external script reply

Hegedus Gabor hegedus.gabor at euroway.hu
Tue Dec 23 09:47:53 CET 2008


Hegedus Gabor wrote:
> tnt at kalik.net wrote:
>>> now I have just one output, this:
>>>
>>> Exec-Program output: Tunnel-Private-Group-Id = vlan20
>>>
>>> no need for "/n"
>>>
>>
>> That is OK.
>>
>>> and the users file contains:
>>>
>>> DEFAULT auth-type = Accept
>>>     Tunnel-Type = VLAN,        # both are fixed, sent every time when accepted
>>>     Tunnel-Medium-Type = IEEE-802
>>
>> That is fine as well.
>>
>>> What do I have to change, because the Group-Id is not sent?
>>
>> Can you post the configuration of the exec module that calls your script?
>> There should be output = reply in it.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
> okay, let's see:
>
> here are the first settings, which do not work (Group-Id is not sent):
>
> debug log:
> +- entering group post-auth {...}
> [get-vlan]     expand: %{mschap:User-Name} -> Hege
> Exec-Program output: Tunnel-Private-Group-Id = 999
> Exec-Program-Wait: value-pairs: Tunnel-Private-Group-Id = 999
> Exec-Program: returned: 0
> ++[get-vlan] returns ok
> } # server inner-tunnel
> [peap] Got tunneled reply code 2
>    Tunnel-Type:0 = VLAN
>    Tunnel-Medium-Type:0 = IEEE-802
>    EAP-Message = 0x03090004
>    Message-Authenticator = 0x00000000000000000000000000000000
>    User-Name = "TEST\\Hege"
> [peap] Got tunneled reply RADIUS code 2
>    Tunnel-Type:0 = VLAN
>    Tunnel-Medium-Type:0 = IEEE-802
>    EAP-Message = 0x03090004
>    Message-Authenticator = 0x00000000000000000000000000000000
>    User-Name = "TEST\\Hege"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> [peap] Saving tunneled attributes for later
> ++[eap] returns handled
> Sending Access-Challenge of id 33 to 192.168.2.2 port 1812
>    EAP-Message = 
> 0x010a00261900170301001bb32c77d09f7f70675ba4f6ef975008f2807a19c9950a8bee9ea770 
>
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0xfa60c880f36ad1ad83e4969de6c343b6
> Finished request 9.
> Going to the next request
> Waking up in 4.6 seconds.
> rad_recv: Access-Request packet from host 192.168.2.2 port 1812, 
> id=34, length=175
>    NAS-IP-Address = 192.168.2.2
>    NAS-Port = 50019
>    NAS-Port-Type = Ethernet
>    User-Name = "TEST\\Hege"
>    Called-Station-Id = "00-0A-F4-2E-DF-13"
>    Calling-Station-Id = "00-80-C8-CD-4F-31"
>    Service-Type = Framed-User
>    Framed-MTU = 1500
>    State = 0xfa60c880f36ad1ad83e4969de6c343b6
>    EAP-Message = 
> 0x020a00261900170301001b21c0560fc73a5ff63ec05c899069439c4e57f7de1252f65f1ce21b 
>
>    Message-Authenticator = 0x90917ce085fc882aa837e4d65415423f
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "TEST\Hege", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 10 length 38
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Received EAP-TLV response.
> [peap] Success
> [peap] Using saved attributes from the original Access-Accept
> [eap] Freeing handler
> ++[eap] returns ok
> Sending Access-Accept of id 34 to 192.168.2.2 port 1812
>    Tunnel-Type:0 = VLAN
>    Tunnel-Medium-Type:0 = IEEE-802
>    User-Name = "TEST\\Hege"
>    MS-MPPE-Recv-Key = 
> 0x525851a76af3aa5f59c6553b06a540b05d248b43865ec9da0e1a0a94191ced5b
>    MS-MPPE-Send-Key = 
> 0x62a6b9ec702b2819c7d80448239213ea432ee86d9d2ad084cc775bcc3724fe42
>    EAP-Message = 0x030a0004
>    Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 10.
> Going to the next request
> Waking up in 4.6 seconds.
>
> users file:
> DEFAULT Auth-Type = Accept
>    Tunnel-type = VLAN,
>    Tunnel-Medium-Type = IEEE-802
>
> exec file:
> exec {
>    wait = yes
>    input-pairs = request
>    shell-escape = yes
>    output = reply
> }
> exec get-vlan{
>    wait = yes
>    program = "/usr/local/etc/raddb/scripts/getvlan.php 
> %{mschap:User-Name}"
>    input-pairs = request
>    output = reply
> }
>
> @inner-tunnel file:
> post-auth{
>    #exec        # if the comment is removed, nothing changes
>    get-vlan
> }
>
>
> Why is the Tunnel-Private-Group-Id not sent in the tunneled Accept packet?
> ------------------------------------------------------------------------------------------------------------------------ 
>
>
> here are the other settings, which work (get-vlan is not used):
>
> debug log:
> [files] users: Matched entry DEFAULT at line 90
> [files]     expand: /usr/local/etc/raddb/scripts/getvlan.php 
> %{mschap:User-Name} -> /usr/local/etc/raddb/scripts/getvlan.php Hege
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap] Freeing handler
> ++[eap] returns ok
> +- entering group post-auth {...}
> Exec-Program output: Tunnel-Private-Group-Id = 999
> Exec-Program-Wait: value-pairs: Tunnel-Private-Group-Id = 999
> Exec-Program: returned: 0
> ++[exec] returns noop
> } # server inner-tunnel
> [peap] Got tunneled reply code 2
>    Tunnel-Type:0 = VLAN
>    Tunnel-Medium-Type:0 = IEEE-802
>    Exec-Program-Wait = "/usr/local/etc/raddb/scripts/getvlan.php Hege"
>    EAP-Message = 0x03090004
>    Message-Authenticator = 0x00000000000000000000000000000000
>    User-Name = "TEST\\Hege"
>    Tunnel-Private-Group-Id:0 = "999"
> [peap] Got tunneled reply RADIUS code 2
>    Tunnel-Type:0 = VLAN
>    Tunnel-Medium-Type:0 = IEEE-802
>    Exec-Program-Wait = "/usr/local/etc/raddb/scripts/getvlan.php Hege"
>    EAP-Message = 0x03090004
>    Message-Authenticator = 0x00000000000000000000000000000000
>    User-Name = "TEST\\Hege"
>    Tunnel-Private-Group-Id:0 = "999"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> [peap] Saving tunneled attributes for later
> ++[eap] returns handled
> Sending Access-Challenge of id 55 to 192.168.2.2 port 1812
>    EAP-Message = 
> 0x010a00261900170301001bbbb9779ffa1a57519ffc0b1e5689d56ddf63842cceb1f476d904f2 
>
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0x949108639d9b110fb7de5c9587f53d99
> Finished request 9.
> Going to the next request
> Waking up in 4.6 seconds.
> rad_recv: Access-Request packet from host 192.168.2.2 port 1812, 
> id=56, length=175
>    NAS-IP-Address = 192.168.2.2
>    NAS-Port = 50019
>    NAS-Port-Type = Ethernet
>    User-Name = "TEST\\Hege"
>    Called-Station-Id = "00-0A-F4-2E-DF-13"
>    Calling-Station-Id = "00-80-C8-CD-4F-31"
>    Service-Type = Framed-User
>    Framed-MTU = 1500
>    State = 0x949108639d9b110fb7de5c9587f53d99
>    EAP-Message = 
> 0x020a00261900170301001bee552239ad4c65254d4eac839cb1bcfc7dd6f9cfaa48b9c46f271a 
>
>    Message-Authenticator = 0xf6d00154ddd920c66013bb0fc048ddbe
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "TEST\Hege", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 10 length 38
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Received EAP-TLV response.
> [peap] Success
> [peap] Using saved attributes from the original Access-Accept
> [eap] Freeing handler
> ++[eap] returns ok
> Sending Access-Accept of id 56 to 192.168.2.2 port 1812
>    Tunnel-Type:0 = VLAN
>    Tunnel-Medium-Type:0 = IEEE-802
>    User-Name = "TEST\\Hege"
>    Tunnel-Private-Group-Id:0 = "999"
>    MS-MPPE-Recv-Key = 
> 0xbfeee80dc26c96454c660e3eb112b242a92baeaca68f5b0454951f75a269b6ce
>    MS-MPPE-Send-Key = 
> 0xf6352b55b8cc2b48a4a2080ad0751048fae1d756fbbeb58ad504c7f01c4ae1cf
>    EAP-Message = 0x030a0004
>    Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 10.
>
> users file:
> DEFAULT Auth-Type = Accept
>    Tunnel-type = VLAN,
>    Tunnel-Medium-Type = IEEE-802,
>    Exec-Program-Wait = "/usr/local/etc/raddb/scripts/getvlan.php 
> %{mschap:User-Name}"
>
> exec file:
> exec {
>    wait = yes
>    input-pairs = request
>    shell-escape = yes
>    output = reply
> }
> #exec get-vlan{
> #    wait = yes
> #    program = "/usr/local/etc/raddb/scripts/getvlan.php 
> %{mschap:User-Name}"
> #    input-pairs = request
> #    output = reply
> #    packet-type = Access-Accept
> #    shell-escape = yes
> #}
>
> @inner-tunnel file:
> post-auth{
>    exec
> #  get-vlan
> }
>
> I will use the second settings, but I want to know why the first
> settings are wrong...
> ideas?
>
> thank you, Gabor
>
>
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
No answers? Ideas?
thank you, Gabor
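Added example, not part of the thread: a named rlm_exec instance for the inner-tunnel post-auth use shown above, written with the option names that the FreeRADIUS 2.x exec module (and its stock raddb/modules/echo example) reads. The non-working instance on this page spells them `output = reply`, `input-pairs` and `packet-type`; the module's options are `output_pairs`, `input_pairs` and `packet_type`, and an option name the module does not recognize has no effect, so the parsed value-pairs visible in the debug output have no destination list. The script path is the one from the thread; the section layout is assumed to follow the stock 2.x raddb tree.

```conf
# modules/get-vlan  (added example; FreeRADIUS 2.x rlm_exec option names)
exec get-vlan {
    # Block until the script exits so its stdout can be parsed.
    wait = yes

    # The script prints "Attribute = value" lines on stdout, one per line.
    program = "/usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name}"

    # Attribute list exported to the script's environment.
    input_pairs = request

    # Attribute list that receives the parsed stdout pairs.  This is the
    # option written as "output = reply" in the thread; without a valid
    # output_pairs the parsed pairs have nowhere to go and are discarded.
    output_pairs = reply

    # Only run when the inner reply is an Access-Accept, so a rejected
    # user never has a VLAN assignment added to the reply.
    packet_type = Access-Accept

    shell_escape = yes
}

# sites-available/inner-tunnel  (only the post-auth section is shown)
post-auth {
    # Adds Tunnel-Private-Group-Id to the tunneled reply, next to the
    # static Tunnel-Type / Tunnel-Medium-Type pairs from the users file.
    get-vlan
}
```

With `output_pairs = reply`, the debug line `Exec-Program-Wait: value-pairs: Tunnel-Private-Group-Id = 999` should be followed by that attribute in the `[peap] Got tunneled reply` listing and in the final Access-Accept.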

