Hi Hollman, I too have failed to grasp the nuances of the 'new' exec mechanisms. In the end I admitted defeat, and stuck to the 'old way' - which I fear may become deprecated at some point. In any case, here is what I have done and have working at this point. 1. Restore all the config files to their state before your exec modifications. 2. In the ..../raddb/users file, add an entry similar to the following.. DEFAULT Auth-Type := Accept Exec-Program-Wait = "/usr/local/sbin/auth -L -X -U -- %{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}" , Fall-Through = no 3. My program (auth) required some command line parameters (for legacy reasons). Radius dictionary name/value pairs are (should be) stored in the environment. Environment variables are radius dictionary names converted to upper case only and all '-' changed to '_' characters. 4. The auth program in my case is responsible for returning (on stdout) all the replay Name/Value pairs. These need to be 'comma separated. Beware <cr> characters and magically appearing commas. My code has the following comment/warning , "/* Need comma separated for freeradisu 2.1.8 */ /* EXCEPT for first value pair - freeradius adds it's own comma there for some reason..." A trailing comma seems to be harmless at this point. I THINK multiple comma MAY also be harmless at this point. If your reply value pairs are constant, you should be able to add them on the last line before the "Fall-Through = no" entry. Your auth program should return 0 for successful authentication, I return 255 for deny of login. (Perhaps any non 0 would work. Cannot recall.) I would LOVE to understand the NEW and more correct way of achieving the same result. If you figure it out, please let me know how to do it. Good Luck, -craig ----- Original Message ----- From: "hollman.diaz" <hollman.diaz@gmail.com> To: <freeradius-users@lists.freeradius.org> Sent: Sunday, January 30, 2011 8:50 PM Subject: Exec Module FreeRADIUS Version 2.1.8
Hi everybody
I'm trying to change the Auth-Type attribute with an external application. I'm using FreeRADIUS Version 2.1.8 and Ubuntu 10.04
What files do I should modify? I have tried with:
/etc/freeradius/radiusd.conf: ... instantiate { # # Allows the execution of external scripts. # The entire command line (and output) must fit into 253 bytes. # # e.g. Framed-Pool = `%{exec:/bin/echo foo}` exec ven{ wait = yes program = "/etc/disconnect/php return.php %{Calling-Station-Id}" input_pairs = request output_pairs = reply shell_escape = yes }
/etc/freeradius/sites-enabled/default post-auth { ... exec ven{ wait = yes program = "/etc/disconnect/php return.php %{Calling-Station-Id}" input_pairs = request output_pairs = reply shell_escape = yes }
/etc/freeradius/modules/exec ... # See also "echo" for more sample configuration. # exec ven{ wait = yes program = "/etc/disconnect/php return.php %{Calling-Station-Id}" input_pairs = request output_pairs = reply shell_escape = yes }
And /etc/freeradius/users: ... DEFAULT Auth-Type := '%{exec:/etc/disconnect/php return.php %{Calling-Station-Id}}' Fall-Through = No
External application is /etc/disconnect/return.php and it returns Accept or Reject values.
I have read several forums but I do not understand the procedure. I would appreciate a step by step procedure :)
Running freeradius -X, I get (with no modifications in /etc/freeradius/users): ... Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load /etc/freeradius/sites-enabled/default[464]: Failed to find module "exec". /etc/freeradius/sites-enabled/default[435]: Errors parsing post-auth section.
Line 464 is exec ven{
and line 435 is post-auth {
Thanks in advance,
Hollman Diaz -- View this message in context: http://freeradius.1045715.n5.nabble.com/Exec-Module-FreeRADIUS-Version-2-1-8... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Information from ESET Smart Security, version of virus signature database 5832 (20110130) __________
The message was checked by ESET Smart Security.
__________ Information from ESET Smart Security, version of virus signature database 5833 (20110131) __________ The message was checked by ESET Smart Security. http://www.eset.com