using external script in virtual server config
Hi list, currently i'm using freeradius-2.2.5 with an external authentication script for clear-text and ntlm requests. the setup is described here: https://www.otpme.org/redmine/projects/otpme/wiki/Freeradius_Example_Configu... i have two questions regarding this setup. 1. for clear-text requests i always get "Auth: Invalid user: [heiko.baumann" on authentication failure. for ntlm request an "Auth: Login incorrect" is logged. i was using the script (exec) module before which logged "Auth: Login incorrect" on failure but i liked the idea of having the complete config in the virtual host file. i also tried to call my script from the authenticate section of my vhost but this was not working. 2. is it possible to call the script for ntlm/mschap authentication from the vhost config? currently its called from the mschap module. both are just cosmetic issues but it would be great to have everything in on file. :) also it would be great if someone with good freeradius skills could have a look at the example config because i'm not sure if its the best way to do external authentication with freeradius. regards the2nd
On Jan 16, 2015, at 10:28 AM, the2nd@otpme.org wrote:
i have two questions regarding this setup.
1. for clear-text requests i always get "Auth: Invalid user: [heiko.baumann" on authentication failure. for ntlm request an "Auth: Login incorrect" is logged. i was using the script (exec) module before which logged "Auth: Login incorrect" on failure but i liked the idea of having the complete config in the virtual host file.
The log messages are different because we haven’t double-checked all of them. It shouldn’t be much of a problem, though.
i also tried to call my script from the authenticate section of my vhost but this was not working.
See the FAQ for “it doesn’t work”.
2. is it possible to call the script for ntlm/mschap authentication from the vhost config? currently its called from the mschap module.
The MS-CHAP module calls ntlm_auth. You *cannot* put that configuration into the virtual server.
both are just cosmetic issues but it would be great to have everything in on file. :)
Each piece of the configuration exists for a reason. They exist as independent pieces for a reason. Jamming them together in one file means you won’t be able to tell them apart.. and they won’t work.
also it would be great if someone with good freeradius skills could have a look at the example config because i'm not sure if its the best way to do external authentication with freeradius.
If authentication works, then you have a working configuration. Alan DeKok.
Okay thanks for the explanation. Here is the configuration that works for me: authorize { if (!control:Auth-Type) { update control { Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}` } } But is this the correct way to call an external script? I thought it should be done in the authenticate section. But if i try it with the config below it does not work: authorize { if (!control:Auth-Type) { update control { Auth-Type := OTPme } } authenticate { Auth-Type OTPme { update control { Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}` } } radiusd -X shows the following: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 52764, id=187, length=58 User-Name = "testuser" User-Password = "2b3491" NAS-Identifier = "SSO" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] No EAP-Message, not doing EAP ++[eap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> TRUE ++? if (!control:Auth-Type) -> TRUE ++if (!control:Auth-Type) { +++update control { +++} # update control = noop ++} # if (!control:Auth-Type) = noop +} # group authorize = noop Found Auth-Type = OTPme # Executing group from file /etc/raddb/sites-enabled/otpme +group OTPme { ++update control { expand: %{User-Name} -> testuser expand: %{User-Password} -> 2b3491 expand: %{NAS-Identifier} -> SSO expand: %{Client-IP-Address} -> 192.168.1.1 Exec output: Accept Exec plaintext: Accept Exec: program returned: 0 ++} # update control = noop +} # group OTPme = noop Failed to authenticate the user. Login incorrect: [testuser] (from client radius1 port 0) } # server otpme Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.7 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 187 to 192.168.1.1 port 52764 Waking up in 4.9 seconds. i'm sorry if this is a dumb question. i've mostly read the documentation and also some howtos. but im still not clear about whats the right way to do it... regards the2nd On 2015-01-16 16:46, Alan DeKok wrote:
On Jan 16, 2015, at 10:28 AM, the2nd@otpme.org wrote:
i have two questions regarding this setup.
1. for clear-text requests i always get "Auth: Invalid user: [heiko.baumann" on authentication failure. for ntlm request an "Auth: Login incorrect" is logged. i was using the script (exec) module before which logged "Auth: Login incorrect" on failure but i liked the idea of having the complete config in the virtual host file.
The log messages are different because we haven’t double-checked all of them. It shouldn’t be much of a problem, though.
i also tried to call my script from the authenticate section of my vhost but this was not working.
See the FAQ for “it doesn’t work”.
2. is it possible to call the script for ntlm/mschap authentication from the vhost config? currently its called from the mschap module.
The MS-CHAP module calls ntlm_auth. You *cannot* put that configuration into the virtual server.
both are just cosmetic issues but it would be great to have everything in on file. :)
Each piece of the configuration exists for a reason. They exist as independent pieces for a reason. Jamming them together in one file means you won’t be able to tell them apart.. and they won’t work.
also it would be great if someone with good freeradius skills could have a look at the example config because i'm not sure if its the best way to do external authentication with freeradius.
If authentication works, then you have a working configuration.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 16, 2015, at 1:32 PM, the2nd@otpme.org wrote:
Okay thanks for the explanation.
Here is the configuration that works for me:
authorize { if (!control:Auth-Type) { update control { Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}` } }
To be clear: You’re setting the value of Auth-Type based on the script.
But is this the correct way to call an external script? I thought it should be done in the authenticate section. But if i try it with the config below it does not work:
authorize { if (!control:Auth-Type) { update control { Auth-Type := OTPme } }
authenticate { Auth-Type OTPme { update control { Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}` } }
Auth-Type says which subsection to use for the “authenticate” section. Setting Auth-Type *inside* of “authenticate” makes no sense,. Alan DeKok.
On 2015-01-18 04:29, Alan DeKok wrote:
On Jan 16, 2015, at 1:32 PM, the2nd@otpme.org wrote:
Okay thanks for the explanation.
Here is the configuration that works for me:
authorize { if (!control:Auth-Type) { update control { Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}` } }
To be clear: You’re setting the value of Auth-Type based on the script.
ok. my script returns "Accept" and "Reject" and it works without any problems. but is it okay to use it this way to authenticate users with an external script? are there any drawbacks using it this way and not using the script/exec module? i also found some hints about rlm_python and as my script is written in python it may be a good idea using rlm_python. are there any benefits, beneath better performance, using rlm_python? regards the2nd
On Jan 18, 2015, at 6:18 AM, the2nd@otpme.org wrote:
ok. my script returns "Accept" and "Reject" and it works without any problems. but is it okay to use it this way to authenticate users with an external script? are there any drawbacks using it this way and not using the script/exec module?
You’re putting passwords on the command-line, where everyone can see them. That’s not always a good idea. And it’s slow.
i also found some hints about rlm_python and as my script is written in python it may be a good idea using rlm_python. are there any benefits, beneath better performance, using rlm_python?
rlm_python will likely be faster than executing a separate script. Alan DeKok.
hi, today i've written an python module for use with rlm_python and it works great for clear-text requests. but i dont know how to handle ntlm/mschap requests. my current config looks like this: authenticate { Auth-Type EAP { eap } Auth-Type MS-CHAP { otpme_ntlm } Auth-Type OTPme { otpme } } authorize { eap if (!control:Auth-Type) { update control { Auth-Type := OTPme } } } mschap otpme_ntlm { ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'" } python otpme { module = freeradius mod_instantiate = ${.module} func_instantiate = instantiate mod_detach = ${.module} func_detach = instantiate mod_authenticate = ${.module} func_authenticate = authenticate } any help is appreciated.... the2nd On 2015-01-18 15:55, Alan DeKok wrote:
On Jan 18, 2015, at 6:18 AM, the2nd@otpme.org wrote:
ok. my script returns "Accept" and "Reject" and it works without any problems. but is it okay to use it this way to authenticate users with an external script? are there any drawbacks using it this way and not using the script/exec module?
You’re putting passwords on the command-line, where everyone can see them. That’s not always a good idea. And it’s slow.
i also found some hints about rlm_python and as my script is written in python it may be a good idea using rlm_python. are there any benefits, beneath better performance, using rlm_python?
rlm_python will likely be faster than executing a separate script.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 25, 2015, at 1:15 PM, the2nd@otpme.org wrote:
today i've written an python module for use with rlm_python and it works great for clear-text requests. but i dont know how to handle ntlm/mschap requests.
You don’t. FreeRADIUS implements MS-CHAP. You don’t want to re-implement that in python. What do you want to do with the OTP and MS-CHAP? Alan DeKok.
participants (2)
-
Alan DeKok -
the2nd@otpme.org