pyrad 1.1

RADIUS client tools

Introduction

pyrad is an implementation of a RADIUS client as described in RFC2865. It takes care of all the details like building RADIUS packets, sending them and decoding responses.

Here is an example of doing a authentication request:

import pyrad.packet
from pyrad.client import Client
from pyrad.dictionary import Dictionary

srv=Client(server="radius.my.domain", secret="s3cr3t",
      dict=Dictionary("dicts/dictionary", "dictionary.acc"))

req=srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
              User_Name="wichert", NAS_Identifier="localhost")
req["User-Password"]=req.PwCrypt("password")

reply=srv.SendPacket(req)
if reply.code==pyrad.packet.AccessAccept:
    print "access accepted"
else:
    print "access denied"

print "Attributes returned by server:"
for i in reply.keys():
    print "%s: %s" % (i, reply[i])

Requirements & Installation

pyrad requires Python 2.4 or later.

Installing is simple; pyrad uses the standard distutils system for installing Python modules:

python setup.py install

Author, copyright, availability

pyrad was written by Wichert Akkerman <wichert@wiggy.net>

Copyright and license information can be found in LICENSE.txt

The current version and documentation can be found at its homepage: http://www.simplon.biz/software/pyrad

Bugs and wishes can be submitted in the pyrad issue tracker: https://code.wiggy.net/tracker/pyrad/

Pyrad 1.1

• Add the ‘octets’ datatype from FreeRADIUS. This is treated just like string; the only difference is how FreeRADIUS prints it.

• Check against unimplemented datatypes in EncodeData and DecodeData instead of assuming an identity transform works.

• Make Packet.has_key and __contains__ gracefully handle unknown attributes. Based on a patch from Alexey V Michurun <am@rol.ru>.

• Add a __delitem__ implementation to Packet. Based on a patch from Alexey V Michurun <am@rol.ru>.

Pyrad 1.0

• Add unit tests. Pyrad now has 100% test coverage!

• Moved the proxy server has been out of the server module to a new proxy module.

• Fix several errors that prevented the proxy code from working.

• Use the standard logging module instead of printing to stdout.

• The default dictionary for Server instances was shared between all instances, possibly leading to unwanted data pollution. Each Server now gets its own dict instance if none is passed in to the constructor.

• Fixed a timeout handling problem in the client: after receiving an invalid reply the current time was not updated, possibly leading to the client blocking forever.

• Switch to setuptools, allowing pyrad to be distributed as an egg via the python package index.

• Use absolute instead of relative imports.

• Sockets are now opened with SO_REUSEADDR enabled to allow for faster restarts.

Version 0.9

• Start using trac to manage the project: http://code.wiggy.net/tracker/pyrad/

• [bug 3] Fix handling of packets with an id of 0

• [bug 2] Fix handling of file descriptor parameters in the server code and example.

• [bug 4] Fix wrong variable name in exception raised when encountering an overly long packet.

• [bug 5] Fix error message in parse error for dictionaries.

• [bug 8] Packet.CreateAuthenticator is now a static method.

Version 0.8

• Fix time-handling in the client packet sending code: it would loop forever since the now time was updated at the wrong moment. Fix from Michael Mitchell <Michael.Mitchell@team.telstra.com>

• Fix passing of dict parameter when creating reply packets

Version 0.7

• add HandleAuthPacket and HandleAcctPacket hooks to Server class. Request from Thomas Boettcher.

• Pass on dict attribute when creating a reply packet. Requested by Thomas Boettcher.

• Allow specififying new attributes when using Server.CreateReplyPacket. Requested by Thomas Boettcher.

Version 0.6

• packet.VerifyReply() had a syntax error when not called with a raw packet.

• Add bind() method to the Client class.

• [SECURITY] Fix handling of timeouts in client module: when a bad packet was received pyrad immediately started the next retry instead of discarding it and waiting for a timeout. This could be exploited by sending a number of bogus responses before a correct reply to make pyrad not see the real response.

• correctly set Acct-Delay-Time when resending accounting requests packets.

• verify account request packages as well (from Farshad Khoshkhui).

• protect against packets with bogus lengths (from Farshad Khoshkhui).

Version 0.5

• Fix typo in server class which broke handling of accounting packets.

• Create seperate AuthPacket and AcctPacket classes; this resulted in a fair number of API changes.

• Packets now know how to create and verify replies.

• Client now directs authentication and accounting packets to the correct port on the server.

• Add twisted support via the new curved module.

• Fix incorrect exception handling in client code.

• Update example server to handle accounting packets.

• Add example for sending account packets.

Version 0.4

• Fix last case of bogus exception usage.

• Move RADIUS code constants to packet module.

• Add support for decoding passwords and generating reply packets to Packet class.

• Add basic RADIUS server and proxy implementation.

Version 0.3

• client.Timeout is now derived from Exception.

• Docstring documentation added.

• Include example dictionaries and authentication script.

Version 0.2

• Use proper exceptions.

• Encode and decode vendor attributes.

• Dictionary can parse vendor dictionaries.

• Dictionary can handle attribute values.

• Enhance most constructors; they now take extra optional parameters with initialisation info.

• No longer use obsolete python interfaces like whrandom.

Version 0.1

• First release