Okay thanks for the explanation. Here is the configuration that works for me: authorize { if (!control:Auth-Type) { update control { Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}` } } But is this the correct way to call an external script? I thought it should be done in the authenticate section. But if i try it with the config below it does not work: authorize { if (!control:Auth-Type) { update control { Auth-Type := OTPme } } authenticate { Auth-Type OTPme { update control { Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}` } } radiusd -X shows the following: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 52764, id=187, length=58 User-Name = "testuser" User-Password = "2b3491" NAS-Identifier = "SSO" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] No EAP-Message, not doing EAP ++[eap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> TRUE ++? if (!control:Auth-Type) -> TRUE ++if (!control:Auth-Type) { +++update control { +++} # update control = noop ++} # if (!control:Auth-Type) = noop +} # group authorize = noop Found Auth-Type = OTPme # Executing group from file /etc/raddb/sites-enabled/otpme +group OTPme { ++update control { expand: %{User-Name} -> testuser expand: %{User-Password} -> 2b3491 expand: %{NAS-Identifier} -> SSO expand: %{Client-IP-Address} -> 192.168.1.1 Exec output: Accept Exec plaintext: Accept Exec: program returned: 0 ++} # update control = noop +} # group OTPme = noop Failed to authenticate the user. Login incorrect: [testuser] (from client radius1 port 0) } # server otpme Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.7 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 187 to 192.168.1.1 port 52764 Waking up in 4.9 seconds. i'm sorry if this is a dumb question. i've mostly read the documentation and also some howtos. but im still not clear about whats the right way to do it... regards the2nd On 2015-01-16 16:46, Alan DeKok wrote:
On Jan 16, 2015, at 10:28 AM, the2nd@otpme.org wrote:
i have two questions regarding this setup.
1. for clear-text requests i always get "Auth: Invalid user: [heiko.baumann" on authentication failure. for ntlm request an "Auth: Login incorrect" is logged. i was using the script (exec) module before which logged "Auth: Login incorrect" on failure but i liked the idea of having the complete config in the virtual host file.
The log messages are different because we haven’t double-checked all of them. It shouldn’t be much of a problem, though.
i also tried to call my script from the authenticate section of my vhost but this was not working.
See the FAQ for “it doesn’t work”.
2. is it possible to call the script for ntlm/mschap authentication from the vhost config? currently its called from the mschap module.
The MS-CHAP module calls ntlm_auth. You *cannot* put that configuration into the virtual server.
both are just cosmetic issues but it would be great to have everything in on file. :)
Each piece of the configuration exists for a reason. They exist as independent pieces for a reason. Jamming them together in one file means you won’t be able to tell them apart.. and they won’t work.
also it would be great if someone with good freeradius skills could have a look at the example config because i'm not sure if its the best way to do external authentication with freeradius.
If authentication works, then you have a working configuration.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html