On 27/11/2023 12:38, Vogt, Andreas wrote:
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type OTP_OWA { (0) update control { (0) Executing: /usr/bin/php /freeradius_scripts/getSecretFromDB.php --username=%{User-Name} : (0) EXPAND --username=%{User-Name} (0) --> --username=USER.NAME (0) Program returned code (0) and output SECRET (0) SECRET := SECRET (0) Executing: /usr/bin/php /freeradius_scripts/get_last_used_pin.php --username=%{User-Name}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) Program returned code (0) and output 12346 (0) LAST_USED_PIN := 12346 (0) Executing: /bin/bash /freeradius_scripts/getPin %{control:SECRET}: (0) EXPAND %{control:SECRET} (0) --> SECRET (0) Program returned code (0) and output 12346 (0) PIN := 12346 (0) PIN_FROM_USER := %{User-Password} (0) Executing: /usr/bin/php /freeradius_scripts/get_attempts.php --username=%{User-Name}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) Program returned code (0) and output '0' (0) ATTEMPTS := 0 (0) Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}: (0) EXPAND --username=%{User-Name} (0) --> --username= USER.NAME (0) EXPAND --pin=%{control:PIN} (0) --> --pin=12346 (0) EXPAND --pin_from_user=%{User-Password} (0) --> --pin_from_user=12346 (0) EXPAND --last_used_pin=%{control:LAST_USED_PIN} (0) --> --last_used_pin=64321 (0) EXPAND --attempts=%{control:ATTEMPTS} (0) --> --attempts=0 (0) Program returned code (0) and output 'Accept' (0) Auth_Type_LOG := Accept (0) Executing: /usr/bin/php /freeradius_scripts/check_pin_dev_log.php --username=%{User-Name} --pin=%{control:PIN} --pin_from_user=%{User-Password} --last_used_pin=%{control:LAST_USED_PIN} --attempts=%{control:ATTEMPTS}:
I hope this is only a toy server for playing around. Running that number of external scripts must make this the most inefficient configuration I've seen in years.
(0) Program returned code (0) and output 'Accept' (0) Auth-Type := Accept (0) } # update control = noop (0) update reply { (0) Reply-Message := Accept (0) } # update reply = noop (0) } # Auth-Type OTP_OWA = noop
Your Auth-Type section is returning "noop", not "ok". It's too late to set Auth-Type here - you do that in the authorize section.
(0) Failed to authenticate the user
So my .php Script checks the OTP-PIN ans returns “Accept”, but the freeradius answers Accept-Reject… Why?
Return "ok" from the authenticate section. You can do that with an "if" to test the response from the hundreds of scripts. if (whatever) { ok } -- Matthew