On Jun 19, 2019, at 2:18 PM, Gianni Costanzi <gianni.costanzi@gmail.com> wrote:
Hi Alan, the user is accepted by realm Imp proxy, then I force an analysis of users file even if the realm authentication succeeds, because there can be a user that is authenticated by the realm but must not be accepted by radius (you must be accepted by realm imp and be defined in the users file in order to have an access accept).
Why not just check the "users" file *before* proxying? authorize { ... files if (notfound) { reject } ... } It's *always* better to reject as soon as possible, instead of accepting the user, and then going "whoops, they were supposed to be rejected!" If the "users" file isn't well-suited for this, you can use any number of other modules to load users from databases or text files.
So if realm authentication returns access Accept and I don’t put a default access reject for users with realm imp, every user authenticated by realm imp would be accepted by radius even without being defined in users file.
See above. Again, describing the problem *correctly* will let us help you. Giving wrong or incomplete information is a waste of everyones time. Right now, you're giving out information in bits and pieces. Stop it.
When I put the exec-program-wait with := as you suggested the user entry is matched but the program is not executed at all, otherwise I would get an entry in /var/log/messages.
You'd also get a message in the debug output. Which we recommend reading.
I gave a look at the echo example but I don’t understand how I should use it in the way I was using exec-program-wait in release 2.0
You don't. You can create a module. You can control when modules are called through if / then / else conditions. You're stuck on implementing a *particular* solution. Which means you're ignoring alternative solutions.
(where it worked even if not placed on the first line as a check condition and was invoked correctly).
You've said that already. We understand.
I need to invoke that program only for some specific users and after having received an access accept by realm imp. Then I can return access accept to the device that authenticated the user.
See above: a) reject users BEFORE proxying b) then run the program for ALL users on Access-Accept
Hope I have clarified a bit our configuration.
I sincerely hope that this is the last clarification. Alan DeKok.