Lost values



Hi there, I've got the following config file:

radiusd.conf
-----------------
modules {
  exec my_auth {
     wait = yes
     program = "/home/myself/my_auth.sh %{NAS-IP-Address} %{Calling-Station-ID} %{User-Name}"
     input_pairs = request
     output_pairs = reply
  }
...

instantiate {
  exec
  my_auth
}

authorize {
  mschap
  my_auth
  eap
}
...

/home/myself/my_auth.sh
------------------------------------
#!/bin/bash
echo "NAS: $1"
echo "Caller: $2"
echo "User: $3"
exit 0

And I'm using a Cisco Aironet 1200 AP.
OK, so the problem is the following:
When I connect through the access point, I get the following output (I just put the parts regarding my script):
...
radius_xlat:  '/tmp/radius_auth/auth.sh 192.168.254.22 0002.2d85.4676 test'
Exec-Program: /tmp/radius_auth/auth.sh 192.168.254.22 0002.2d85.4676 test
Exec-Program output: NAS: 192.168.254.22 Caller: 0002.2d85.4676 User: test
Exec-Program-Wait: plaintext: NAS: 192.168.254.22 Caller: 0002.2d85.4676 User: test
Exec-Program: returned: 0
...
I get like 6 of those and then I get 3 of these (please note that the parameters are gone):
Exec-Program: /tmp/radius_auth/auth.sh   test
Exec-Program output: NAS: test Caller:  User:
Exec-Program-Wait: plaintext: NAS: test Caller:  User:
Exec-Program: returned: 0

And finally I get this one (and they are back):
radius_xlat:  '/tmp/radius_auth/auth.sh 192.168.254.22 0002.2d85.4676 test'
Exec-Program: /tmp/radius_auth/auth.sh 192.168.254.22 0002.2d85.4676 test
Exec-Program output: NAS: 192.168.254.22 Caller: 0002.2d85.4676 User: test
Exec-Program-Wait: plaintext: NAS: 192.168.254.22 Caller: 0002.2d85.4676 User: test
Exec-Program: returned: 0

And access is granted.

So, my question is: why, at some point, do I lose the values of %{NAS-IP-Address} and %{Calling-Station-ID}? I'd also like to know if there is a way to "ignore" a request for my script. In this case, my script gives a 0 back, and this grants access. If I modify it to return 1, access is denied. I'd like to know if there is a value that doesn't cause the whole auth process to fail, like ignore until I get the IP address that was lost. What I want to do in my script is to check the AP's IP address and, depending on it, deny access to users of a determined AP and grant access to users of the other APs, but since sometimes I lose the value of those vars, the whole process will fail even for a user who is on an authorized AP.

If someone could shed some light, that'd be great.

Thanks a lot.

Jack
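
An added example, not part of the original post: a variant of the script that checks the shape of each argument before deciding, so the invocation where the attributes expanded to nothing (and the user name ended up in `$1`) is reported as incomplete instead of being accepted with exit 0. The `DENIED_NAS` address, the function names and the choice to treat incomplete input as a denial are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. DENIED_NAS is a constructed
# placeholder; failing closed on incomplete input is an assumption.
DENIED_NAS="192.0.2.10"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# decide NAS CALLER USER: print allow, deny or incomplete.
# An empty expansion shifts the remaining words left, so the position of an
# argument proves nothing; validate what each one looks like.
decide() {
    if [ "$#" -ne 3 ] || ! is_ipv4 "$1" || [ -z "$2" ] || [ -z "$3" ]; then
        echo incomplete
    elif [ "$1" = "$DENIED_NAS" ]; then
        echo deny
    else
        echo allow
    fi
}

# Map a verdict to the exit statuses the post reports: 0 grants, 1 denies.
exit_code_for() {
    case $1 in
        allow) echo 0 ;;
        *)     echo 1 ;;   # deny and incomplete both fail closed (assumption)
    esac
}

# Demo on the two argument shapes seen in the debug output above.
for args in "192.168.254.22 0002.2d85.4676 test" "test"; do
    verdict=$(decide $args)   # unquoted on purpose: split into separate words
    echo "args=[$args] verdict=$verdict exit=$(exit_code_for "$verdict")"
done
```

To run it as the exec program, replace the demo loop with `exit "$(exit_code_for "$(decide "$@")")"`.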
