freeradius service
I’m running a freshly freeradius server (built from source) version 3.0.12 on a ubuntu server. Is there a way to control radius server as a service, like for example ’service radiusd stop’? All the best; Janis
On Thu, Jul 21, 2016 at 08:55:29AM +0000, Janis Heller wrote:
I’m running a freshly freeradius server (built from source) version 3.0.12 on a ubuntu server. Is there a way to control radius server as a service, like for example ’service radiusd stop’?
Best way is to build .deb packages, then you can indeed 'service freeradius stop' as it installs init scripts/systemd unit files for you. Building packages is easy. See http://wiki.freeradius.org/building/Debian and http://wiki.freeradius.org/building/Building-Ubuntu-packages-from-source Otherwise you'll have to install the init scripts manually. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
I’m running a freshly freeradius server (built from source) version 3.0.12 on a ubuntu server. Is there a way to control radius server as a service, like for example ’service radiusd stop’?
yes. in the source archive are relevant scripts for doing this (and if you used the package build method it'd have put it into place for you) many thanks alan
I’ve done nearly all steps from the documentation. But before I run: sudo dpkg -i *freeradius*_W.X.Y*_*.deb I looked into my directory of radius. There is no .deb file, so this is the reason why the command fail. Screenshot: http://puu.sh/q9dFM/98c85721b2.png How to install it with support for service now? I’ve completed the installation by using these commands: ./configure make make install All the best; Am 21.07.2016 um 11:36 schrieb <A.L.M.Buxey@lboro.ac.uk<mailto:A.L.M.Buxey@lboro.ac.uk>> <A.L.M.Buxey@lboro.ac.uk<mailto:A.L.M.Buxey@lboro.ac.uk>>: Hi, I’m running a freshly freeradius server (built from source) version 3.0.12 on a ubuntu server. Is there a way to control radius server as a service, like for example ’service radiusd stop’? yes. in the source archive are relevant scripts for doing this (and if you used the package build method it'd have put it into place for you) many thanks alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 21, 2016, at 1:02 PM, Janis Heller <janis.heller@outlook.de> wrote:
I’ve done nearly all steps from the documentation. But before I run:
sudo dpkg -i *freeradius*_W.X.Y*_*.deb
I looked into my directory of radius. There is no .deb file, so this is the reason why the command fail.
it fails because you're not building debian packages. The process for building debian packages is documented on wiki.freeradius.org. Please follow that documentation.
Screenshot: http://puu.sh/q9dFM/98c85721b2.png
Don't post screen shots. It's not difficult to cut & paste text to the list. Alan DeKok.
On Thu, Jul 21, 2016 at 11:02:51AM +0000, Janis Heller wrote:
sudo dpkg -i *freeradius*_W.X.Y*_*.deb
I looked into my directory of radius. There is no .deb file, so this is the reason why the command fail.
From the wiki:
"This will build packages in the parent directory"... dpkg -i ../*.deb
I’ve completed the installation by using these commands:
./configure make make install
That doesn't build .deb packages, which might explain why you haven't got any. See the wiki for how to do that. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I would like to use RADIUS to process the authentification of users to my VPN servers using a PHP script which is called by RADIUS processing the auth process. For this reason I added the following part into my exec file: exec { wait = yes program = "/usr/bin/php -f /usr/local/auth.php %{User-Name} %{User-Password}" input_pairs = request shell_escape = yes timeout = 10 } When I test the script by executing: radtest testing password localhost -4 testing123 I get this error: (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject I attached my
On Thu, Jul 21, 2016 at 08:21:53PM +0000, Janis Heller wrote:
I would like to use RADIUS to process the authentification of users to my VPN servers using a PHP script which is called by RADIUS processing the auth process.
That's generally a bad idea, and won't scale well. Forking a new process for each auth is really slow. You are probably better to just get FreeRADIUS to look directly at whatever authentication database your PHP script is looking at.
For this reason I added the following part into my exec file:
exec { wait = yes program = "/usr/bin/php -f /usr/local/auth.php %{User-Name} %{User-Password}" input_pairs = request shell_escape = yes timeout = 10 }
When I test the script by executing:
radtest testing password localhost -4 testing123
I get this error:
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Your script didn't set Auth-Type, so FreeRADIUS doesn't know how to authenticate the request. You could try a couple of things. Use output_pairs = config, then get your script to print "Auth-Type := Accept" or "Auth-Type := Reject" on success/failure. Or follow the usual PAP/ntlm_auth examples at http://wiki.freeradius.org/guide/NTLM%20Auth%20with%20PAP%20HOWTO and do it properly with its own Auth-Type.
I attached my
Not useful. The output of radiusd -X would be. But try the above first. But really, I'd forget the PHP script if possible. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Since RADIUS don’t support bcrypt() hashed passwords this isn’t possible. That’s why I choose this way. Any idea what’s my fault. It seems like PAP is active, I already put a # before the line of PAP.
Am 21.07.2016 um 22:59 schrieb Matthew Newton <mcn4@leicester.ac.uk>:
On Thu, Jul 21, 2016 at 08:21:53PM +0000, Janis Heller wrote:
I would like to use RADIUS to process the authentification of users to my VPN servers using a PHP script which is called by RADIUS processing the auth process.
That's generally a bad idea, and won't scale well. Forking a new process for each auth is really slow.
You are probably better to just get FreeRADIUS to look directly at whatever authentication database your PHP script is looking at.
For this reason I added the following part into my exec file:
exec { wait = yes program = "/usr/bin/php -f /usr/local/auth.php %{User-Name} %{User-Password}" input_pairs = request shell_escape = yes timeout = 10 }
When I test the script by executing:
radtest testing password localhost -4 testing123
I get this error:
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Your script didn't set Auth-Type, so FreeRADIUS doesn't know how to authenticate the request.
You could try a couple of things.
Use output_pairs = config, then get your script to print "Auth-Type := Accept" or "Auth-Type := Reject" on success/failure.
Or follow the usual PAP/ntlm_auth examples at http://wiki.freeradius.org/guide/NTLM%20Auth%20with%20PAP%20HOWTO and do it properly with its own Auth-Type.
I attached my
Not useful. The output of radiusd -X would be. But try the above first.
But really, I'd forget the PHP script if possible.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Jul 21, 2016 at 09:01:57PM +0000, Janis Heller wrote:
Since RADIUS don’t support bcrypt() hashed passwords this isn’t possible. That’s why I choose this way.
If you're using a BSD system then you can use FreeRADIUS. Otherwise just watch the system doesn't get too slow doing authentications.
Any idea what’s my fault. It seems like PAP is active, I already put a # before the line of PAP.
Did you try anything I suggested? Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I’ve cleared my default file a bit. I think these are the needed lines: authorize { exec } # Authentication. authenticate { exec } Now here’s my PHP script: <?php if ($argv[1] == 'testing' && $argv[2] == 'password') { echo "Accept"; return (0); } else echo "REJECT"; exit(2); ?> When I try to make a request this is the debug output: (0) authorize { (0) exec: Executing: /usr/bin/php -f /usr/local/auth.php %{User-Name} %{User-Password}: (0) exec: EXPAND %{User-Name} (0) exec: --> testing (0) exec: EXPAND %{User-Password} (0) exec: --> password (0) exec: Program returned code (0) and output 'Accept' (0) exec: Program executed successfully (0) [exec] = ok (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user It seems like the returned value of my PHP script is incorrect?
Am 21.07.2016 um 23:16 schrieb Matthew Newton <mcn4@leicester.ac.uk>:
On Thu, Jul 21, 2016 at 09:01:57PM +0000, Janis Heller wrote:
Since RADIUS don’t support bcrypt() hashed passwords this isn’t possible. That’s why I choose this way.
If you're using a BSD system then you can use FreeRADIUS. Otherwise just watch the system doesn't get too slow doing authentications.
Any idea what’s my fault. It seems like PAP is active, I already put a # before the line of PAP.
Did you try anything I suggested?
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If your OS’s crypt function supports bcrypt so does FreeRADIUS… Don’t screw up your install by using exec (which forks and is horribly slow), and a language that by transitive association was a pile of shit at its inception, and despite transitioning to C, hasn’t really improved in the past couple of decades. That elephant has nothing to smile about… apart from possibly what it’s about to receive into its rectum. -Arran
Please I would like to use exec. Regards; Janis
Am 21.07.2016 um 23:37 schrieb Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
If your OS’s crypt function supports bcrypt so does FreeRADIUS…
Don’t screw up your install by using exec (which forks and is horribly slow), and a language that by transitive association was a pile of shit at its inception, and despite transitioning to C, hasn’t really improved in the past couple of decades.
That elephant has nothing to smile about… apart from possibly what it’s about to receive into its rectum.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Jul 21, 2016 at 09:25:44PM +0000, Janis Heller wrote:
authorize { exec }
Yes
# Authentication. authenticate { exec }
No
<?php if ($argv[1] == 'testing' && $argv[2] == 'password') { echo "Accept";
That's not what I wrote. "Auth-Type := Accept"
return (0); } else echo "REJECT";
Similarly, "Auth-Type := Reject"
It seems like the returned value of my PHP script is incorrect?
Yes. You need "output_pairs = config" in your exec config as well, as I previously wrote. The script output is taken as an attribute list, in the same way as you'd put in the users file, or feed to radclient, or is output from the detail writer. It tells FreeRADUS what attributes to create, with which values. On Thu, Jul 21, 2016 at 09:40:06PM +0000, Janis Heller wrote:
Please I would like to use exec.
Arran is right. Please don't complain here if you get it working, and then find that it stops after a short while because it can't cope with the workload. exec for auth is a really bad idea. But he was probably being a bit too kind about PHP. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi, If you really have to use PHP for auth I suggest you run it through a web server in a FPM mode and then use rlm_rest to actually query your script. Might require slightly more work but will definitely scale much better then exec. kind regards Pshem On Fri, 22 Jul 2016 at 10:15 Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Jul 21, 2016 at 09:25:44PM +0000, Janis Heller wrote:
authorize { exec }
Yes
# Authentication. authenticate { exec }
No
<?php if ($argv[1] == 'testing' && $argv[2] == 'password') { echo "Accept";
That's not what I wrote.
"Auth-Type := Accept"
return (0); } else echo "REJECT";
Similarly,
"Auth-Type := Reject"
It seems like the returned value of my PHP script is incorrect?
Yes.
You need "output_pairs = config" in your exec config as well, as I previously wrote.
The script output is taken as an attribute list, in the same way as you'd put in the users file, or feed to radclient, or is output from the detail writer. It tells FreeRADUS what attributes to create, with which values.
On Thu, Jul 21, 2016 at 09:40:06PM +0000, Janis Heller wrote:
Please I would like to use exec.
Arran is right. Please don't complain here if you get it working, and then find that it stops after a short while because it can't cope with the workload.
exec for auth is a really bad idea.
But he was probably being a bit too kind about PHP.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I’ve done some research nearly the whole night.
>From my point of view I only need the authorize{} part. Here’s my entry in the default config file:
authorize {
update control {
Auth-Type := exec
}
}
authenticate {
exec
}
As soon as I delete the entry from „authenticate“ I get an error saying:
/etc/freeradius/sites-enabled/default[58]: Unknown or invalid value "exec" for attribute Auth-Type
/etc/freeradius/sites-enabled/default[56]: Errors parsing authorize section.
Here’s my PHP script:
<?php
if ($argv[1] == 'testing' && $argv[2] == 'password')
{
exit (0);
}
else
exit(2);
?>
Why did I need to fill exec into the authenticate section too? I just want to use radius to send the username & password to my script and whole checking process is made by the script.
After I read about „rlm_rest“ building a small web API for validation would be the best idea I think, are there some examples how I include the „rlm_rest“ for authorize section? As I already said, I only need radius to perform checks in the authorize section, other sections (authorization & accounting) can be empty, from my point of view?!
Regards;
janis
> Am 22.07.2016 um 00:27 schrieb Pshem Kowalczyk <pshem.k@gmail.com>:
>
> Hi,
>
> If you really have to use PHP for auth I suggest you run it through a web
> server in a FPM mode and then use rlm_rest to actually query your script.
> Might require slightly more work but will definitely scale much better then
> exec.
>
> kind regards
> Pshem
>
>
> On Fri, 22 Jul 2016 at 10:15 Matthew Newton <mcn4@leicester.ac.uk> wrote:
>
>> On Thu, Jul 21, 2016 at 09:25:44PM +0000, Janis Heller wrote:
>>> authorize {
>>> exec
>>> }
>>
>> Yes
>>
>>> # Authentication.
>>> authenticate {
>>> exec
>>> }
>>
>> No
>>
>>
>>> <?php
>>> if ($argv[1] == 'testing' && $argv[2] == 'password')
>>> {
>>> echo "Accept";
>>
>> That's not what I wrote.
>>
>> "Auth-Type := Accept"
>>
>>> return (0);
>>> }
>>> else
>>> echo "REJECT";
>>
>> Similarly,
>>
>> "Auth-Type := Reject"
>>
>>> It seems like the returned value of my PHP script is incorrect?
>>
>> Yes.
>>
>> You need "output_pairs = config" in your exec config as well, as I
>> previously wrote.
>>
>> The script output is taken as an attribute list, in the same way
>> as you'd put in the users file, or feed to radclient, or is output
>> from the detail writer. It tells FreeRADUS what attributes to
>> create, with which values.
>>
>>
>> On Thu, Jul 21, 2016 at 09:40:06PM +0000, Janis Heller wrote:
>>> Please I would like to use exec.
>>
>> Arran is right. Please don't complain here if you get it working,
>> and then find that it stops after a short while because it can't
>> cope with the workload.
>>
>> exec for auth is a really bad idea.
>>
>> But he was probably being a bit too kind about PHP.
>>
>> Matthew
>>
>>
>> --
>> Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
>>
>> Systems Specialist, Infrastructure Services,
>> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>>
>> For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Because in the authorize section you set the Auth-Type to 'exec'.
So FreeRADIUS expects to see an 'exec' authenticate item.
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp@jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.
On 22/07/2016, 07:45, "Freeradius-Users on behalf of Janis Heller"
<freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on
behalf of janis.heller@outlook.de> wrote:
>I’ve done some research nearly the whole night.
>From my point of view I only need the authorize{} part. Here’s my entry
>in the default config file:
>
>authorize {
> update control {
> Auth-Type := exec
> }
>}
>
>authenticate {
> exec
>}
>
>As soon as I delete the entry from „authenticate“ I get an error saying:
>
>/etc/freeradius/sites-enabled/default[58]: Unknown or invalid value
>"exec" for attribute Auth-Type
>/etc/freeradius/sites-enabled/default[56]: Errors parsing authorize
>section.
>
>Here’s my PHP script:
>
><?php
>if ($argv[1] == 'testing' && $argv[2] == 'password')
>{
> exit (0);
>}
>else
> exit(2);
>?>
>
>Why did I need to fill exec into the authenticate section too? I just
>want to use radius to send the username & password to my script and whole
>checking process is made by the script.
>
>After I read about „rlm_rest“ building a small web API for validation
>would be the best idea I think, are there some examples how I include the
>„rlm_rest“ for authorize section? As I already said, I only need radius
>to perform checks in the authorize section, other sections (authorization
>& accounting) can be empty, from my point of view?!
>
>Regards;
>
>janis
>
>> Am 22.07.2016 um 00:27 schrieb Pshem Kowalczyk <pshem.k@gmail.com>:
>>
>> Hi,
>>
>> If you really have to use PHP for auth I suggest you run it through a
>>web
>> server in a FPM mode and then use rlm_rest to actually query your
>>script.
>> Might require slightly more work but will definitely scale much better
>>then
>> exec.
>>
>> kind regards
>> Pshem
>>
>>
>> On Fri, 22 Jul 2016 at 10:15 Matthew Newton <mcn4@leicester.ac.uk>
>>wrote:
>>
>>> On Thu, Jul 21, 2016 at 09:25:44PM +0000, Janis Heller wrote:
>>>> authorize {
>>>> exec
>>>> }
>>>
>>> Yes
>>>
>>>> # Authentication.
>>>> authenticate {
>>>> exec
>>>> }
>>>
>>> No
>>>
>>>
>>>> <?php
>>>> if ($argv[1] == 'testing' && $argv[2] == 'password')
>>>> {
>>>> echo "Accept";
>>>
>>> That's not what I wrote.
>>>
>>> "Auth-Type := Accept"
>>>
>>>> return (0);
>>>> }
>>>> else
>>>> echo "REJECT";
>>>
>>> Similarly,
>>>
>>> "Auth-Type := Reject"
>>>
>>>> It seems like the returned value of my PHP script is incorrect?
>>>
>>> Yes.
>>>
>>> You need "output_pairs = config" in your exec config as well, as I
>>> previously wrote.
>>>
>>> The script output is taken as an attribute list, in the same way
>>> as you'd put in the users file, or feed to radclient, or is output
>>> from the detail writer. It tells FreeRADUS what attributes to
>>> create, with which values.
>>>
>>>
>>> On Thu, Jul 21, 2016 at 09:40:06PM +0000, Janis Heller wrote:
>>>> Please I would like to use exec.
>>>
>>> Arran is right. Please don't complain here if you get it working,
>>> and then find that it stops after a short while because it can't
>>> cope with the workload.
>>>
>>> exec for auth is a really bad idea.
>>>
>>> But he was probably being a bit too kind about PHP.
>>>
>>> Matthew
>>>
>>>
>>> --
>>> Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
>>>
>>> Systems Specialist, Infrastructure Services,
>>> I.T. Services, University of Leicester, Leicester LE1 7RH, United
>>>Kingdom
>>>
>>> For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html
>
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
Hi,
I’ve done some research nearly the whole night. From my point of view I only need the authorize{} part. Here’s my entry in the default config file:
authorize { update control { Auth-Type := exec } }
urgh. no need. just call the module in authenticate.
authenticate { exec }
if you are goign off-piste you need to hack in a lot more eg authenticate { Auth-Type exec { exec } } I doubt that works though - you cant just go freestyle and make up your own syntax
Why did I need to fill exec into the authenticate section too? I just want to use radius to send the username & password to my script and whole checking process is made by the script.
because you are checking passwords and authenticating someone. so you use authenticate alan
heyho, first of all, big thanks to all this help. I’m a newbie to RADIUS. I’ve taken a look into my modules folder, there’s no rest module. How can I built this fast? Many of you told me to use rest instead of exec to perform a simple web request to some script. I’ve used your code (A.L.M. Buxey), so my config file now looks like this: authorize { } authenticate { Auth-Type exec { exec } } I get this error all the time (provided username & password are correct) (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject I’m a bit confused about this. I think I only need to use authorize to validate username & password. My accounts won’t have custom permissions etc. All the best; janis
Am 22.07.2016 um 11:00 schrieb <A.L.M.Buxey@lboro.ac.uk> <A.L.M.Buxey@lboro.ac.uk>:
Hi,
I’ve done some research nearly the whole night. From my point of view I only need the authorize{} part. Here’s my entry in the default config file:
authorize { update control { Auth-Type := exec } }
urgh. no need. just call the module in authenticate.
authenticate { exec }
if you are goign off-piste you need to hack in a lot more eg
authenticate { Auth-Type exec { exec } }
I doubt that works though - you cant just go freestyle and make up your own syntax
Why did I need to fill exec into the authenticate section too? I just want to use radius to send the username & password to my script and whole checking process is made by the script.
because you are checking passwords and authenticating someone. so you use authenticate
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Jul 22, 2016 at 10:18:10AM +0000, Janis Heller wrote:
I’m a newbie to RADIUS.
I suggest you read through doc/concepts/aaa.rst. Otherwise you're just guessing where you should put things.
I’ve taken a look into my modules folder, there’s no rest module. How can I built this fast? Many of you told me to use rest instead of exec to perform a simple web request to some script.
If you've got a "modules" folder then you're using version 2, which is end of life and not supported any more. You need version 3. We would have known this if you'd sent the full output of radiusd -X...
authorize {
}
authenticate { Auth-Type exec { exec } }
I get this error all the time (provided username & password are correct)
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
I’m a bit confused about this. I think I only need to use authorize to validate username & password. My accounts won’t have custom permissions etc.
That's not the right place for what you are trying to do, and not what I put in the previous e-mails. Put exec in authorize, nothing in authenticate. Make your script output "Auth-Type := Accept" on stdout. This skips the authenticate section and directly accepts the request. Use "output_pairs = config" as well as your existing exec config. It works. I tested it here. No other config changes than those. You still shouldn't use exec like this in production. I suggest you play around with concepts like this first (even if you shouldn't use it) before trying to use something like rest, so that you learn how FreeRADIUS works. And read all the debug output. It shows how packets flow through the server, and which modules are hit when. Debug output in version 3.0.11 is clearer than in version 2. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I’m using Freeradius v 3.0.11. Sorry, there is no „rest“ file in mods-enabled folder (etc/freeradius/mods-enabled). I’ve reread your post, here’s my current config: authorize { Auth-Type exec { exec } } authenticate { } Now when I try to start radius these lines are printed in red color. /etc/freeradius/sites-enabled/default[18]: Failed to find "Auth-Type" as a module or policy. /etc/freeradius/sites-enabled/default[18]: Please verify that the configuration exists in /etc/freeradius/mods-enabled/Auth-Type. /etc/freeradius/sites-enabled/default[17]: Errors parsing authorize section. All the best; janis
Am 22.07.2016 um 12:27 schrieb Matthew Newton <mcn4@leicester.ac.uk>:
On Fri, Jul 22, 2016 at 10:18:10AM +0000, Janis Heller wrote:
I’m a newbie to RADIUS.
I suggest you read through doc/concepts/aaa.rst.
Otherwise you're just guessing where you should put things.
I’ve taken a look into my modules folder, there’s no rest module. How can I built this fast? Many of you told me to use rest instead of exec to perform a simple web request to some script.
If you've got a "modules" folder then you're using version 2, which is end of life and not supported any more. You need version 3.
We would have known this if you'd sent the full output of radiusd -X...
authorize {
}
authenticate { Auth-Type exec { exec } }
I get this error all the time (provided username & password are correct)
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
I’m a bit confused about this. I think I only need to use authorize to validate username & password. My accounts won’t have custom permissions etc.
That's not the right place for what you are trying to do, and not what I put in the previous e-mails.
Put exec in authorize, nothing in authenticate.
Make your script output "Auth-Type := Accept" on stdout. This skips the authenticate section and directly accepts the request.
Use "output_pairs = config" as well as your existing exec config.
It works. I tested it here. No other config changes than those.
You still shouldn't use exec like this in production.
I suggest you play around with concepts like this first (even if you shouldn't use it) before trying to use something like rest, so that you learn how FreeRADIUS works.
And read all the debug output. It shows how packets flow through the server, and which modules are hit when. Debug output in version 3.0.11 is clearer than in version 2.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, If you're to use rest - have a look in mods-available - should be there, a sample config can look like this: rest check_access_rest { connect_uri = "http://127.0.0.1:8080" connect_timeout = 4.0 authorize { uri = "${..connect_uri}/auth/%{User-Name}" method = 'get' } authenticate { } accounting { } post-auth { } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 lifetime = 0 idle_timeout = 60 } } and then the authorize section: authorize { check_access_rest } Since you want to return 'Auth-Type := Accept' make sure response is of the correct type (application/json) and you return code is 200. The response should look something like this: { "Auth-Type": { "op": ":=", "value": "Accept" } More info here: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail... kind regards Pshem On Fri, 22 Jul 2016 at 23:12 Janis Heller <janis.heller@outlook.de> wrote:
I’m using Freeradius v 3.0.11. Sorry, there is no „rest“ file in mods-enabled folder (etc/freeradius/mods-enabled).
I’ve reread your post, here’s my current config:
authorize { Auth-Type exec { exec } }
authenticate {
}
Now when I try to start radius these lines are printed in red color.
/etc/freeradius/sites-enabled/default[18]: Failed to find "Auth-Type" as a module or policy. /etc/freeradius/sites-enabled/default[18]: Please verify that the configuration exists in /etc/freeradius/mods-enabled/Auth-Type. /etc/freeradius/sites-enabled/default[17]: Errors parsing authorize section.
All the best;
janis
Am 22.07.2016 um 12:27 schrieb Matthew Newton <mcn4@leicester.ac.uk>:
On Fri, Jul 22, 2016 at 10:18:10AM +0000, Janis Heller wrote:
I’m a newbie to RADIUS.
I suggest you read through doc/concepts/aaa.rst.
Otherwise you're just guessing where you should put things.
I’ve taken a look into my modules folder, there’s no rest module. How can I built this fast? Many of you told me to use rest instead of exec to perform a simple web request to some script.
If you've got a "modules" folder then you're using version 2, which is end of life and not supported any more. You need version 3.
We would have known this if you'd sent the full output of radiusd -X...
authorize {
}
authenticate { Auth-Type exec { exec } }
I get this error all the time (provided username & password are correct)
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
I’m a bit confused about this. I think I only need to use authorize to validate username & password. My accounts won’t have custom permissions etc.
That's not the right place for what you are trying to do, and not what I put in the previous e-mails.
Put exec in authorize, nothing in authenticate.
Make your script output "Auth-Type := Accept" on stdout. This skips the authenticate section and directly accepts the request.
Use "output_pairs = config" as well as your existing exec config.
It works. I tested it here. No other config changes than those.
You still shouldn't use exec like this in production.
I suggest you play around with concepts like this first (even if you shouldn't use it) before trying to use something like rest, so that you learn how FreeRADIUS works.
And read all the debug output. It shows how packets flow through the server, and which modules are hit when. Debug output in version 3.0.11 is clearer than in version 2.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think I will try to use REST module instead of exec module, many posts I found on the internet say „keep your hands off exec“. So I think I would take deeper look into REST. I’ve found the rest module in the mods-available folder. I placed the sample config into this file and copied it to mods-enabled. Now when I try to start radius (in debug mode) it shows: /etc/freeradius/mods-enabled/rest[1]: Failed to link to module 'rlm_rest': /usr/lib/freeradius/rlm_rest.so: cannot open shared object file: No such file or directory After some research solution seems to be to edit the config file of rest module, but I don’t find any hint regarding the location of it. regards from Germany; Am 22.07.2016 um 13:25 schrieb Pshem Kowalczyk <pshem.k@gmail.com<mailto:pshem.k@gmail.com>>: Hi, If you're to use rest - have a look in mods-available - should be there, a sample config can look like this: rest check_access_rest { connect_uri = "http://127.0.0.1:8080" connect_timeout = 4.0 authorize { uri = "${..connect_uri}/auth/%{User-Name}" method = 'get' } authenticate { } accounting { } post-auth { } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 lifetime = 0 idle_timeout = 60 } } and then the authorize section: authorize { check_access_rest } Since you want to return 'Auth-Type := Accept' make sure response is of the correct type (application/json) and you return code is 200. The response should look something like this: { "Auth-Type": { "op": ":=", "value": "Accept" } More info here: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail... kind regards Pshem On Fri, 22 Jul 2016 at 23:12 Janis Heller <janis.heller@outlook.de> wrote: I’m using Freeradius v 3.0.11. Sorry, there is no „rest“ file in mods-enabled folder (etc/freeradius/mods-enabled). I’ve reread your post, here’s my current config: authorize { Auth-Type exec { exec } } authenticate { } Now when I try to start radius these lines are printed in red color. /etc/freeradius/sites-enabled/default[18]: Failed to find "Auth-Type" as a module or policy. /etc/freeradius/sites-enabled/default[18]: Please verify that the configuration exists in /etc/freeradius/mods-enabled/Auth-Type. /etc/freeradius/sites-enabled/default[17]: Errors parsing authorize section. All the best; janis Am 22.07.2016 um 12:27 schrieb Matthew Newton <mcn4@leicester.ac.uk>: On Fri, Jul 22, 2016 at 10:18:10AM +0000, Janis Heller wrote: I’m a newbie to RADIUS. I suggest you read through doc/concepts/aaa.rst. Otherwise you're just guessing where you should put things. I’ve taken a look into my modules folder, there’s no rest module. How can I built this fast? Many of you told me to use rest instead of exec to perform a simple web request to some script. If you've got a "modules" folder then you're using version 2, which is end of life and not supported any more. You need version 3. We would have known this if you'd sent the full output of radiusd -X... authorize { } authenticate { Auth-Type exec { exec } } I get this error all the time (provided username & password are correct) (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject I’m a bit confused about this. I think I only need to use authorize to validate username & password. My accounts won’t have custom permissions etc. That's not the right place for what you are trying to do, and not what I put in the previous e-mails. Put exec in authorize, nothing in authenticate. Make your script output "Auth-Type := Accept" on stdout. This skips the authenticate section and directly accepts the request. Use "output_pairs = config" as well as your existing exec config. It works. I tested it here. No other config changes than those. You still shouldn't use exec like this in production. I suggest you play around with concepts like this first (even if you shouldn't use it) before trying to use something like rest, so that you learn how FreeRADIUS works. And read all the debug output. It shows how packets flow through the server, and which modules are hit when. Debug output in version 3.0.11 is clearer than in version 2. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I’ve found the rest module in the mods-available folder. I placed the sample config into this file and copied it to mods-enabled. Now when I try to start radius (in debug mode) it shows:
/etc/freeradius/mods-enabled/rest[1]: Failed to link to module 'rlm_rest': /usr/lib/freeradius/rlm_rest.so: cannot open shared object file: No such file or directory
the config file is there...but your server was built without rest support. recompile with required libraries/headers present alan
On Fri, Jul 22, 2016 at 01:05:49PM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
I’ve found the rest module in the mods-available folder. I placed the sample config into this file and copied it to mods-enabled. Now when I try to start radius (in debug mode) it shows:
/etc/freeradius/mods-enabled/rest[1]: Failed to link to module 'rlm_rest': /usr/lib/freeradius/rlm_rest.so: cannot open shared object file: No such file or directory
the config file is there...but your server was built without rest support. recompile with required libraries/headers present
Or install the freeradius-rest package if installed from packages. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 22-07-16 15:16, Matthew Newton wrote:
On Fri, Jul 22, 2016 at 01:05:49PM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
I’ve found the rest module in the mods-available folder. I placed the sample config into this file and copied it to mods-enabled. Now when I try to start radius (in debug mode) it shows:
/etc/freeradius/mods-enabled/rest[1]: Failed to link to module 'rlm_rest': /usr/lib/freeradius/rlm_rest.so: cannot open shared object file: No such file or directory
the config file is there...but your server was built without rest support. recompile with required libraries/headers present
Or install the freeradius-rest package if installed from packages.
If that is the case, I would consider it a bug that some package other than freeradius-rest installs mods-available/rest. -- Herwin Weststrate
On Fri, Jul 22, 2016 at 03:27:18PM +0200, Herwin Weststrate wrote:
On 22-07-16 15:16, Matthew Newton wrote:
Or install the freeradius-rest package if installed from packages.
If that is the case, I would consider it a bug that some package other than freeradius-rest installs mods-available/rest.
Possibly. You can probably argue it two ways. All the config is in freeradius-config. And that is optional IIRC. So you can install all the binary packages, and run with your own config, without installing the default config. If module-specific config was in module packages then you could install everything except the -config package, and end up with just little bits of config on your system, which is rather messy. Especially if you've put your own config in the standard location, and installing a module package would then modify your live config. Not sure which is the best way - both seem to have arguments for and against. I think personally I slightly lean towards the current way, but not entirely sure. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
It seems like this will run soon, I can feel it. I use this rest module code right now: rest check_access_rest { connect_timeout = 4.0 connect_uri = "http://IP" authorize { uri = "${..connect_uri}/demo?username=%{User-Name}" method = 'get' } authenticate { } accounting { } post-auth { } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 lifetime = 0 idle_timeout = 60 } } Debug shows this output: (0) check_access_rest: EXPAND http://IP (0) check_access_rest: --> http://IP (0) check_access_rest: EXPAND /demo?username=%{User-Name} (0) check_access_rest: --> /demo?username=testing (0) check_access_rest: Sending HTTP GET to "http://IP/demo?username=testing" (0) check_access_rest: Processing response header (0) check_access_rest: Status : 200 (OK) (0) check_access_rest: Type : json (application/json) (0) check_access_rest: Parsing attribute "Auth-Type" (0) check_access_rest: EXPAND Accept (0) check_access_rest: --> Accept (0) check_access_rest: Auth-Type := Accept rlm_rest (check_access_rest): Released connection (0) rlm_rest (check_access_rest): Need 5 more connections to reach 10 spares rlm_rest (check_access_rest): Opening additional connection (5), 1 of 27 pending slots used rlm_rest (check_access_rest): Connecting to "http://IP" (0) [check_access_rest] = updated (0) } # authorize = updated (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user I only would like to use the authorize function, as far as I understand debug this process is done correctly. But it seems like the authenticate process fails. In my default config I’ve placed this authorize { check_access_rest } authenticate { } How to disable authenticate module so it will not try to start the rest module? It seems to start the module (you can see this in the debug ouput, it only used the IP address, not the „full path“). Regards; janis
Am 22.07.2016 um 16:00 schrieb Matthew Newton <mcn4@leicester.ac.uk>:
On Fri, Jul 22, 2016 at 03:27:18PM +0200, Herwin Weststrate wrote:
On 22-07-16 15:16, Matthew Newton wrote:
Or install the freeradius-rest package if installed from packages.
If that is the case, I would consider it a bug that some package other than freeradius-rest installs mods-available/rest.
Possibly. You can probably argue it two ways.
All the config is in freeradius-config. And that is optional IIRC. So you can install all the binary packages, and run with your own config, without installing the default config.
If module-specific config was in module packages then you could install everything except the -config package, and end up with just little bits of config on your system, which is rather messy. Especially if you've put your own config in the standard location, and installing a module package would then modify your live config.
Not sure which is the best way - both seem to have arguments for and against. I think personally I slightly lean towards the current way, but not entirely sure.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I’ve tried to set: authenticate { Auth-Type = Accept } doesn’t work too. Saying: /etc/freeradius/sites-enabled/default[61]: Entry is not a reference to a module /etc/freeradius/sites-enabled/default[60]: Errors parsing authenticate section Isn’t there a way to turn off this authenticate check? I’m sure my process of checking the login details is failing because of this check. Regards; janis
Am 22.07.2016 um 18:36 schrieb Janis Heller <janis.heller@outlook.de>:
It seems like this will run soon, I can feel it. I use this rest module code right now:
rest check_access_rest { connect_timeout = 4.0
connect_uri = "http://IP"
authorize { uri = "${..connect_uri}/demo?username=%{User-Name}"
method = 'get' } authenticate { }
accounting { } post-auth { }
pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0 lifetime = 0 idle_timeout = 60 } }
Debug shows this output:
(0) check_access_rest: EXPAND http://IP (0) check_access_rest: --> http://IP (0) check_access_rest: EXPAND /demo?username=%{User-Name} (0) check_access_rest: --> /demo?username=testing (0) check_access_rest: Sending HTTP GET to "http://IP/demo?username=testing" (0) check_access_rest: Processing response header (0) check_access_rest: Status : 200 (OK) (0) check_access_rest: Type : json (application/json) (0) check_access_rest: Parsing attribute "Auth-Type" (0) check_access_rest: EXPAND Accept (0) check_access_rest: --> Accept (0) check_access_rest: Auth-Type := Accept rlm_rest (check_access_rest): Released connection (0) rlm_rest (check_access_rest): Need 5 more connections to reach 10 spares rlm_rest (check_access_rest): Opening additional connection (5), 1 of 27 pending slots used rlm_rest (check_access_rest): Connecting to "http://IP" (0) [check_access_rest] = updated (0) } # authorize = updated (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user
I only would like to use the authorize function, as far as I understand debug this process is done correctly. But it seems like the authenticate process fails. In my default config I’ve placed this
authorize { check_access_rest }
authenticate { }
How to disable authenticate module so it will not try to start the rest module? It seems to start the module (you can see this in the debug ouput, it only used the IP address, not the „full path“).
Regards;
janis
Am 22.07.2016 um 16:00 schrieb Matthew Newton <mcn4@leicester.ac.uk>:
On Fri, Jul 22, 2016 at 03:27:18PM +0200, Herwin Weststrate wrote:
On 22-07-16 15:16, Matthew Newton wrote:
Or install the freeradius-rest package if installed from packages.
If that is the case, I would consider it a bug that some package other than freeradius-rest installs mods-available/rest.
Possibly. You can probably argue it two ways.
All the config is in freeradius-config. And that is optional IIRC. So you can install all the binary packages, and run with your own config, without installing the default config.
If module-specific config was in module packages then you could install everything except the -config package, and end up with just little bits of config on your system, which is rather messy. Especially if you've put your own config in the standard location, and installing a module package would then modify your live config.
Not sure which is the best way - both seem to have arguments for and against. I think personally I slightly lean towards the current way, but not entirely sure.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 22, 2016, at 9:34 PM, Janis Heller <janis.heller@outlook.de> wrote:
I’ve tried to set:
authenticate { Auth-Type = Accept }
doesn’t work too.
I think you should STOP trying random things, and instead START reading the messages on this list. And start reading the documentation, and examples that come with the server. You have been told over and over how to fix the issues you're running into. Most of the time, you ignore the help you asked for, and go do something else. Just stop. Alan DeKok.
Sorry, I don’t want to be unreasonable. I understand offering FREE support is requiring some kind of sovereignty from the inquirer. I’ve reread the part about authorization and authentication again. Here’s what I understand, first of all for my purpose I only would need to authorization "check“ of FreeRADIUS, since I don’t implement account roles or special user permissions (the script called by REST module will just accept or deny access for specified user login details). As far as I understand the procedure the authorization “check“ is called first. As seen in the debug log this check returns success to radius (of course only for correct details, meaning the script I wrote is working fine). After the authorization check is successful the authentication check is called. For some reason this check is called, but I won’t need it to be called. In the documentation I only find how to process requests now in the authentication check, but there’s no need for me to do so. Isn’t there an option to return from authorization check, so the authentication check won’t be triggered anymore, in case of success (meaning the authorization accepts the provided user login details)? Regards from Frankfurt/Germany; janis
Am 23.07.2016 um 10:14 schrieb Alan DeKok <aland@deployingradius.com>:
On Jul 22, 2016, at 9:34 PM, Janis Heller <janis.heller@outlook.de> wrote:
I’ve tried to set:
authenticate { Auth-Type = Accept }
doesn’t work too.
I think you should STOP trying random things, and instead START reading the messages on this list. And start reading the documentation, and examples that come with the server.
You have been told over and over how to fix the issues you're running into. Most of the time, you ignore the help you asked for, and go do something else.
Just stop.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
{ “control:Auth-Type”: { "op": ":=", "value": "Accept" } } -Arran
On 23 Jul 2016, at 11:54, Janis Heller <janis.heller@outlook.de> wrote:
Sorry, I don’t want to be unreasonable. I understand offering FREE support is requiring some kind of sovereignty from the inquirer.
Helps if you feed it valid JSON for a start, I guess JSON-C is more forgiving than I would be… You needed to qualify Auth-Type with the destination list. In this case the control list. -Arran
Hoorah, it’s running fine, just as I need it to perform. It’s sad the latest book of FreeRADIUS is soo old. I’m sure there would be more users of FreeRADIUS, if the documentation would be a bit more detailed. It’s just horrible to find out how the „not default“ auth work. -Big thanks to all users who helped. Is there some option to send tips to the project meaning for example for hosting etc. Regards; janis
Am 23.07.2016 um 18:55 schrieb Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
On 23 Jul 2016, at 11:54, Janis Heller <janis.heller@outlook.de> wrote:
Sorry, I don’t want to be unreasonable. I understand offering FREE support is requiring some kind of sovereignty from the inquirer.
Helps if you feed it valid JSON for a start, I guess JSON-C is more forgiving than I would be…
You needed to qualify Auth-Type with the destination list. In this case the control list.
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Which book? 'FreeRADIUS for Beginners' is far more recent and useful alan
On Jul 23, 2016, at 1:16 PM, Janis Heller <janis.heller@outlook.de> wrote:
It’s sad the latest book of FreeRADIUS is soo old. I’m sure there would be more users of FreeRADIUS, if the documentation would be a bit more detailed. It’s just horrible to find out how the „not default“ auth work.
Please describe what you were looking for, and where you looked. From my reading of this lis, you were told to read certain documentation... and didn't. 99% of your questions were answered in the existing documentation and/or the configuration files.
-Big thanks to all users who helped. Is there some option to send tips to the project meaning for example for hosting etc.
The Wiki is publicly editable. Please also suggest how we can get people to read the documentation we've already written. Alan DeKok.
Or install the freeradius-rest package if installed from packages.
If that is the case, I would consider it a bug that some package other than freeradius-rest installs mods-available/rest.
True that. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
After installing the package and saving all configs my default config looks like: authorize { check_access_rest } authenticate { } I’ve created a rest file in the mods-enabled folder and placed the following content into: rest check_access_rest { connect_uri = "http://pastebin.com/raw/WuVWAEZQ" connect_timeout = 4.0 authorize { uri = "${..connect_uri}/auth/%{User-Name}" method = 'get' } authenticate { } accounting { } post-auth { } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 lifetime = 0 idle_timeout = 60 } } The rest script itself looks like: rest check_access_rest { connect_timeout = 4.0 authorize { uri = "http://192.99.59.135/demo" method = 'get' } authenticate { } accounting { } post-auth { } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 lifetime = 0 idle_timeout = 60 } } This results in the following ouput, when making a demo request: rlm_rest (check_access_rest): Reserved connection (1) (1) check_access_rest: Expanding URI components (1) check_access_rest: EXPAND http://192.99.59.135 (1) check_access_rest: --> http://192.99.59.135 (1) check_access_rest: EXPAND /demo (1) check_access_rest: --> /demo (1) check_access_rest: Sending HTTP GET to "http://192.99.59.135/demo" (1) check_access_rest: Processing response header (1) check_access_rest: Status : 200 (OK) (1) check_access_rest: Type : json (application/json) (1) check_access_rest: Parsing attribute "Auth-Type" (1) check_access_rest: EXPAND Accept (1) check_access_rest: --> Accept (1) check_access_rest: Auth-Type := Accept rlm_rest (check_access_rest): Released connection (1) rlm_rest (check_access_rest): Need 4 more connections to reach 10 spares rlm_rest (check_access_rest): Opening additional connection (6), 1 of 26 pending slots used rlm_rest (check_access_rest): Connecting to "http://pastebin.com/raw/WuVWAEZQ" (1) [check_access_rest] = updated (1) } # authorize = updated (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> testing
From my point of view server should allow each connection at the moment, since my PHP script will return the JSON to accept all the time.
reagrds; janis
Am 22.07.2016 um 15:16 schrieb Matthew Newton <mcn4@leicester.ac.uk>:
On Fri, Jul 22, 2016 at 01:05:49PM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
I’ve found the rest module in the mods-available folder. I placed the sample config into this file and copied it to mods-enabled. Now when I try to start radius (in debug mode) it shows:
/etc/freeradius/mods-enabled/rest[1]: Failed to link to module 'rlm_rest': /usr/lib/freeradius/rlm_rest.so: cannot open shared object file: No such file or directory
the config file is there...but your server was built without rest support. recompile with required libraries/headers present
Or install the freeradius-rest package if installed from packages.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I’ve reread your post, here’s my current config:
authorize { Auth-Type exec { exec } }
authorise { exec }
/etc/freeradius/sites-enabled/default[18]: Failed to find "Auth-Type" as a module or policy. /etc/freeradius/sites-enabled/default[18]: Please verify that the configuration exists in /etc/freeradius/mods-enabled/Auth-Type. /etc/freeradius/sites-enabled/default[17]: Errors parsing authorize section.
please send more output, these minimal outputs are not enough for help. what its your PHP script now returning? rest module is in mods-available/ directory if server built with rest support (ie required dev/libraries around) alan
Hi,
But he was probably being a bit too kind about PHP.
;-) oh you guys! ;-) regarding the query - info/advice provided (all covered in the docs/configs...but hey) to get the exec function working as requested.....but far more important advice given to not use exec. please heed that advice from people who are experts in this stuff and have experienced scaling issues etc themselves (and seen so many complaints about scaling in this list.... "my RADIUS server was fine but we've got a few more NAS and things dont work...I use the exec module to call a script..." ) :/ alan
participants (9)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Herwin Weststrate -
Janis Heller -
Matthew Newton -
Pshem Kowalczyk -
Stefan Paetow