Univention Bugzilla – Bug 55388
univention-radius-check-access insists on optional argument "station-id"
Last modified: 2023-09-14 14:32:51 CEST
Environment: UCS: 5.0-2 errata460, radius=5.0 samba4=4.16 ucsschool=5.0 v3

    root@dn1:~# univention-radius-check-access --help
    usage: univention-radius-check-access [-h] --username USERNAME [--station-id STATION_ID]

    Check network access for a user and/or MAC address

    optional arguments:
      -h, --help            show this help message and exit
      --username USERNAME
      --station-id STATION_ID

This indicates that "--station-id" is optional, but:

    root@dn1:~# univention-radius-check-access --username a.mueller
    Traceback (most recent call last):
      File "/usr/bin/univention-radius-check-access", line 63, in <module>
        sys.exit(main())
      File "/usr/bin/univention-radius-check-access", line 49, in main
        networkAccess = NetworkAccess(options.username, options.station_id, loglevel=4)
      File "/usr/lib/python3/dist-packages/univention/radius/networkaccess.py", line 99, in __init__
        self.mac_address = decode_stationId(stationId)
      File "/usr/lib/python3/dist-packages/univention/radius/utils.py", line 36, in decode_stationId
        norm = "".join(c for c in stationId.lower() if c in "0123456789abcdef")
    AttributeError: 'NoneType' object has no attribute 'lower'

This is a regression:

    root@monitor:~# univention-app info
    UCS: 4.4-9 errata1272
    Installed: nagios=4.3 prometheus-node-exporter=1.1 radius=5.0
    Upgradable: prometheus-node-exporter
    root@monitor:~# univention-radius-check-access --username=someone
    DEBUG: [user=someone; mac=None] Given username: "someone"
    DEBUG: [user=someone; mac=None] Given stationId: "None"
    DEBUG: [user=someone; mac=None] UCS@school RADIUS support is not installed
    INFO: [user=someone; mac=None] Login attempt with unknown username
    DEBUG: [user=someone; mac=None] User is not allowed to authenticate via RADIUS
    DEBUG: [user=someone; mac=None] --- Thus access is DENIED.

But it will work when specifying a station-id:

    root@dn1:~# univention-radius-check-access --username a.mueller --station-id none
    DEBUG: [user=a.mueller; mac=e:::::] Given username: 'a.mueller'
    DEBUG: [user=a.mueller; mac=e:::::] Given stationId: 'none'
    DEBUG: [user=a.mueller; mac=e:::::] UCS@school RADIUS support is not installed
    DEBUG: [user=a.mueller; mac=e:::::] Checking LDAP settings for user
    DEBUG: [user=a.mueller; mac=e:::::] DENY 'uid=a.mueller,cn=lehrer,cn=users,ou=SchuleA,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=admins-schulea,cn=ouadmins,cn=groups,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=lehrer-schulea,cn=groups,ou=SchuleA,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=Domain Users SchuleA,cn=groups,ou=SchuleA,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=lehrer-schuleb,cn=groups,ou=SchuleB,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=Domain Users SchuleB,cn=groups,ou=SchuleB,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleB-1a,cn=klassen,cn=schueler,cn=groups,ou=SchuleB,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleB-1b,cn=klassen,cn=schueler,cn=groups,ou=SchuleB,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleA-1a,cn=klassen,cn=schueler,cn=groups,ou=SchuleA,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleA-1b,cn=klassen,cn=schueler,cn=groups,ou=SchuleA,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleB-1c,cn=klassen,cn=schueler,cn=groups,ou=SchuleB,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleA-1c,cn=klassen,cn=schueler,cn=groups,ou=SchuleA,dc=training,dc=ucs'
    DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleA-AG Informatik,cn=schueler,cn=groups,ou=SchuleA,dc=training,dc=ucs'
    INFO: [user=a.mueller; mac=e:::::] Login attempt denied by LDAP settings
    DEBUG: [user=a.mueller; mac=e:::::] User is not allowed to authenticate via RADIUS
    DEBUG: [user=a.mueller; mac=e:::::] --- Thus access is DENIED.

As it is unclear to me if this behaviour is now by design, I will open a bug for the component. In case the syntax has changed, the help-text as well as the documentation should be adjusted.
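
Added example, not part of the bug report and not Univention's code: it reproduces the crash from the traceback with the same argparse layout and shows why "--station-id none" appears as mac=e::::: in the log. The function names, the pair-wise grouping (chosen because it reproduces the logged value) and the None-tolerant variant are assumptions.

```python
import argparse

HEX_DIGITS = "0123456789abcdef"


def decode_as_in_traceback(station_id):
    # Normalization expression quoted in the traceback (utils.py, line 36).
    norm = "".join(c for c in station_id.lower() if c in HEX_DIGITS)
    # Assumption: grouping into six pairs; it reproduces "mac=e:::::" from the log.
    return ":".join(norm[i:i + 2] for i in range(0, 12, 2))


def decode_tolerant(station_id):
    """Hypothetical variant: a missing station-id stays None, and anything
    that does not normalize to exactly 12 hex digits is rejected."""
    if station_id is None:
        return None
    norm = "".join(c for c in station_id.lower() if c in HEX_DIGITS)
    if len(norm) != 12:
        raise ValueError("station-id is not a MAC address: %r" % (station_id,))
    return ":".join(norm[i:i + 2] for i in range(0, 12, 2))


def parse_args(argv):
    # Same option layout as the --help output in the report.
    parser = argparse.ArgumentParser(prog="univention-radius-check-access")
    parser.add_argument("--username", required=True)
    parser.add_argument("--station-id")  # optional, so it defaults to None
    return parser.parse_args(argv)


def reproduce_crash():
    """Return the error message raised when --station-id is omitted."""
    options = parse_args(["--username", "a.mueller"])
    try:
        decode_as_in_traceback(options.station_id)
    except AttributeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("without --station-id:", reproduce_crash())
    # "none" contains a single hex digit ("e"), so it passes as a bogus MAC.
    print("--station-id none   :", decode_as_in_traceback("none"))
    print("tolerant, omitted   :", decode_tolerant(None))
    print("tolerant, real MAC  :", decode_tolerant("00-11-22-AA-BB-CC"))
```
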
I came across this bug today with a customer. I could not figure out what the problem was. It is quite confusing since the documentation does not mention the station id and there is no way of finding out what that attribute is.
Also mentioned in https://help.univention.com/t/radius-app-univention-radius-check-access-fehlermeldung/22027

The last comment says: "...So, I assume the Univention provided univention-radius-check-access is somehow deprecated/abandonned/defect?"