Problem with external authentication script

Stefan Kuegler freeradius at
Mon Jun 15 21:18:00 CEST 2009

Hi Ivan.

>> exec motp {
>>       wait = yes
>>       program = "/usr/local/bin/ %{User-Name}
>> %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}"
>>       input_pairs = request
>>       output_pairs = config
>> }
> You have changed them to reply items ...
>> /etc/freeradius/users:
>> DEFAULT Auth-Type = Accept
>>          Exec-Program-Wait = "/usr/local/bin/ '%{User-Name}'
>> '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'",
>>          Fall-Through = Yes
>> user1   Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0
> ... but configured them as check items. Revert to original exec line and
> place user entry *above* DEFAULT entry.
Thanks for your advice.
I configured the users file described above, but it didn't work. Now I
can see that freeradius never calls the external script.

It seems that freeradius never uses the "MOTP" Auth-Type:

Ready to process requests.
rad_recv: Access-Request packet from host port 1026, 
id=109, length=78
	User-Name = "user1"
	User-Password = "secret"
	Service-Type = Authenticate-Only
	NAS-Identifier = "debian.local"
	NAS-IP-Address =
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
     rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
     rlm_realm: No such realm "NULL"
++[suffix] returns noop
   rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
     users: Matched entry user1 at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
   rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "secret"
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [user1/secret] 
(from client port 0)
   Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> user1
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host port 1026, 
id=109, length=78
Waiting to send Access-Reject to client port 1026 - ID: 109
Sending delayed reject for request 0
Sending Access-Reject of id 109 to port 1026
Waking up in 4.9 seconds.
Cleaning up request 0 ID 109 with timestamp +17
Ready to process requests.

Do I need to configure something in the authorize section or somewhere
else?

Thank you for your help.
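
An added diagnostic example, not part of the original post and not FreeRADIUS code: it summarizes debug output like the log quoted above to show which Auth-Type was selected, which users-file entry matched, and whether a given module instance (here `motp`, the exec instance from the post) ever returned a result. The sample is a trimmed excerpt of that log; the function names are hypothetical.

```python
import re

# Trimmed excerpt of the debug output quoted in the post above.
SAMPLE_LOG = '''\
+- entering group authorize
++[preprocess] returns ok
++[unix] returns updated
     users: Matched entry user1 at line 3
++[files] returns ok
++[pap] returns updated
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "secret"
rlm_pap: Passwords don't match
++[pap] returns reject
+- entering group REJECT
++[attr_filter.access_reject] returns updated
'''

GROUP = re.compile(r'^\+- entering group (\S+)')
MODULE = re.compile(r'^\++\[([^\]]+)\] returns (\w+)')
AUTH_TYPE = re.compile(r'^auth: type "([^"]+)"')
USERS = re.compile(r'users: Matched entry (\S+) at line (\d+)')

def summarize(log):
    """Return the Auth-Type, users-file matches and per-group module results."""
    out = {"auth_type": None, "users_matches": [], "groups": {}}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := GROUP.match(line):
            current = m.group(1)
            out["groups"].setdefault(current, [])
        elif (m := MODULE.match(line)) and current is not None:
            out["groups"][current].append((m.group(1), m.group(2)))
        elif m := AUTH_TYPE.match(line):
            out["auth_type"] = m.group(1)
        elif m := USERS.search(line):
            out["users_matches"].append((m.group(1), int(m.group(2))))
    return out

def module_ran(summary, name):
    """True if a module instance with this name returned a result in any group."""
    return any(mod == name for mods in summary["groups"].values() for mod, _ in mods)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("Auth-Type:", s["auth_type"], "| users matches:", s["users_matches"])
    print("motp ran:", module_ran(s, "motp"), "| groups:", list(s["groups"]))
```

On this excerpt the summary reports Auth-Type PAP and no result from a `motp` instance in any group, which matches the observation in the post that the external script is never called.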


More information about the Freeradius-Users mailing list