external script reply

Hegedus Gabor hegedus.gabor at euroway.hu
Sat Dec 20 13:13:18 CET 2008


tnt at kalik.net wrote:
>> Now I have just one output, this:
>>
>> Exec-Program output: Tunnel-Private-Group-Id = vlan20
>>
>> no need for "/n"
>>
>>     
>
> That is OK.
>
>   
>> and the users file contains:
>>
>> DEFAULT auth-type = Accept
>>     Tunnel-Type = VLAN,        # both are fixed, sent every time when accepted
>>     Tunnel-Medium-Type = IEEE-802
>>
>>     
>
> That is fine as well.
>
>   
>> What has to change, because the Group-Id is not sent?
>>     
>
> Can you post the configuration of the exec module that calls your script?
> There should be output = reply in it.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   
Okay, let's see:

Here is the first setup, which does not work (Group-Id is not sent):

debug log:
+- entering group post-auth {...}
[get-vlan]     expand: %{mschap:User-Name} -> Hege
Exec-Program output: Tunnel-Private-Group-Id = 999
Exec-Program-Wait: value-pairs: Tunnel-Private-Group-Id = 999
Exec-Program: returned: 0
++[get-vlan] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    EAP-Message = 0x03090004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "TEST\\Hege"
[peap] Got tunneled reply RADIUS code 2
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    EAP-Message = 0x03090004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "TEST\\Hege"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 33 to 192.168.2.2 port 1812
    EAP-Message = 0x010a00261900170301001bb32c77d09f7f70675ba4f6ef975008f2807a19c9950a8bee9ea770
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xfa60c880f36ad1ad83e4969de6c343b6
Finished request 9.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.2.2 port 1812, id=34, length=175
    NAS-IP-Address = 192.168.2.2
    NAS-Port = 50019
    NAS-Port-Type = Ethernet
    User-Name = "TEST\\Hege"
    Called-Station-Id = "00-0A-F4-2E-DF-13"
    Calling-Station-Id = "00-80-C8-CD-4F-31"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0xfa60c880f36ad1ad83e4969de6c343b6
    EAP-Message = 0x020a00261900170301001b21c0560fc73a5ff63ec05c899069439c4e57f7de1252f65f1ce21b
    Message-Authenticator = 0x90917ce085fc882aa837e4d65415423f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Sending Access-Accept of id 34 to 192.168.2.2 port 1812
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    User-Name = "TEST\\Hege"
    MS-MPPE-Recv-Key = 0x525851a76af3aa5f59c6553b06a540b05d248b43865ec9da0e1a0a94191ced5b
    MS-MPPE-Send-Key = 0x62a6b9ec702b2819c7d80448239213ea432ee86d9d2ad084cc775bcc3724fe42
    EAP-Message = 0x030a0004
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 4.6 seconds.

users file:
DEFAULT Auth-Type = Accept
    Tunnel-type = VLAN,
    Tunnel-Medium-Type = IEEE-802

exec file:
exec {
    wait = yes
    input-pairs = request
    shell-escape = yes
    output = reply
}
exec get-vlan {
    wait = yes
    program = "/usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name}"
    input-pairs = request
    output = reply
}

@inner-tunnel file:
post-auth {
    #exec        # if I remove the comment, nothing changes
    get-vlan
}


Why is the Tunnel-Private-Group-Id not sent in the tunneled Accept packet?
------------------------------------------------------------------------------------------------------------------------

Here is the other setup, which works (get-vlan is not used):

debug log:
[files] users: Matched entry DEFAULT at line 90
[files]     expand: /usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name} -> /usr/local/etc/raddb/scripts/getvlan.php Hege
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
Exec-Program output: Tunnel-Private-Group-Id = 999
Exec-Program-Wait: value-pairs: Tunnel-Private-Group-Id = 999
Exec-Program: returned: 0
++[exec] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Exec-Program-Wait = "/usr/local/etc/raddb/scripts/getvlan.php Hege"
    EAP-Message = 0x03090004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "TEST\\Hege"
    Tunnel-Private-Group-Id:0 = "999"                     
[peap] Got tunneled reply RADIUS code 2
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Exec-Program-Wait = "/usr/local/etc/raddb/scripts/getvlan.php Hege"
    EAP-Message = 0x03090004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "TEST\\Hege"
    Tunnel-Private-Group-Id:0 = "999"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 55 to 192.168.2.2 port 1812
    EAP-Message = 0x010a00261900170301001bbbb9779ffa1a57519ffc0b1e5689d56ddf63842cceb1f476d904f2
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x949108639d9b110fb7de5c9587f53d99
Finished request 9.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.2.2 port 1812, id=56, length=175
    NAS-IP-Address = 192.168.2.2
    NAS-Port = 50019
    NAS-Port-Type = Ethernet
    User-Name = "TEST\\Hege"
    Called-Station-Id = "00-0A-F4-2E-DF-13"
    Calling-Station-Id = "00-80-C8-CD-4F-31"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x949108639d9b110fb7de5c9587f53d99
    EAP-Message = 0x020a00261900170301001bee552239ad4c65254d4eac839cb1bcfc7dd6f9cfaa48b9c46f271a
    Message-Authenticator = 0xf6d00154ddd920c66013bb0fc048ddbe
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Sending Access-Accept of id 56 to 192.168.2.2 port 1812
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    User-Name = "TEST\\Hege"
    Tunnel-Private-Group-Id:0 = "999"
    MS-MPPE-Recv-Key = 0xbfeee80dc26c96454c660e3eb112b242a92baeaca68f5b0454951f75a269b6ce
    MS-MPPE-Send-Key = 0xf6352b55b8cc2b48a4a2080ad0751048fae1d756fbbeb58ad504c7f01c4ae1cf
    EAP-Message = 0x030a0004
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.

users file:
DEFAULT Auth-Type = Accept
    Tunnel-type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Exec-Program-Wait = "/usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name}"

exec file:
exec {
    wait = yes
    input-pairs = request
    shell-escape = yes
    output = reply
}
#exec get-vlan {
#    wait = yes
#    program = "/usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name}"
#    input-pairs = request
#    output = reply
#    packet-type = Access-Accept
#    shell-escape = yes
#}

@inner-tunnel file:
post-auth {
    exec
#  get-vlan
}

I will use the second setup, but I want to know why the first one is wrong...
Ideas?

thank you, Gabor
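The debug output above shows the contract between rlm_exec and the script: whatever the program prints on stdout in "Attribute = value" form ("Exec-Program output: Tunnel-Private-Group-Id = 999") becomes a reply pair, and exit status 0 makes the module return ok. The following is an added example, not Gabor's getvlan.php and not FreeRADIUS code: a POSIX shell stand-in for the VLAN lookup script that validates the username it is handed, maps it to a VLAN from a constructed table, and prints the attribute line in that form. The script path, the user-to-VLAN table and the default VLAN are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Gabor's getvlan.php and not FreeRADIUS code): a shell
# stand-in for the VLAN lookup script. FreeRADIUS would run it as
#   program = "/usr/local/etc/raddb/scripts/getvlan.sh %{mschap:User-Name}"
# (assumed path) and turn every "Attribute = value" line printed on stdout
# into a reply pair. The table and the default VLAN below are constructed.

# Constructed lookup table: one "user:vlan" entry per line, usernames in
# lower case. %{mschap:User-Name} strips the "TEST\" domain prefix (the log
# shows "-> Hege"), so the keys carry no domain either.
VLAN_MAP='hege:999
alice:20
bob:30'

DEFAULT_VLAN=10   # constructed: guest VLAN for users not in the table

# The username comes from the supplicant via the NAS, so treat it as
# untrusted input: accept only a conservative character set, reject the rest.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the VLAN id for a user (case-insensitive), falling back to
# DEFAULT_VLAN. Returns 1 and prints nothing if the name fails validation.
lookup_vlan() {
    user=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    valid_username "$user" || return 1
    vlan=$(printf '%s\n' "$VLAN_MAP" | awk -F: -v u="$user" '$1 == u { print $2; exit }')
    printf '%s\n' "${vlan:-$DEFAULT_VLAN}"
}

# Emit the reply attribute in the form rlm_exec parses.
# Exit status 0 maps to "ok" (as in the debug log above); 1 maps to "reject".
get_vlan_reply() {
    vlan=$(lookup_vlan "$1") || return 1
    printf 'Tunnel-Private-Group-Id = %s\n' "$vlan"
}

# When invoked by FreeRADIUS the username is the first argument.
if [ $# -gt 0 ]; then
    get_vlan_reply "$1"
    exit $?
fi
```

Two points worth keeping in mind with this pattern. First, rlm_exec starts the program directly with the expanded arguments, and shell-escape = yes only escapes shell metacharacters in the expanded values; the username still arrives in argv, so the script validates it itself rather than trusting the caller. Second, whatever the script prints is copied straight into the Access-Accept and decides the port's VLAN, so the lookup table is in effect the VLAN authorization policy and the script should never echo unvalidated input back as an attribute value.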






More information about the Freeradius-Users mailing list