Sorry, things are still busy around here. I did not catch that, thank you! I must have edited the wrong file by accident. For the most part things are working great. I am only struggling with one last thing; I am trying to pass the variable for the devices mac address to the script. I am able to collect the username, IP, and their entered pap password perfectly fine. It's just the MacAddr that appears to be blank every time. I thought I was referencing it properly using Calling-Station-Id.. authorize { update control { Auth-Type := `/usr/bin/php -f /etc/freeradius/auth.php '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}' '%{Calling-Station-Id}'` } } A side question I have as well. Do you happen to know of a way to pass these parameters securely? or a way to prevent Injection attacks using this execution method? Thanks again for the help, On Mon, Sep 30, 2019 at 11:18 AM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 30, 2019, at 11:06 AM, Nate . <nate2077developer@gmail.com> wrote:
Hello, I'm trying to test something different in my environment. I read that you can use external authenticators using EXEC. I have tried a basic setup and am running into a problem. I'm not super clear on what the logs are trying to tell me. I feel like the documents I'm reading must be outdated or wrong like many of the website out there. I am simply trying to use a PHP script to return Accept; no matter what
is
called. Just to test this out. *auth.php contents:*
You can't just return "accept' when the client is using EAP. You MUST allow the full EAP conversation to run to completion.
I feel like I must have the Executing script in the wrong location maybe? I am running using TTLS-PAP on the client(ignoring the certificate on the clients end) and it gives me an authentication failure.
Put the accept into the inner-tunnel virtual server. It will work for TTLS + PAP, but not for TTLS + MS-CHAP, or PEAP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html