Hi everyone, I have been trying to get RADIUS to run a perl script which would authenticate users (and yes I have tried rlm_perl but I decided against it). So far all I have in the perl script itself is ------------------------------------ #!/usr/bin/perl use strict; use Data::Dumper; exit 3; ---------------------------------- This is what my debug output says when I run radtest: rad_recv: Access-Request packet from host 127.0.0.1 port 33397, id=236, length=56 User-Name = "matt" User-Password = "testing" NAS-IP-Address = 127.0.0.1 NAS-Port = 1645 +- entering group authorize Exec-Program output: Exec-Program: returned: 3 ++[exec] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [matt/testing] (from client localhost port 1645) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> matt attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds ------------------------------------------------------------------------------------------------- This is what I have in my radiusd.conf authorize { exec } authentication { Auth-Type Exec { exec } } ----------------------------------------------------------------------------------------------- I would think this should let all users pass through but it doesnt seem to be doing that. What am I missing here? Thanks in advance for your help, -- Tauseef
T Kid82 wrote:
I have been trying to get RADIUS to run a perl script which would authenticate users (and yes I have tried rlm_perl but I decided against it).
Why? It is *much* more efficient than exec'ing a program. ...
Exec-Program output: Exec-Program: returned: 3 ++[exec] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
That would seem to be clear.
This is what I have in my radiusd.conf
authorize { exec }
authentication { Auth-Type Exec { exec }
You have put significant effort into butchering the default configuration. Why?
I would think this should let all users pass through but it doesnt seem to be doing that. What am I missing here?
Why would this let all users through? The debug output is clear: you didn't set Auth-Type. So authentication fails. The default configuration Just Does the Right Thing. If you're going to drastically edit the configuration, then you need to understand how the server works. In this case, fix the problem printed out by the debug log: set Auth-Type. If you think this isn't necessary, then you need to spend more time understanding how the server works. Alan DeKok.
You have put significant effort into butchering the default configuration. Why?
I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says, "An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script." authorize { ... exec ... } I also added exec { program = "/usr/local/etc/raddb/authenticate" wait = yes input_pairs = request output_pairs = reply } to my radiusd.conf which is also from the comments in exec-program-wait
Why would this let all users through? I thought that since I am always returning 3 to the server, that this would let all users pass through.
you didn't set Auth-Type Where do I set the Auth-Type. Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.
If you think this isn't necessary, then you need to spend more time understanding how the server works. I dont know either way. Thats why I decided to mail the list. I have looked through quite a bit of documentation but I didnt find much on this particular module
On Wed, Mar 19, 2008 at 1:17 AM, Alan DeKok <aland@deployingradius.com> wrote:
T Kid82 wrote:
I have been trying to get RADIUS to run a perl script which would authenticate users (and yes I have tried rlm_perl but I decided against it).
Why? It is *much* more efficient than exec'ing a program. ...
Exec-Program output: Exec-Program: returned: 3 ++[exec] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
That would seem to be clear.
This is what I have in my radiusd.conf
authorize { exec }
authentication { Auth-Type Exec { exec }
You have put significant effort into butchering the default configuration. Why?
I would think this should let all users pass through but it doesnt seem to be doing that. What am I missing here?
Why would this let all users through? The debug output is clear: you didn't set Auth-Type. So authentication fails.
The default configuration Just Does the Right Thing. If you're going to drastically edit the configuration, then you need to understand how the server works. In this case, fix the problem printed out by the debug log: set Auth-Type. If you think this isn't necessary, then you need to spend more time understanding how the server works.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 19, 2008, at 11:34, T Kid82 wrote:
You have put significant effort into butchering the default configuration. Why?
I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says,
"An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."
authorize { ... exec ... }
I also added
exec { program = "/usr/local/etc/raddb/authenticate" wait = yes input_pairs = request output_pairs = reply }
to my radiusd.conf which is also from the comments in exec-program- wait
Why would this let all users through? I thought that since I am always returning 3 to the server, that this would let all users pass through.
you didn't set Auth-Type Where do I set the Auth-Type. Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.
If you think this isn't necessary, then you need to spend more time understanding how the server works. I dont know either way. Thats why I decided to mail the list. I have looked through quite a bit of documentation but I didnt find much on this particular module
Its not obvious what you are really trying to accomplish. However, I suspect you would like to use your own special criteria for determining if access should be permitted. rlm_exec is a very inefficent way to do that. You can make it work, but it will require extensive forks and perform rather poorly. rlm_perl works a whole lot better. However, if you are really concerned about performance, you should consider rolling your own module. There is an example of how to do that in the wiki. That will give you the best performance as you will not incur the perl overhead either. There is a really big difference between authorization and authentication modules. Creating an authorization module is probably all you need to do. Authentication modules require much more than just including them in the list of authentication modules. I understand that you also might have to modify the base radiusd code for them in addition to creating a module that requires some very special structuring. Freeradius separates the concepts of authentication from authorization to relieve you of the details of some of the very complex authentication schemes. Generally all you need to deal with is authorization. If you use the default authentication setup, radiusd will figure out which method to use and take care of it. If you are going to make major mods to the configuration, you will need to start reading the source code. There just isn't that much documented beyond that.
T Kid82 wrote:
I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says,
"An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."
Yes... but from the debug output you posted, it looks like you deleted everything *else*.
Why would this let all users through? I thought that since I am always returning 3 to the server, that this would let all users pass through.
Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".
you didn't set Auth-Type Where do I set the Auth-Type. Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.
You set Auth-Type just like setting any other attribute. See "man unlang" for examples. Alan DeKok.
Yes... but from the debug output you posted, it looks like you deleted everything *else*
The debug output I pasted was not in its entirety. I did not paste any preceding output since it looked fine to me. No errors.
Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".
That is a revelation to me.
You set Auth-Type just like setting any other attribute. See "man unlang" for examples.
I will definitely look through the documentation. Is there a specfic Auth-Type that would be appropriate for my simple case. I guess what I am asking is, can you give me an example of an Auth-Type other than the Perl example? On Wed, Mar 19, 2008 at 1:59 PM, Alan DeKok <aland@deployingradius.com> wrote:
T Kid82 wrote:
I got this from the comments in exec-program-wait (which has been deprecated) where it explains how to use rlm_exec. It says,
"An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."
Yes... but from the debug output you posted, it looks like you deleted everything *else*.
Why would this let all users through? I thought that since I am always returning 3 to the server, that this would let all users pass through.
Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".
you didn't set Auth-Type Where do I set the Auth-Type. Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.
You set Auth-Type just like setting any other attribute. See "man unlang" for examples.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
T Kid82 wrote:
Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".
That is a revelation to me.
A simple explanation: There are many modules that are executed for each authentication request. If "ok" meant "let the user in", then *any* time a module worked, it would let the user in. This just doesn't make sense.
You set Auth-Type just like setting any other attribute. See "man unlang" for examples.
I will definitely look through the documentation. Is there a specfic Auth-Type that would be appropriate for my simple case. I guess what I am asking is, can you give me an example of an Auth-Type other than the Perl example?
If you want your "exec" module to be run, create an Auth-Type for it. This is the purpose of the Auth-Type sub-sections of "authenticate". Alan DeKok.
participants (3)
-
Alan DeKok -
Doug Hardie -
T Kid82