external auth script

Janis Heller janis.heller at outlook.de
Fri Jul 22 13:50:19 CEST 2016


I think I will try to use the REST module instead of the exec module; many posts I found on the internet say „keep your hands off exec“. So I think I will take a deeper look into REST.

I’ve found the rest module in the mods-available folder. I placed the sample config into this file and copied it to mods-enabled.
Now when I try to start radius (in debug mode) it shows:

/etc/freeradius/mods-enabled/rest[1]: Failed to link to module 'rlm_rest': /usr/lib/freeradius/rlm_rest.so: cannot open shared object file: No such file or directory

After some research, the solution seems to be to edit the config file of the rest module, but I can’t find any hint regarding its location.

regards from Germany;

On 22.07.2016 at 13:25, Pshem Kowalczyk <pshem.k at gmail.com> wrote:

Hi,

If you're to use rest - have a look in mods-available - should be there, a
sample config can look like this:

rest check_access_rest {
   connect_uri = "http://127.0.0.1:8080"

   connect_timeout = 4.0

   authorize {
       uri = "${..connect_uri}/auth/%{User-Name}"
       method = 'get'
   }
   authenticate {
   }

   accounting {
   }
   post-auth {
   }

   pool {
       start = ${thread[pool].start_servers}
       min = ${thread[pool].min_spare_servers}
       max = ${thread[pool].max_servers}

       spare = ${thread[pool].max_spare_servers}

       uses = 0
       lifetime = 0
       idle_timeout = 60
   }
}

and then the authorize section:

authorize {
 check_access_rest
}

Since you want to return 'Auth-Type := Accept', make sure the response is of
the correct type (application/json) and your return code is 200. The
response should look something like this:
{
    "Auth-Type": {
        "op": ":=",
        "value": "Accept"
    }
}
More info here:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/rest


kind regards
Pshem




On Fri, 22 Jul 2016 at 23:12 Janis Heller <janis.heller at outlook.de> wrote:

I’m using Freeradius v 3.0.11.
Sorry, there is no „rest“ file in mods-enabled folder
(etc/freeradius/mods-enabled).

I’ve reread your post, here’s my current config:

authorize {
               Auth-Type  exec {
            exec
               }
}

authenticate {

}

Now when I try to start radius these lines are printed in red color.

/etc/freeradius/sites-enabled/default[18]: Failed to find "Auth-Type" as a
module or policy.
/etc/freeradius/sites-enabled/default[18]: Please verify that the
configuration exists in /etc/freeradius/mods-enabled/Auth-Type.
/etc/freeradius/sites-enabled/default[17]: Errors parsing authorize
section.

All the best;

janis

On 22.07.2016 at 12:27, Matthew Newton <mcn4 at leicester.ac.uk> wrote:

On Fri, Jul 22, 2016 at 10:18:10AM +0000, Janis Heller wrote:
I’m a newbie to RADIUS.

I suggest you read through doc/concepts/aaa.rst.

Otherwise you're just guessing where you should put things.

I’ve taken a look into my modules folder, there’s no rest module. How
can I build this fast? Many of you told me to use rest instead of exec to
perform a simple web request to some script.

If you've got a "modules" folder then you're using version 2,
which is end of life and not supported any more. You need version
3.

We would have known this if you'd sent the full output of radiusd
-X...

authorize {

}

authenticate {
    Auth-Type exec {
    exec
    }
}

I get this error all the time (provided username & password are correct)

(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject

I’m a bit confused about this. I think I only need to use
authorize to validate username & password. My accounts won’t
have custom permissions etc.

That's not the right place for what you are trying to do, and not
what I put in the previous e-mails.

Put exec in authorize, nothing in authenticate.

Make your script output "Auth-Type := Accept" on stdout. This
skips the authenticate section and directly accepts the request.

Use "output_pairs = config" as well as your existing exec config.

It works. I tested it here. No other config changes than those.

You still shouldn't use exec like this in production.

I suggest you play around with concepts like this first (even if
you shouldn't use it) before trying to use something like rest, so
that you learn how FreeRADIUS works.

And read all the debug output. It shows how packets flow through
the server, and which modules are hit when. Debug output in
version 3.0.11 is clearer than in version 2.

Matthew



--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
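
A minimal backend for the check_access_rest config quoted above, as an added example that is not part of the original thread or of FreeRADIUS itself: it answers GET /auth/<User-Name> on 127.0.0.1:8080 with the JSON reply Pshem describes. The ALLOWED_USERS set, the username pattern and the 400/404 codes for refused requests are assumptions made for illustration; like the quoted config, it decides on the user name alone.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed sample data: accounts this backend will accept (hypothetical).
ALLOWED_USERS = {"alice", "bob"}

# User-Name arrives from the RADIUS client, so treat it as untrusted input.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

ACCEPT_BODY = {"Auth-Type": {"op": ":=", "value": "Accept"}}


def build_response(path, allowed=ALLOWED_USERS):
    """Return (status, content_type, body_bytes) for a GET on /auth/<user>."""
    prefix = "/auth/"
    if not path.startswith(prefix):
        return 404, "text/plain", b"not found\n"
    user = unquote(path[len(prefix):])
    # Refuse anything that is not a plain account name (slashes, NULs, ...).
    if not USERNAME_RE.fullmatch(user):
        return 400, "text/plain", b"bad username\n"
    if user not in allowed:
        # Non-200 and no Auth-Type pair: nothing tells the server to accept.
        return 404, "text/plain", b"unknown user\n"
    return 200, "application/json", json.dumps(ACCEPT_BODY).encode()


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = build_response(self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback only, matching connect_uri = "http://127.0.0.1:8080".
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```
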





More information about the Freeradius-Users mailing list