external auth script

Janis Heller janis.heller at outlook.de
Fri Jul 22 13:10:56 CEST 2016


I’m using Freeradius v 3.0.11.
Sorry, there is no "rest" file in the mods-enabled folder (etc/freeradius/mods-enabled).

I’ve reread your post, here’s my current config:

authorize {
	Auth-Type exec {
		exec
	}
}

authenticate {

}

Now when I try to start radius these lines are printed in red color.

/etc/freeradius/sites-enabled/default[18]: Failed to find "Auth-Type" as a module or policy.
/etc/freeradius/sites-enabled/default[18]: Please verify that the configuration exists in /etc/freeradius/mods-enabled/Auth-Type.
/etc/freeradius/sites-enabled/default[17]: Errors parsing authorize section.

All the best,

janis

> On 22.07.2016 at 12:27, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> 
> On Fri, Jul 22, 2016 at 10:18:10AM +0000, Janis Heller wrote:
>> I’m a newbie to RADIUS.
> 
> I suggest you read through doc/concepts/aaa.rst.
> 
> Otherwise you're just guessing where you should put things.
> 
>> I’ve taken a look into my modules folder, there’s no rest module. How can I build this fast? Many of you told me to use rest instead of exec to perform a simple web request to some script.
> 
> If you've got a "modules" folder then you're using version 2,
> which is end of life and not supported any more. You need version
> 3.
> 
> We would have known this if you'd sent the full output of radiusd
> -X...
> 
>> authorize {
>> 
>> }
>> 
>> authenticate {
>> 	Auth-Type exec {
>> 		exec
>> 	}
>> }
>> 
>> I get this error all the time (provided username & password are correct)
>> 
>> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
>> 
>> I’m a bit confused about this. I think I only need to use
>> authorize to validate username & password. My accounts won’t
>> have custom permissions etc.
> 
> That's not the right place for what you are trying to do, and not
> what I put in the previous e-mails.
> 
>  Put exec in authorize, nothing in authenticate.
> 
>  Make your script output "Auth-Type := Accept" on stdout. This
>  skips the authenticate section and directly accepts the request.
> 
>  Use "output_pairs = config" as well as your existing exec config.
> 
> It works. I tested it here. No other config changes than those.
> 
> You still shouldn't use exec like this in production.
> 
> I suggest you play around with concepts like this first (even if
> you shouldn't use it) before trying to use something like rest, so
> that you learn how FreeRADIUS works.
> 
> And read all the debug output. It shows how packets flow through
> the server, and which modules are hit when. Debug output in
> version 3.0.11 is clearer than in version 2.
> 
> Matthew
> 
> 
> 
> -- 
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
> 
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
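
The three steps in the quoted reply (exec in authorize, the script printing "Auth-Type := Accept" on stdout, output_pairs = config), shown from the script's side as an added example that is not part of the thread or of FreeRADIUS itself. The credentials file path, the function names and the environment-variable quoting are assumptions, marked in the comments.

```shell
#!/bin/sh
# Added example, not from the thread. Check script run by the exec module
# from the authorize section; the authenticate section stays empty.
# Assumed exec module settings: wait = yes, input_pairs = request,
# output_pairs = config (the last one is the setting named in the reply).
# Assumption: rlm_exec exports request attributes as environment variables
# (User-Name -> USER_NAME) with string values wrapped in double quotes.

# Hypothetical credentials file, one "user:password" entry per line.
CRED_FILE="${CRED_FILE:-/etc/freeradius/exec-users}"

# Remove one pair of surrounding double quotes, if present.
strip_quotes() {
    v=$1
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# $1 = user, $2 = password. Prints the control pair and returns 0 on a match.
check_user() {
    user=$(strip_quotes "$1")
    pass=$(strip_quotes "$2")
    # Fail closed on empty input.
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    # Plain string comparison only: no eval, no user input used as a pattern.
    while IFS=: read -r u p || [ -n "$u" ]; do
        if [ "$u" = "$user" ] && [ "$p" = "$pass" ]; then
            echo 'Auth-Type := Accept'
            return 0
        fi
    done < "$CRED_FILE"
    # No match or unreadable file: nothing printed, non-zero status.
    return 1
}

# Run only when the server supplied a User-Name. Exit status 1 makes the
# exec module return reject.
if [ -n "${USER_NAME+x}" ]; then
    check_user "$USER_NAME" "${USER_PASSWORD-}"
    exit $?
fi
```

Reading the password from the environment keeps it off the command line, where other local users could see it in the process list.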



