Exec-Program-Wait not working
Alan DeKok
aland at deployingradius.com
Wed Jun 19 19:08:58 CEST 2019
On Jun 19, 2019, at 12:55 PM, Gianni Costanzi <gianni.costanzi at gmail.com> wrote:
> Auth-Type reject is forced by the default entry, which is examined because
> the user entry was not matched with Exec-Program-Wait = "xxxx"
No, that's not true. Exec-Program-Wait doesn't affect how a "users" file entry is matched.
So the problem isn't with Exec-Program-Wait. It's with matching entries in the "users" file.
Describing the problem *correctly* will let us help you. Giving wrong information is a waste of everyone's time.
> (basically I need to reject the user if it receives an access accept but it is not matched by
> a specific entry in the users file).
That's the default behaviour. You don't need to add rules to do that.
> Now I tried with a simpler user, which is not authenticated on another realm and has
> a simple cleartext password. This time the entry for testgianni user is matched, but
> the program is not invoked:
>
> testgianni Cleartext-Password := "test123", Exec-Program-Wait := "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}"
>         Service-Type := Login-User,
>         cisco-avpair = "shell:priv-lvl=2"
>
> DEFAULT Realm == imp, Auth-Type := reject
>
> (1) suffix: No '@' in User-Name = "testgianni", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) files: EXPAND /opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}
> (1) files: --> /opt/script/radius/bin/check_operator_access.sh 10.122.159.2 testgianni
> (1) files: users: Matched entry testgianni at line 512
> (1) [files] = ok
> [...]
> (1) Found Auth-Type = PAP
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) Auth-Type PAP {
> (1) pap: Login attempt with password
> (1) pap: Comparing with "known good" Cleartext-Password
> (1) pap: User authenticated successfully
> (1) [pap] = ok
> (1) } # Auth-Type PAP = ok
> (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> (1) post-auth {
> (1) update {
> (1) No attributes updated
> (1) } # update = noop
> (1) [exec] = noop
The "exec" module implements the Exec-Program-Wait functionality. If it's returning "noop", that's because the module doesn't see Exec-Program-Wait.
At this point, just use the "exec" module. See the "echo" module for examples of running a custom program.
Alan DeKok.
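For readers following the advice above, here is what "just use the exec module" looks like as a configuration. This is an added example, not part of the thread and not the poster's or FreeRADIUS's own files; the module instance name `check_operator_access`, the choice to run it from the `authorize` section of the default virtual server, and the timeout value are this example's assumptions. The script path and the three arguments are the ones quoted in the thread.

```conf
# /etc/raddb/mods-available/check_operator_access   (added example, not from the thread)
# A dedicated rlm_exec instance replaces the Exec-Program-Wait attribute in the users file.
# Module instance name and the 10 second timeout are assumptions for this example.
exec check_operator_access {
        # wait = yes: the server blocks for the script and maps its exit status to a
        # return code: 0 -> ok, 1 -> reject, 2 or higher -> fail.
        wait = yes
        program = "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}"
        input_pairs = request
        # User-Name is client-supplied; keep escaping on so an attacker-chosen name
        # cannot smuggle extra arguments into the script invocation.
        shell_escape = yes
        timeout = 10
}

# /etc/raddb/sites-enabled/default   (only the relevant part of the authorize section)
# "files" runs first so Cleartext-Password and the reply items are still set from
# the users file; "suffix" has already populated %{Realm} at this point.
authorize {
        suffix
        files
        check_operator_access
        pap
}

# /etc/raddb/users   (the quoted entry with Exec-Program-Wait removed)
testgianni      Cleartext-Password := "test123"
        Service-Type := Login-User,
        cisco-avpair = "shell:priv-lvl=2"

DEFAULT Realm == imp, Auth-Type := reject
```

Enable the instance by symlinking it from `mods-available` into `mods-enabled` and restart the server; a script exit status of 1 then turns into an Access-Reject for that request before authentication is attempted, which is the "reject unless my script agrees" behaviour the original poster was after. The `echo` module in `mods-available` is the reference point Alan mentions: it is the same `exec` module with a `program` line, so its comments document every option used here.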