Performing an additional check on the credentials

Alan DeKok aland at deployingradius.com
Thu Apr 11 23:49:44 CEST 2013


Romeo Mihalcea wrote:
> I successfully managed to deploy a freeradius server and created a
> python script which does an additional check on the user (incoming
> request). I checked the internet (resources for freeradius are pretty
> horrible)

  Well... the server comes with a lot of documentation.  Searching
random pages on the internet isn't a good idea.

> and only found a thread which explains some basics about
> adding a python script to the process.

  That isn't well documented because no one has contributed documentation.

> Right now I have it inside /etc/freeradius/sites-enabled/default under
> the authorize section:
> 
> update control {
>        Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}' '%{User-Password}'`
> }

  While that works, I wouldn't recommend doing it.  It's just using
python as an external script.  i.e. there's no python-specific
documentation needed.  You could use `/bin/echo Accept` to get much the
same effect.

> My test.py file spits Reject or Accept. I also have sql authentication

  No... the SQL module does authorization checks.  They really are
different, and the difference is important.  See the wiki for more
discussion on this topic.

> setup with freeradius and the problem is that, if my script returns
> Accept any other authorization request under is ignored; response will
> still be an Accept even if sql check rejects the user.

  Yes, that's what you told it to do.  Which is why the FAQ says to
*not* set Auth-Type.  It's almost always wrong.

> From what I understand I should pass a noop instead of Accept to allow
> freeradius to continue and only pass Reject if I need to reject the user
> but if I respond with noop the server complains (probably because it
> expects a reply for Auth-Type as I coded it).

  No.  "noop" isn't an authentication type.  You're mixing multiple
topics without a clear understanding of any of them.

> Someone on serverfault suggested I shouldn't use unlang to call a python
> script and I should use rlm_python but I really have no idea how to even
> start calling my script.
> 
> Any ideas? Maybe I need to add my code to the Authentication section? How?

  What do you want to do?  Please explain what you have, and what you want.

  Right now you're describing a "solution" that doesn't work.  You're
not describing a problem.  There's really no point in trying to fix the
solution until the problem is clear.  If we do, we'll be stuck on
miscommunication and misunderstanding.

  Alan DeKok.
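
An added illustration, not part of the original message and not the poster's or the FreeRADIUS project's code: a sketch of an rlm_python module for the "additional check" discussed in this thread. In authorize it only ever vetoes (reject) or abstains (noop) and never sets Auth-Type, so later checks such as sql still apply. The file name, the blocklist and the stand-in radiusd constants are assumptions.

```python
"""Veto-only extra check for rlm_python (hypothetical file: extra_check.py)."""
try:
    import radiusd  # provided by FreeRADIUS when loaded through rlm_python
except ImportError:
    class radiusd:  # stand-in so the file also runs outside the server
        RLM_MODULE_REJECT = 0  # assumed to match the server's return codes
        RLM_MODULE_NOOP = 7

REJECT = radiusd.RLM_MODULE_REJECT
NOOP = radiusd.RLM_MODULE_NOOP

# Constructed sample policy: accounts this extra check refuses.
BLOCKED_USERS = {"mallory", "disabled-account"}


def _attr(request, name):
    """Return the value of attribute `name` from the request pairs, or None."""
    for pair in request or ():
        if len(pair) >= 2 and pair[0] == name:
            # Assumption: some server versions wrap string values in quotes.
            return str(pair[1]).strip('"')
    return None


def authorize(request):
    """Called by rlm_python with a tuple of (attribute, value) pairs.

    Returns REJECT to veto the request, NOOP to abstain. It never returns
    an accepting code and never touches Auth-Type, so a "pass" here cannot
    override a rejection by a module that runs later.
    """
    user = _attr(request, "User-Name")
    if user is None:
        # Nothing to evaluate; abstaining is not accepting.
        return NOOP
    if user.strip().lower() in BLOCKED_USERS:
        return REJECT
    return NOOP
```

In the server this would be wired up through the python module's mod_authorize and func_authorize settings and listed in the authorize section in place of the update control block.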

