Il giorno mer 19 giu 2019 alle 19:09 Alan DeKok <aland@deployingradius.com> ha scritto:
On Jun 19, 2019, at 12:55 PM, Gianni Costanzi <gianni.costanzi@gmail.com> wrote:
Auth-Type reject is forced by the default entry, which is examined because the user entry was not matched with Exec-Program-Wait = "xxxx"
No, that's not true. Exec-Program-Wait doesn't affect how a "users" file entry is matched.
So the problem isn't with Exec-Program-Wait. It's with matching entries in the "users" file.
Describing the problem *correctly* will let us help you. Giving wrong information is a waste of everyones time.
(basically I need to reject the user if it receives an access accept but it is not matched by a specific entry in the users file).
That's the default behaviour. You don't need to add rules to do that.
Now I tried with a simpler user, which is not authenticated on another realm and has a simple cleartext password. This time the entry for testgianni user is matched, but the program is not invoked:
testgianni Cleartext-Password := "test123", Exec-Program-Wait := "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}" Service-Type := Login-User, cisco-avpair = "shell:priv-lvl=2"
DEFAULT Realm == imp, Auth-Type := reject
(1) suffix: No '@' in User-Name = "testgianni", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) files: EXPAND /opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm} (1) files: --> /opt/script/radius/bin/check_operator_access.sh 10.122.159.2 testgianni (1) files: users: Matched entry testgianni at line 512 (1) [files] = ok [...] (1) Found Auth-Type = PAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Auth-Type PAP { (1) pap: Login attempt with password (1) pap: Comparing with "known good" Cleartext-Password (1) pap: User authenticated successfully (1) [pap] = ok (1) } # Auth-Type PAP = ok (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default (1) post-auth { (1) update { (1) No attributes updated (1) } # update = noop (1) [exec] = noop
The "exec" module implements the Exec-Program-Wait functionality. If it's returning "noop", that's because the module doesn't see Exec-Program-Wait.
At this point, just use the "exec" module. See the "echo" module for examples of running a custom program.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, the user is accepted by realm Imp proxy, then I force an analysis of users file even if the realm authentication succeeds, because there can be a user that is authenticated by the realm but must not be accepted by radius (you must be accepted by realm imp and be defined in the users file in order to have an access accept). So if realm authentication returns access Accept and I don’t put a default access reject for users with realm imp, every user authenticated by realm imp would be accepted by radius even without being defined in users file. When I put the exec-program-wait with := as you suggested the user entry is matched but the program is not executed at all, otherwise I would get an entry in /var/log/messages. I gave a look at the echo example but I don’t understand how I should use it in the way I was using exec-program-wait in release 2.0 (where it worked even if not placed on the first line as a check condition and was invoked correctly). I need to invoke that program only for some specific users and after having received an access accept by realm imp. Then I can return access accept to the device that authenticated the user. Hope I have clarified a bit our configuration. Gianni -- --< Sent from GMail mobile >-- -------------------------------------------------------------------------------------------------------------- Find me on LinkedIn: http://it.linkedin.com/in/giannicostanzi My blog: http://networkingpills.wordpress.com My best photos on 500px: http://500px.com/GianniCostanzi PGP Key Fingerprint: 2404 1798 E01F F6BF 0FA3 AA07 B6D5 040F 2EDD 456A --------------------------------------------------------------------------------------------------------------