Python27\python.exe user-auth.py': No such file or directory
Options error: Please correct this error.
Use --help for more information.


auth-user-pass-verify "C:\Python27\python.exe user-auth.py" via-env
Options warning: Bad backslash ('\') usage in server.ovpn:313: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as "c:\\openvpn\\static.key"
Use --help for more information.
