Problem with external authentication script

Stefan Kuegler freeradius at kuegler.org
Mon Jun 15 21:18:00 CEST 2009


Hi Ivan.

>> exec motp {
>>       wait = yes
>>       program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}"
>>       input_pairs = request
>>       output_pairs = config
>> }
>>
> 
> You have changed them to reply items ...
> 
>> /etc/freeradius/users:
>> DEFAULT Auth-Type = Accept
>>          Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'",
>>          Fall-Through = Yes
>>
>> user1   Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0
>>
> 
> ... but configured them as check items. Revert to original exec line and
> place user entry *above* DEFAULT entry.
> 
Thanks for your advice.
I configured the users file as described above, but it didn't work. Now I 
can see that freeradius never calls the external script.

It seems that freeradius never uses the "MOTP" Auth-Type:

[...]
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.82.40 port 1026, 
id=109, length=78
	User-Name = "user1"
	User-Password = "secret"
	Service-Type = Authenticate-Only
	NAS-Identifier = "debian.local"
	NAS-IP-Address = 192.168.82.40
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
     rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
     rlm_realm: No such realm "NULL"
++[suffix] returns noop
   rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
     users: Matched entry user1 at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
   rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "secret"
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [user1/secret] 
(from client 192.168.82.40 port 0)
   Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> user1
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.82.40 port 1026, 
id=109, length=78
Waiting to send Access-Reject to client 192.168.82.40 port 1026 - ID: 109
Sending delayed reject for request 0
Sending Access-Reject of id 109 to 192.168.82.40 port 1026
Waking up in 4.9 seconds.
Cleaning up request 0 ID 109 with timestamp +17
Ready to process requests.



Do I need to configure something in the authorize section or somewhere 
else?


Thank you for your help.

Stefan
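As an added example that is not part of this thread, the following Python script reads a radiusd -X trace in the 2.x debug format shown above and answers the question the post is asking: which users entry matched, which Auth-Type the server actually settled on, which modules ran in each group, and whether a given module (here the exec instance "motp") ever returned a result. Because such traces carry cleartext passwords (User-Password, the rlm_pap attempt line, the Login incorrect line), it also includes a redactor to run over a trace before pasting it anywhere. The sample trace is a condensed copy of the one quoted in the post with the wrapped lines re-joined; all function names and the AuthTrace structure are my own and are not part of FreeRADIUS.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the radiusd -X trace from the post above, condensed to
# the lines this parser cares about (wrapped lines re-joined).
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=109, length=78
\tUser-Name = "user1"
\tUser-Password = "secret"
\tNAS-IP-Address = 192.168.82.40
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns noop
++[unix] returns updated
     users: Matched entry user1 at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
   rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "secret"
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [user1/secret] (from client 192.168.82.40 port 0)
   Found Post-Auth-Type Reject
+- entering group REJECT
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 109 to 192.168.82.40 port 1026
"""

# Line shapes taken from the FreeRADIUS 2.x debug output quoted in the post.
GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)")
USERS_RE = re.compile(r"users: Matched entry (\S+) at line (\d+)")
AUTH_TYPE_RE = re.compile(r'^auth: type "([^"]+)"')
USER_RE = re.compile(r'^\s*User-Name = "([^"]*)"')
SEND_RE = re.compile(r"^Sending (Access-\w+) of id \d+")


@dataclass
class AuthTrace:  # hypothetical structure, not a FreeRADIUS type
    user: str | None = None
    matched_entry: tuple[str, int] | None = None   # (entry name, users-file line)
    auth_type: str | None = None
    outcome: str | None = None                      # e.g. "Access-Reject"
    # group name -> [(module, return code)] in the order the modules ran
    module_results: dict[str, list[tuple[str, str]]] = field(default_factory=dict)


def parse_trace(text: str) -> AuthTrace:
    """Walk the debug output line by line and record what the server decided."""
    trace = AuthTrace()
    group = "<none>"
    for line in text.splitlines():
        if m := USER_RE.match(line):
            trace.user = m.group(1)
        elif m := GROUP_RE.match(line):
            group = m.group(1)
            trace.module_results.setdefault(group, [])
        elif m := MODULE_RE.match(line):
            trace.module_results.setdefault(group, []).append((m.group(1), m.group(2)))
        elif m := USERS_RE.search(line):
            trace.matched_entry = (m.group(1), int(m.group(2)))
        elif m := AUTH_TYPE_RE.match(line):
            trace.auth_type = m.group(1)
        elif m := SEND_RE.match(line):
            trace.outcome = m.group(1)
    return trace


def module_ran(trace: AuthTrace, name: str) -> bool:
    """True if a module instance with this name returned a result in any group."""
    return any(mod == name for mods in trace.module_results.values() for mod, _ in mods)


def diagnose(trace: AuthTrace, expected_module: str = "motp",
             expected_auth_type: str = "MOTP") -> list[str]:
    """State, from the trace alone, why the expected module never got to run."""
    findings = []
    if trace.matched_entry:
        name, line_no = trace.matched_entry
        findings.append(f"users entry {name!r} matched at line {line_no}")
    if trace.auth_type != expected_auth_type:
        findings.append(f"Auth-Type resolved to {trace.auth_type!r}, not "
                        f"{expected_auth_type!r}, so a different authenticate group ran")
    if not module_ran(trace, expected_module):
        findings.append(f"module {expected_module!r} never returned a result in any group")
    return findings


def redact_passwords(text: str) -> str:
    """Blank the three places a 2.x debug trace prints the cleartext password."""
    out = []
    for line in text.splitlines():
        line = re.sub(r'^(\s*User-Password = )"[^"]*"', r'\1"<redacted>"', line)
        line = re.sub(r'(login attempt with password )"[^"]*"', r'\1"<redacted>"', line)
        line = re.sub(r'\[([^/\]]+)/[^\]]*\]', r'[\1/<redacted>]', line)  # [user/password]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    t = parse_trace(SAMPLE_TRACE)
    for finding in diagnose(t):
        print("-", finding)
    print(redact_passwords(SAMPLE_TRACE))
```

Run against the trace in the post it reports that the users entry matched at line 3, that the Auth-Type came out as "PAP" rather than "MOTP", and that no module called "motp" ever returned, which is exactly the condition to look for before touching the exec configuration again: the users-file lookup, not the exec module, is where the Auth-Type decision is being made.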


