Bug 55388 - univention-radius-check-access insists on optional argument "station-id"
Status: NEW
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2022-11-04 10:38 CET by Dirk Ahrnke
Modified: 2023-09-14 14:32 CEST (History)

What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.069
Bug group (optional): Regression
Description Dirk Ahrnke univentionstaff 2022-11-04 10:38:16 CET
Environment:
UCS: 5.0-2 errata460, radius=5.0 samba4=4.16 ucsschool=5.0 v3

root@dn1:~# univention-radius-check-access --help
usage: univention-radius-check-access [-h] --username USERNAME
                                      [--station-id STATION_ID]

Check network access for a user and/or MAC address

optional arguments:
  -h, --help            show this help message and exit
  --username USERNAME
  --station-id STATION_ID

This indicates that "--station-id" is optional. 

but:
root@dn1:~# univention-radius-check-access --username a.mueller 
Traceback (most recent call last):
  File "/usr/bin/univention-radius-check-access", line 63, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-check-access", line 49, in main
    networkAccess = NetworkAccess(options.username, options.station_id, loglevel=4)
  File "/usr/lib/python3/dist-packages/univention/radius/networkaccess.py", line 99, in __init__
    self.mac_address = decode_stationId(stationId)
  File "/usr/lib/python3/dist-packages/univention/radius/utils.py", line 36, in decode_stationId
    norm = "".join(c for c in stationId.lower() if c in "0123456789abcdef")
AttributeError: 'NoneType' object has no attribute 'lower'

This is a regression:

root@monitor:~# univention-app info
UCS: 4.4-9 errata1272
Installed: nagios=4.3 prometheus-node-exporter=1.1 radius=5.0
Upgradable: prometheus-node-exporter
root@monitor:~# univention-radius-check-access --username=someone
     DEBUG: [user=someone; mac=None] Given username: "someone"
     DEBUG: [user=someone; mac=None] Given stationId: "None"
     DEBUG: [user=someone; mac=None] UCS@school RADIUS support is not installed
      INFO: [user=someone; mac=None] Login attempt with unknown username
     DEBUG: [user=someone; mac=None] User is not allowed to authenticate via RADIUS
     DEBUG: [user=someone; mac=None] --- Thus access is DENIED.


But it will work when specifying a station-id:

root@dn1:~# univention-radius-check-access --username a.mueller --station-id none
     DEBUG: [user=a.mueller; mac=e:::::] Given username: 'a.mueller'
     DEBUG: [user=a.mueller; mac=e:::::] Given stationId: 'none'
     DEBUG: [user=a.mueller; mac=e:::::] UCS@school RADIUS support is not installed
     DEBUG: [user=a.mueller; mac=e:::::] Checking LDAP settings for user
     DEBUG: [user=a.mueller; mac=e:::::] DENY 'uid=a.mueller,cn=lehrer,cn=users,ou=SchuleA,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=admins-schulea,cn=ouadmins,cn=groups,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=lehrer-schulea,cn=groups,ou=SchuleA,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=Domain Users SchuleA,cn=groups,ou=SchuleA,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=lehrer-schuleb,cn=groups,ou=SchuleB,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=Domain Users SchuleB,cn=groups,ou=SchuleB,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleB-1a,cn=klassen,cn=schueler,cn=groups,ou=SchuleB,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleB-1b,cn=klassen,cn=schueler,cn=groups,ou=SchuleB,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleA-1a,cn=klassen,cn=schueler,cn=groups,ou=SchuleA,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleA-1b,cn=klassen,cn=schueler,cn=groups,ou=SchuleA,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleB-1c,cn=klassen,cn=schueler,cn=groups,ou=SchuleB,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleA-1c,cn=klassen,cn=schueler,cn=groups,ou=SchuleA,dc=training,dc=ucs'
     DEBUG: [user=a.mueller; mac=e:::::] -> DENY 'cn=SchuleA-AG Informatik,cn=schueler,cn=groups,ou=SchuleA,dc=training,dc=ucs'
      INFO: [user=a.mueller; mac=e:::::] Login attempt denied by LDAP settings
     DEBUG: [user=a.mueller; mac=e:::::] User is not allowed to authenticate via RADIUS
     DEBUG: [user=a.mueller; mac=e:::::] --- Thus access is DENIED.

As it is unclear to me if this behaviour is now by design I will open a bug for the component. In case the syntax has changed the help-text as well as the documentation should be adjusted.
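Added example, not part of the report and not Univention's code: a minimal reproduction of the failure shown in the traceback, next to a None-tolerant, strict station-id parser. Only the hex-filter line is taken from the traceback; the function names, the pair-joining step (inferred from the "mac=e:::::" log output) and the accepted separators are assumptions.

```python
import argparse
import re

HEX = "0123456789abcdef"

def parse_args(argv):
    # Same interface as the --help output: --username required, --station-id optional.
    p = argparse.ArgumentParser(description="Check network access for a user and/or MAC address")
    p.add_argument("--username", required=True)
    p.add_argument("--station-id")  # argparse default is None when omitted
    return p.parse_args(argv)

def decode_as_in_traceback(station_id):
    # Filter line quoted in the traceback (utils.py line 36): fails on None.
    norm = "".join(c for c in station_id.lower() if c in HEX)
    # Assumption: octet pairs joined with ':' (matches "mac=e:::::" for "none").
    return ":".join(norm[i:i + 2] for i in range(0, 12, 2))

def decode_strict(station_id):
    """Return a canonical MAC, None if no station id was given, else raise."""
    if station_id is None:
        return None
    # Assumption: ':', '-' and '.' are the only separators accepted.
    norm = re.sub(r"[:.\-]", "", station_id.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", norm):
        raise ValueError("not a MAC address: %r" % station_id)
    return ":".join(norm[i:i + 2] for i in range(0, 12, 2))

def demo():
    opts = parse_args(["--username", "a.mueller"])  # constructed input
    results = {"omitted": opts.station_id}
    try:
        decode_as_in_traceback(opts.station_id)
    except AttributeError as exc:
        results["crash"] = str(exc)
    # The literal string "none" survives the hex filter as the single digit "e".
    results["none_literal"] = decode_as_in_traceback("none")
    results["strict_omitted"] = decode_strict(opts.station_id)
    results["strict_mac"] = decode_strict("00-11-22-AA-BB-CC")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The strict variant keeps "no station id given" distinct from "station id given but malformed", so a placeholder such as `none` is rejected instead of being evaluated as the MAC `e:::::`.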
Comment 1 Stefanie Schneider univentionstaff 2023-06-29 12:28:15 CEST
I came across this bug today with a customer. I could not figure out what the problem was. It is quite confusing since the documentation does not mention the station id and there is no way of finding out what that attribute is.
Comment 2 Dirk Ahrnke univentionstaff 2023-09-14 14:32:51 CEST
also mentioned in https://help.univention.com/t/radius-app-univention-radius-check-access-fehlermeldung/22027

last comment says:
"...So, I assume the Univention provided univention-radius-check-access is somehow deprecated/abandoned/defect?"