XT Radius to Free Radius
Hi I am currently trying to migrate XT Radius to Freeradius and running into a few problems when trying to run an External Script. The external script in XT Radius checks the username and password against a postgres database and if username and password match it returns the details for that user e.g. IP address, Framed-Address etc etc. We are using the default xradiusd.conf file with the port number changed to 1645. We have changed the users file to the following: DEFAULT Auth-Type := External Exec-Program = "/etc/raddb/checkpassword.pl %u %{User-Password}" If we run the scipt manually it works as expected with IP address etc etc returned. These details are stored in our postgres database. We are using the Ntradping tool as suggested by the radius book. When we startup radius using radiusd -X we get the following errors. Does anyone have any ideas what we are doing wrong? Thanks in advance. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1645 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1645 Listening on accounting *:1646 Listening on proxy *:1647 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1:1926, id=4, length=68 User-Name = "user@adslgateway.co.uk" User-Password = "test" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "adslgateway.co.uk" for User-Name = "user@adslgateway.co.uk" rlm_realm: No such realm "adslgateway.co.uk" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched DEFAULT at 4 radius_xlat: '/etc/raddb/checkpassword.pl user@adslgateway.co.uk test' modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 4 to 192.168.1.1:1926 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 4 with timestamp 44fe9d6f Nothing to do. Sleeping until we see a request.
relists <relists@cqm.co.uk> wrote:
The external script in XT Radius checks the username and password against a postgres database and if username and password match it returns the details for that user e.g. IP address, Framed-Address etc etc.
We are using the default xradiusd.conf file with the port number changed to 1645. We have changed the users file to the following:
DEFAULT Auth-Type := External Exec-Program = "/etc/raddb/checkpassword.pl %u %{User-Password}"
You should use "Auth-Type := Accept" here. That should work. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
relists <relists@cqm.co.uk> wrote:
The external script in XT Radius checks the username and password against a postgres database and if username and password match it returns the details for that user e.g. IP address, Framed-Address etc etc.
We are using the default xradiusd.conf file with the port number changed to 1645. We have changed the users file to the following:
DEFAULT Auth-Type := External Exec-Program = "/etc/raddb/checkpassword.pl %u %{User-Password}"
You should use "Auth-Type := Accept" here. That should work.
Alan DeKok.
Hi, thanks for the reply. The problem with your suggestion is that you can enter the wrong password and it will still authenticate you. We need this to obviously accept when the password is correct and reject when the password is incorrect.
relists <relists@cqm.co.uk> wrote:
The problem with your suggestion is that you can enter the wrong password and it will still authenticate you. We need this to obviously accept when the password is correct and reject when the password is incorrect.
Really? I thought I understood how the server works. Please go try my suggestion. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
relists <relists@cqm.co.uk> wrote:
The problem with your suggestion is that you can enter the wrong password and it will still authenticate you. We need this to obviously accept when the password is correct and reject when the password is incorrect.
Really? I thought I understood how the server works.
Please go try my suggestion.
Alan DeKok. --
We did try your suggestion before posting back and you can enter any pasword and it will accept it. We tried it again and here is the output: rad_recv: Access-Request packet from host 192.168.1.1:1224, id=1, length=84 User-Name = "user@adslgateway.co.uk" User-Password = "kjhtlhrfrdjkshgfdhkgj" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: Looking up realm "adslgateway.co.uk" for User-Name = "user@adslgateway.co.uk" rlm_realm: No such realm "adslgateway.co.uk" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched DEFAULT at 4 radius_xlat: '/etc/raddb/checkpassword.pl user@adslgateway.co.uk kjhtlhrfrdjkshgfdhkgj' modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user radius_xlat: '/etc/raddb/checkpassword.pl user@adslgateway.co.uk kjhtlhrfrdjkshgfdhkgj' Exec-Program: /etc/raddb/checkpassword.pl user@adslgateway.co.uk kjhtlhrfrdjkshgfdhkgj Sending Access-Accept of id 1 to 192.168.1.1:1224 Finished request 1 You will note that from our original post our password was "test". Any ideas? Thanks
relists <relists@cqm.co.uk> wrote:
We did try your suggestion before posting back and you can enter any pasword and it will accept it. We tried it again and here is the output:
Yes... because your "Exec-Program-Wait" script is supposed to do the authentication. It is accepting the user with a bad password. Fix it. And you *do* have to use Exec-Program-Wait. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi, I just looked at it in 1.1.3. I found the same behaviour you noted, when the script had not the execute permission. If you put the equivalent into an exec stanza in the main config file, that does loudly complain about not being able to run the script and then denies access therefore. After fixing that, I retried with users file again and then it behaved as wanted, allowing on exit code 0, denying on other codes (ok, just tested -1). hth K. Hoercher
Hi,
We did try your suggestion before posting back and you can enter any pasword and it will accept it. We tried it again and here is the output:
rad_recv: Access-Request packet from host 192.168.1.1:1224, id=1, length=84 User-Name = "user@adslgateway.co.uk" User-Password = "kjhtlhrfrdjkshgfdhkgj" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: Looking up realm "adslgateway.co.uk" for User-Name = "user@adslgateway.co.uk" rlm_realm: No such realm "adslgateway.co.uk" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched DEFAULT at 4 radius_xlat: '/etc/raddb/checkpassword.pl user@adslgateway.co.uk kjhtlhrfrdjkshgfdhkgj' modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user radius_xlat: '/etc/raddb/checkpassword.pl user@adslgateway.co.uk kjhtlhrfrdjkshgfdhkgj' Exec-Program: /etc/raddb/checkpassword.pl user@adslgateway.co.uk kjhtlhrfrdjkshgfdhkgj Sending Access-Accept of id 1 to 192.168.1.1:1224 Finished request 1
You will note that from our original post our password was "test".
Any ideas?
Well, according to the README you should be using Exec-Program-Wait, not Exec-Program. Then your script must simply return with a non-zero return code if his password is wrong and the user will be denied access. For your convenience, here's the relevant section of the README file that accompanies FreeRADIUS: The output from Exec-Program-Wait is parsed by the radius server. If it looks like Attribute/Value pairs, they are decoded and added to the reply sent to the NAS. This way, you can for example set Session-Timeout. If Exec-Program-Wait returns a non-zero exit status, access will be denied to the user. With a zero-exit status, access is granted. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
participants (4)
-
Alan DeKok -
K. Hoercher -
relists -
Stefan Winter