RADIUS Class

Properties   Methods   Events   Config Settings   Errors  

The RADIUS class provides an easy way to authenticate users.

Syntax

class ipworksauth.RADIUS

Remarks

The RADIUS component implements support for Remote Authentication Dial In User Service (RADIUS).

Authentication

The class can be used to authenticate users with a RADIUS server. To begin set the following properties:

• remote_host
• remote_port (optional)
• user
• password
• shared_secret

To authenticate the user call authenticate. If the method returns without error the user was successfully authenticated. The Attr* properties will hold information about the attributes in the response.

The auth_mechanism property may be set to specify the authentication mechanism used.

Property List

---

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

Method List

---

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

Event List

---

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

Config Settings

---

The following is a list of config settings for the class with short descriptions. Click on the links for further details.

attr_count Property

The number of records in the Attr arrays.

Syntax

def get_attr_count() -> int: ...
def set_attr_count(value: int) -> None: ...

attr_count = property(get_attr_count, set_attr_count)

Default Value

0

Remarks

This property controls the size of the following arrays:

• attr_name
• attr_type
• attr_value

The array indices start at 0 and end at attr_count - 1.

attr_type Property

The type of the attribute.

Syntax

def get_attr_type(attr_index: int) -> int: ...
def set_attr_type(attr_index: int, value: int) -> None: ...

Default Value

0

Remarks

The type of the attribute.

This property identifies the type of the attribute. Common values are:

The attr_index parameter specifies the index of the item in the array. The size of the array is controlled by the attr_count property.

attr_name Property

A text description of the attribute type.

Syntax

def get_attr_name(attr_index: int) -> str: ...

Default Value

""

Remarks

A text description of the attribute type.

This property holds a text description of the attribute_type.

The attr_index parameter specifies the index of the item in the array. The size of the array is controlled by the attr_count property.

This property is read-only.

attr_value Property

The attribute value.

Syntax

def get_attr_value(attr_index: int) -> bytes: ...
def set_attr_value(attr_index: int, value: bytes) -> None: ...

Default Value

""

Remarks

The attribute value.

The attr_index parameter specifies the index of the item in the array. The size of the array is controlled by the attr_count property.

auth_mechanism Property

The authentication mechanism to be used when connecting to the RADIUS server.

Syntax

def get_auth_mechanism() -> int: ...
def set_auth_mechanism(value: int) -> None: ...

auth_mechanism = property(get_auth_mechanism, set_auth_mechanism)

Default Value

0

Remarks

This property defines the authentication mechanism used when connecting to the RADIUS server. Possible values are:

When set to ramEAPTLS the SSLCert* properties must be set to the client certificate used to authenticate to the server.

eap_anonymous_identity Property

The identity to use when using PEAP or EAP-TLS.

Syntax

def get_eap_anonymous_identity() -> str: ...
def set_eap_anonymous_identity(value: str) -> None: ...

eap_anonymous_identity = property(get_eap_anonymous_identity, set_eap_anonymous_identity)

Default Value

"anonymous"

Remarks

This property specifies the initital identity to use when establishing a secure connection using PEAP. When auth_mechanism is set to amPEAPv0 or emEAPTLS the connection begins in plaintext. This property specifies the user name (if any) that is sent in the initial plaintext request. This allows the true identity of the user to be hidden.

If set, the value will be sent in the plaintext connection request. If not set (empty string) the user will be sent. Authentication servers may make use of a value that includes the domain to which the user will authenticate, such as anonymous@example.com. In that case the user's identity is still hidden, however the authentication server will have knowledge of the domain for the user which it may make use of.

Once a secure connection is established the user's true identity is sent to the authentication server over the TLS encrypted connection. This property specifies only the identity sent in the initial plaintext request.

The default value is anonymous.

This setting is only applicable when auth_mechanism is set to amPEAPv0 or amEAPTLS.

local_host Property

The name of the local host or user-assigned IP interface through which connections are initiated or accepted.

Syntax

def get_local_host() -> str: ...
def set_local_host(value: str) -> None: ...

local_host = property(get_local_host, set_local_host)

Default Value

""

Remarks

The local_host property contains the name of the local host as obtained by the gethostname() system call, or if the user has assigned an IP address, the value of that address.

In multi-homed hosts (machines with more than one IP interface) setting LocalHost to the value of an interface will make the class initiate connections (or accept in the case of server classs) only through that interface.

If the class is connected, the local_host property shows the IP address of the interface through which the connection is made in internet dotted format (aaa.bbb.ccc.ddd). In most cases, this is the address of the local host, except for multi-homed hosts (machines with more than one IP interface).

NOTE: local_host is not persistent. You must always set it in code, and never in the property window.

local_port Property

The UDP port in the local host where UDP binds.

Syntax

def get_local_port() -> int: ...
def set_local_port(value: int) -> None: ...

local_port = property(get_local_port, set_local_port)

Default Value

0

Remarks

The local_port property must be set before UDP is activated (active is set to True). It instructs the class to bind to a specific port (or communication endpoint) in the local machine.

Setting it to 0 (default) enables the TCP/IP stack to choose a port at random. The chosen port will be shown by the local_port property after the connection is established.

local_port cannot be changed once the class is active. Any attempt to set the local_port property when the class is active will generate an error.

The local_port property is useful when trying to connect to services that require a trusted port in the client side.

password Property

The user's password.

Syntax

def get_password() -> str: ...
def set_password(value: str) -> None: ...

password = property(get_password, set_password)

Default Value

""

Remarks

This property specifies the password for the user. This must be set before calling authenticate.

remote_host Property

The address of the remote host. Domain names are resolved to IP addresses.

Syntax

def get_remote_host() -> str: ...
def set_remote_host(value: str) -> None: ...

remote_host = property(get_remote_host, set_remote_host)

Default Value

""

Remarks

The remote_host property specifies the IP address (IP number in dotted internet format) or Domain Name of the remote host.

If remote_host is set to 255.255.255.255, the class broadcasts data on the local subnet.

If the remote_host property is set to a Domain Name, a DNS request is initiated and upon successful termination of the request, the remote_host property is set to the corresponding address. If the search is not successful, an error is returned.

If UseConnection is set to True, the remote_host must be set before the class is activated (active is set to True).

remote_port Property

The port for the RADIUS server (default is 1812).

Syntax

def get_remote_port() -> int: ...
def set_remote_port(value: int) -> None: ...

remote_port = property(get_remote_port, set_remote_port)

Default Value

1812

Remarks

The remote_port is the UDP port to which requests will be made. The default value is 1812. Port 1645 is also commonly used.

shared_secret Property

The RADIUS shared secret.

Syntax

def get_shared_secret() -> bytes: ...
def set_shared_secret(value: bytes) -> None: ...

shared_secret = property(get_shared_secret, set_shared_secret)

Default Value

""

Remarks

This property holds the shared secret to use when communicating with the RADIUS server.

ssl_cert_encoded Property

This is the certificate (PEM/base64 encoded).

Syntax

def get_ssl_cert_encoded() -> bytes: ...
def set_ssl_cert_encoded(value: bytes) -> None: ...

ssl_cert_encoded = property(get_ssl_cert_encoded, set_ssl_cert_encoded)

Default Value

""

Remarks

This is the certificate (PEM/base64 encoded). This property is used to assign a specific certificate. The ssl_cert_store and ssl_cert_subject properties also may be used to specify a certificate.

When ssl_cert_encoded is set, a search is initiated in the current ssl_cert_store for the private key of the certificate. If the key is found, ssl_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, ssl_cert_subject is set to an empty string.

ssl_cert_store Property

This is the name of the certificate store for the client certificate.

Syntax

def get_ssl_cert_store() -> bytes: ...
def set_ssl_cert_store(value: bytes) -> None: ...

ssl_cert_store = property(get_ssl_cert_store, set_ssl_cert_store)

Default Value

"MY"

Remarks

This is the name of the certificate store for the client certificate.

The ssl_cert_store_type property denotes the type of the certificate store specified by ssl_cert_store. If the store is password protected, specify the password in ssl_cert_store_password.

ssl_cert_store is used in conjunction with the ssl_cert_subject property to specify client certificates. If ssl_cert_store has a value, and ssl_cert_subject or ssl_cert_encoded is set, a search for a certificate is initiated. Please see the ssl_cert_subject property for details.

Designations of certificate stores are platform-dependent.

The following are designations of the most common User and Machine certificate stores in Windows:

When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).

ssl_cert_store_password Property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_ssl_cert_store_password() -> str: ...
def set_ssl_cert_store_password(value: str) -> None: ...

ssl_cert_store_password = property(get_ssl_cert_store_password, set_ssl_cert_store_password)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

ssl_cert_store_type Property

This is the type of certificate store for this certificate.

Syntax

def get_ssl_cert_store_type() -> int: ...
def set_ssl_cert_store_type(value: int) -> None: ...

ssl_cert_store_type = property(get_ssl_cert_store_type, set_ssl_cert_store_type)

Default Value

0

Remarks

This is the type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used the class will automatically determine the type. This property can take one of the following values:

ssl_cert_subject Property

This is the subject of the certificate used for client authentication.

Syntax

def get_ssl_cert_subject() -> str: ...
def set_ssl_cert_subject(value: str) -> None: ...

ssl_cert_subject = property(get_ssl_cert_subject, set_ssl_cert_subject)

Default Value

""

Remarks

This is the subject of the certificate used for client authentication.

This property must be set after all other certificate properties are set. When this property is set, a search is performed in the current certificate store to locate a certificate with a matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are displayed below.

If a field value contains a comma it must be quoted.

timeout Property

A timeout for the class.

Syntax

def get_timeout() -> int: ...
def set_timeout(value: int) -> None: ...

timeout = property(get_timeout, set_timeout)

Default Value

60

Remarks

If the timeout property is set to 0, all operations will run uninterrupted until successful completion or an error condition is encountered.

If timeout is set to a positive value, the class will wait for the operation to complete before returning control.

The class will use do_events to enter an efficient wait loop during any potential waiting period, making sure that all system events are processed immediately as they arrive. This ensures that the host application does not "freeze" and remains responsive.

If timeout expires, and the operation is not yet complete, the class fails with an error.

Please note that by default, all timeouts are inactivity timeouts, i.e. the timeout period is extended by timeout seconds when any amount of data is successfully sent or received.

The default value for the timeout property is 60 seconds.

user Property

The name of the user to authenticate.

Syntax

def get_user() -> str: ...
def set_user(value: str) -> None: ...

user = property(get_user, set_user)

Default Value

""

Remarks

This property holds the name of the user to authenticate.

authenticate Method

Authenticates the user.

Syntax

def authenticate() -> None: ...

Remarks

This method authenticates the user with the RADIUS server.

If authentication is successful this method returns without error. If authentication fails this method will throw an exception.

This following properties are applicable when calling this method:

• user (required)
• password (required)
• shared_secret (required)
• remote_host (required)
• remote_port
• timeout

config Method

Sets or retrieves a configuration setting.

Syntax

def config(configuration_string: str) -> str: ...

Remarks

config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

do_events Method

Processes events from the internal message queue.

Syntax

def do_events() -> None: ...

Remarks

When do_events is called, the class processes any available events. If no events are available, it waits for a preset period of time, and then returns.

interrupt Method

Interrupt the current method.

Syntax

def interrupt() -> None: ...

Remarks

If there is no method in progress, interrupt simply returns, doing nothing.

reset Method

Resets the class properties to their default values.

Syntax

def reset() -> None: ...

Remarks

This method resets the properties to their default values.

on_attribute Event

Fires for each attribute that is received.

Syntax

class RADIUSAttributeEventParams(object):
  @property
  def attribute_type() -> int: ...

  @property
  def name() -> str: ...

  @property
  def value() -> bytes: ...

# In class RADIUS:
@property
def on_attribute() -> Callable[[RADIUSAttributeEventParams], None]: ...
@on_attribute.setter
def on_attribute(event_hook: Callable[[RADIUSAttributeEventParams], None]) -> None: ...

Remarks

This event fires once for each attribute that is received. This will fire when calling authenticate.

AttributeType is the attribute type. Common values are:

Name is the text description of the attribute.

Value is the value of the attribute.

on_error Event

Information about errors during data delivery.

Syntax

class RADIUSErrorEventParams(object):
  @property
  def error_code() -> int: ...

  @property
  def description() -> str: ...

# In class RADIUS:
@property
def on_error() -> Callable[[RADIUSErrorEventParams], None]: ...
@on_error.setter
def on_error(event_hook: Callable[[RADIUSErrorEventParams], None]) -> None: ...

Remarks

The on_error event is fired in case of exceptional conditions during message processing. Normally the class fails with an error.

ErrorCode contains an error code and Description contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.

on_log Event

Fires with log information during processing.

Syntax

class RADIUSLogEventParams(object):
  @property
  def log_level() -> int: ...

  @property
  def message() -> str: ...

  @property
  def log_type() -> str: ...

# In class RADIUS:
@property
def on_log() -> Callable[[RADIUSLogEventParams], None]: ...
@on_log.setter
def on_log(event_hook: Callable[[RADIUSLogEventParams], None]) -> None: ...

Remarks

This event fires during processing with log information. The level of detail that is logged is controlled via the LogLevel.

LogLevel indicates the level of message. Possible values are:

LogMessage is the log entry.

LogType indicates the type of log. Possible values are:

• "REQUEST"
• "RESPONSE"

on_ssl_server_authentication Event

Fired after the server presents its certificate to the client.

Syntax

class RADIUSSSLServerAuthenticationEventParams(object):
  @property
  def cert_encoded() -> bytes: ...

  @property
  def cert_subject() -> str: ...

  @property
  def cert_issuer() -> str: ...

  @property
  def status() -> str: ...

  @property
  def accept() -> bool: ...
  @accept.setter
  def accept(value) -> None: ...

# In class RADIUS:
@property
def on_ssl_server_authentication() -> Callable[[RADIUSSSLServerAuthenticationEventParams], None]: ...
@on_ssl_server_authentication.setter
def on_ssl_server_authentication(event_hook: Callable[[RADIUSSSLServerAuthenticationEventParams], None]) -> None: ...

Remarks

This event is where the client can decide whether to continue with the connection process or not. The Accept parameter is a recommendation on whether to continue or close the connection. This is just a suggestion: application software must use its own logic to determine whether to continue or not.

When Accept is False, Status shows why the verification failed (otherwise, Status contains the string "OK"). If it is decided to continue, you can override and accept the certificate by setting the Accept parameter to True.

on_ssl_status Event

Shows the progress of the secure connection.

Syntax

class RADIUSSSLStatusEventParams(object):
  @property
  def message() -> str: ...

# In class RADIUS:
@property
def on_ssl_status() -> Callable[[RADIUSSSLStatusEventParams], None]: ...
@on_ssl_status.setter
def on_ssl_status(event_hook: Callable[[RADIUSSSLStatusEventParams], None]) -> None: ...

Remarks

The event is fired for informational and logging purposes only. Used to track the progress of the connection.

RADIUS Config Settings

The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the config method.

RADIUS Config Settings

UDP Config Settings

Socket Config Settings

Base Config Settings

RADIUS Errors

RADIUS Errors

	900   Busy performing other action.
	901   Received invalid response.
	902   Received rejected response.
	903   Received challenge response.

UDP Errors

	104   UDP is already active.
	106   You cannot change the local_port while the class is active.
	107   You cannot change the local_host at this time. A connection is in progress.
	109   The class must be active for this operation.
	112   Cannot change MaxPacketSize while the class is active.
	113   Cannot change ShareLocalPort option while the class is active.
	114   Cannot change remote_host when UseConnection is set and the class active.
	115   Cannot change remote_port when UseConnection is set and the class is active.
	116   remote_port can't be zero when UseConnection is set. Please specify a valid service port number.
	117   Cannot change UseConnection while the class is active.
	118   Message can't be longer than MaxPacketSize.
	119   Message too short.
	434   Unable to convert string to selected CodePage

TCP/IP Errors

	10004   [10004] Interrupted system call.
	10009   [10009] Bad file number.
	10013   [10013] Access denied.
	10014   [10014] Bad address.
	10022   [10022] Invalid argument.
	10024   [10024] Too many open files.
	10035   [10035] Operation would block.
	10036   [10036] Operation now in progress.
	10037   [10037] Operation already in progress.
	10038   [10038] Socket operation on non-socket.
	10039   [10039] Destination address required.
	10040   [10040] Message too long.
	10041   [10041] Protocol wrong type for socket.
	10042   [10042] Bad protocol option.
	10043   [10043] Protocol not supported.
	10044   [10044] Socket type not supported.
	10045   [10045] Operation not supported on socket.
	10046   [10046] Protocol family not supported.
	10047   [10047] Address family not supported by protocol family.
	10048   [10048] Address already in use.
	10049   [10049] Can't assign requested address.
	10050   [10050] Network is down.
	10051   [10051] Network is unreachable.
	10052   [10052] Net dropped connection or reset.
	10053   [10053] Software caused connection abort.
	10054   [10054] Connection reset by peer.
	10055   [10055] No buffer space available.
	10056   [10056] Socket is already connected.
	10057   [10057] Socket is not connected.
	10058   [10058] Can't send after socket shutdown.
	10059   [10059] Too many references, can't splice.
	10060   [10060] Connection timed out.
	10061   [10061] Connection refused.
	10062   [10062] Too many levels of symbolic links.
	10063   [10063] File name too long.
	10064   [10064] Host is down.
	10065   [10065] No route to host.
	10066   [10066] Directory not empty
	10067   [10067] Too many processes.
	10068   [10068] Too many users.
	10069   [10069] Disc Quota Exceeded.
	10070   [10070] Stale NFS file handle.
	10071   [10071] Too many levels of remote in path.
	10091   [10091] Network subsystem is unavailable.
	10092   [10092] WINSOCK DLL Version out of range.
	10093   [10093] Winsock not loaded yet.
	11001   [11001] Host not found.
	11002   [11002] Non-authoritative 'Host not found' (try again or check DNS setup).
	11003   [11003] Non-recoverable errors: FORMERR, REFUSED, NOTIMP.
	11004   [11004] Valid name, no data record (check DNS setup).