Problem with external authentication script
Hello. I have some trouble to call an external authentication script in freeradius. I want to use MOTP for authentication. MOTP uses a shell-script (/usr/local/bin/otpverify.sh) to verify the given password. The script needs five arguments (User, One-Time-Password, Secret, PIN and Offset). My system is a fresh installation of freeradius on a Debian/Lenny system. I did the following changes on the following config-files: 1. A new dictionary-file (included in /etc/freeradius/dictionary): /etc/freeradius/dictionary.motp ------------------------------- ATTRIBUTE Secret 960 string ATTRIBUTE PIN 961 string ATTRIBUTE Offset 962 string 2. A new module in /etc/freeradius/radiusd.conf (modules-section): ---------------------------- [...] exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{Secret} %{PIN} %{Offset}" input_pairs = request output_pairs = config } [...] 3. /etc/freeradius/sites-enabled/default (section authenticate) ------------------------------------- [...] Auth-Type MOTP { motp } 4. /etc/freeradius/users --------------------- DEFAULT Auth-Type = Accept Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}'", Fall-Through = Yes stefan Secret = 143a5c6fa125ac1f, PIN = 1234, Offset = 0 The main-problem is: freeradius didn't call the script with all the needed arguments - so the authentication failes: [...] expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}' -> /usr/local/bin/otpverify.sh 'stefan' '123' '' '' '' [...] Can anybody tell me where I did the mistake in my configuration ?? Thanks a lot Stefan P.S. Here is the complete debugging output: FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Sep 7 2008 at 17:42:33 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.82.41 { require_message_authenticator = no secret = "testing123" } client 192.168.82.40 { require_message_authenticator = no secret = "testing123" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Instantiating motp exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{Secret} %{PIN} %{Offset}" input_pairs = "request" output_pairs = "config" shell_escape = yes } Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support. rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support. rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support. Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=43, length=78 User-Name = "stefan" User-Password = "123" Service-Type = Authenticate-Only NAS-Identifier = "ubuntu.kuegler.org" NAS-IP-Address = 192.168.82.40 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "stefan", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated users: Matched entry DEFAULT at line 2 expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}' -> /usr/local/bin/otpverify.sh 'stefan' '123' '' '' '' users: Matched entry stefan at line 9 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Login OK: [stefan/123] (from client 192.168.82.40 port 0) +- entering group post-auth Exec-Program output: FAIL Exec-Program-Wait: plaintext: FAIL Exec-Program: returned: 3 Login incorrect (external check said so) ++[exec] returns reject Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> stefan attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=43, length=78 Waiting to send Access-Reject to client 192.168.82.40 port 1026 - ID: 43 Sending delayed reject for request 0 Sending Access-Reject of id 43 to 192.168.82.40 port 1026 Waking up in 4.9 seconds.
Stefan Kuegler wrote:
I want to use MOTP for authentication. MOTP uses a shell-script (/usr/local/bin/otpverify.sh) to verify the given password. The script needs five arguments (User, One-Time-Password, Secret, PIN and Offset).
Where do those arguments come from?
My system is a fresh installation of freeradius on a Debian/Lenny system.
I did the following changes on the following config-files:
1. A new dictionary-file (included in /etc/freeradius/dictionary): /etc/freeradius/dictionary.motp ------------------------------- ATTRIBUTE Secret 960 string ATTRIBUTE PIN 961 string ATTRIBUTE Offset 962 string
That defines the attributes. Now, where do the values get populated?
2. A new module in /etc/freeradius/radiusd.conf (modules-section): ---------------------------- [...] exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{Secret} %{PIN} %{Offset}" input_pairs = request output_pairs = config } [...]
The %{...} syntax replaces the given string with the *value* of the named attributed. Where are you setting these values?
The main-problem is: freeradius didn't call the script with all the needed arguments - so the authentication failes:
[...] expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}' -> /usr/local/bin/otpverify.sh 'stefan' '123' '' '' ''
Because you haven't define any values for those attributes. Alan DeKok.
Hi Alan.
I want to use MOTP for authentication. MOTP uses a shell-script (/usr/local/bin/otpverify.sh) to verify the given password. The script needs five arguments (User, One-Time-Password, Secret, PIN and Offset).
Where do those arguments come from? OK - that's what I forgot to say. The first two arguments (user and password) come directly from the user. The next three arguments (secret, pin and offset) are per-user-values. So I wanted to configure these values in the 'users'-file (/etc/freeradius/users)
For example: [...] user1 Secret = 143a5c6fa125ac1f, PIN = 1234, Offset = 0
My system is a fresh installation of freeradius on a Debian/Lenny system.
I did the following changes on the following config-files:
1. A new dictionary-file (included in /etc/freeradius/dictionary): /etc/freeradius/dictionary.motp ------------------------------- ATTRIBUTE Secret 960 string ATTRIBUTE PIN 961 string ATTRIBUTE Offset 962 string
That defines the attributes. Now, where do the values get populated?
In the users file (see above).
2. A new module in /etc/freeradius/radiusd.conf (modules-section): ---------------------------- [...] exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{Secret} %{PIN} %{Offset}" input_pairs = request output_pairs = config } [...]
The %{...} syntax replaces the given string with the *value* of the named attributed. Where are you setting these values?
Also in the users file.
The main-problem is: freeradius didn't call the script with all the needed arguments - so the authentication failes:
[...] expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}' -> /usr/local/bin/otpverify.sh 'stefan' '123' '' '' ''
Because you haven't define any values for those attributes.
Can you tell me, where I have to define them ?? Thank you very much, Stefan
I want to use MOTP for authentication. MOTP uses a shell-script (/usr/local/bin/otpverify.sh) to verify the given password. The script needs five arguments (User, One-Time-Password, Secret, PIN and Offset). Where do those arguments come from? OK - that's what I forgot to say. The first two arguments (user and password) come directly from the user. The next three arguments (secret, pin and offset) are per-user-values. So I wanted to configure these values in the 'users'-file (/etc/freeradius/users)
For example: [...] user1 Secret = 143a5c6fa125ac1f, PIN = 1234, Offset = 0 ...
The %{...} syntax replaces the given string with the *value* of the named attributed. Where are you setting these values? Also in the users file.
Well, if that is your user entry, you haven't set those attributes. They are configured as reply, not check attributes. Should be something like: user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0 Ivan Kalik Kalik Informatika ISP
Stefan Kuegler wrote:
OK - that's what I forgot to say. The first two arguments (user and password) come directly from the user. The next three arguments (secret, pin and offset) are per-user-values. So I wanted to configure these values in the 'users'-file (/etc/freeradius/users)
For example: [...] user1 Secret = 143a5c6fa125ac1f, PIN = 1234, Offset = 0
So... they are REPLY attributes. See "man unlang" for how to refer to attributes in the reply list. %{Secret} isn't it. Alan DeKok.
Hi Alan.
Stefan Kuegler wrote:
OK - that's what I forgot to say. The first two arguments (user and password) come directly from the user. The next three arguments (secret, pin and offset) are per-user-values. So I wanted to configure these values in the 'users'-file (/etc/freeradius/users)
For example: [...] user1 Secret = 143a5c6fa125ac1f, PIN = 1234, Offset = 0
So... they are REPLY attributes. See "man unlang" for how to refer to attributes in the reply list. %{Secret} isn't it.
OK. I think, I have to use the word "reply" to use these attributes. I changed my config-files accordingly. /etc/freeradius/radiusd.conf (modules-section): exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}" input_pairs = request output_pairs = config } /etc/freeradius/users: DEFAULT Auth-Type = Accept Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'", Fall-Through = Yes user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0 I hope that these changes are correct ?? But this is the part of the debug-log after a new test. When the script has been called by freeradius, you can see, that the needed arguments Secret, PIN, Offset) are still missing. [...] expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}' -> /usr/local/bin/otpverify.sh 'user1' 'secret' '' '' '' [...] Any ideas ?? Best regards, Stefan
exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}" input_pairs = request output_pairs = config }
You have changed them to reply items ...
/etc/freeradius/users: DEFAULT Auth-Type = Accept Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'", Fall-Through = Yes
user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0
... but configured them as check items. Revert to original exec line and place user entry *above* DEFAULT entry. Ivan Kalik Kalik Informatika ISP
Hi Ivan.
exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}" input_pairs = request output_pairs = config }
You have changed them to reply items ...
/etc/freeradius/users: DEFAULT Auth-Type = Accept Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'", Fall-Through = Yes
user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0
... but configured them as check items. Revert to original exec line and place user entry *above* DEFAULT entry.
Thanks for your advice. I configured the users-file described above, but it didn't work. Now I can see, that freeradius never calls the external script. It seems, that freeradius never uses the "MOTP"-Auth-type: [...] Ready to process requests. rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=109, length=78 User-Name = "user1" User-Password = "secret" Service-Type = Authenticate-Only NAS-Identifier = "debian.local" NAS-IP-Address = 192.168.82.40 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated users: Matched entry user1 at line 3 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "secret" rlm_pap: Using CRYPT encryption. rlm_pap: Passwords don't match ++[pap] returns reject auth: Failed to validate the user. Login incorrect (rlm_pap: CRYPT password check failed): [user1/secret] (from client 192.168.82.40 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=109, length=78 Waiting to send Access-Reject to client 192.168.82.40 port 1026 - ID: 109 Sending delayed reject for request 0 Sending Access-Reject of id 109 to 192.168.82.40 port 1026 Waking up in 4.9 seconds. Cleaning up request 0 ID 109 with timestamp +17 Ready to process requests. Do I need to configure something in the authorize-section or somewhere else ?? Thank you for your help. Stefan
On Mon, 15 Jun 2009, Stefan Kuegler wrote:
exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}" input_pairs = request output_pairs = config }
Silly thought: The exec is named 'mopt' with an 'm'. But your script is 'optverify' with no 'm'. Just want to be sure that's not a silly typo.... :)
It seems, that freeradius never uses the "MOTP"-Auth-type: auth: type "PAP" +- entering group PAP
Not an expert on motp. But should it be mistaken for 'PAP'? Perhaps you need to put your check for 'motp' in the auth section *before* PAP? Or remove the reference to PAP altogether if you never use it....?
Do I need to configure something in the authorize-section or somewhere else ??
A line with the single word 'motp', probably just above the 'pap' line, if tht is causing trouble.... - Charles
On Mon, 15 Jun 2009, Stefan Kuegler wrote:
exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}" input_pairs = request output_pairs = config } It seems, that freeradius never uses the "MOTP"-Auth-type: auth: type "PAP" +- entering group PAP
Not an expert on motp. But should it be mistaken for 'PAP'?
It got "mistaken" for pap because user1 line in users file had a crypt password in it (I don't know what it's doing there - probably shouldn't be).
Perhaps you need to put your check for 'motp' in the auth section *before* PAP?
Forcing Auth-Type in users file should work. If you need both pap (password known to the server) and MOTP (password to be verified by external script) working user entry can be replaced with unlang statement after pap in authorize (both can't be made to work in 1.x).
Or remove the reference to PAP altogether if you never use it....?
The policy of the list is "that you should make minimal changes to default configuration until you make things work; then remove one by one things you think you don't need, making sure everything you need still works". In that way, if you mess up it is easy to backtrack. Listing motp in authorize before pap is likely to achieve - nothing. There is nothing to suggest that something called "otpverify" can set Auth-Type to MOTP. So, better not go that way. Ivan Kalik Kalik Informatika ISP
Hello Ivan.
Forcing Auth-Type in users file should work. Thanks for this advice. I changed my users file to use MOTP as the DEFAULT-Auth-Type (first entry of the users file).
/etc/freeradius/users --------------------- DEFAULT Auth-Type = MOTP Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}'", Fall-Through = yes user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0 This part of my problem seems to be solved. Freeradius now uses MOTP as the Auth-Type. But the "old" problem is always present: freeradius doesn't call the external authentication script (otpverify.sh) with the needed arguments (Secret, PIN and Offset): [...] Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=35, length=77 User-Name = "user1" User-Password = "secret" Service-Type = Authenticate-Only NAS-Identifier = "linux.local" NAS-IP-Address = 192.168.82.40 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound users: Matched entry DEFAULT at line 2 expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}' -> /usr/local/bin/otpverify.sh 'user1' 'secret' '' '' '' users: Matched entry user1 at line 6 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type MOTP auth: type "MOTP" +- entering group MOTP expand: %{User-Name} -> user1 expand: %{User-Password} -> secret expand: %{Secret} -> expand: %{PIN} -> expand: %{Offset} -> expr: syntax error Usage: printf [ options ] format [string ...] Exec-Program output: FAIL Exec-Program-Wait: plaintext: FAIL Exec-Program: returned: 1 ++[motp] returns reject auth: Failed to validate the user. Login incorrect: [user1/secret] (from client 192.168.82.40 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Any ideas ?? Thank you all, Stefan
On Wed, 17 Jun 2009, Stefan Kuegler wrote:
/etc/freeradius/users --------------------- DEFAULT Auth-Type = MOTP Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}'", Fall-Through = yes
user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0
If this is correctly represents the order of your entries, then your program execution command is getting 'constructed' on the DEFAULT entry *before* you assign those values on the 'user1' entry. Try moving the user1 line before the DEFAULT (and reverse the 'fall through' specifications).... - Charles
Hello to all.
Try moving the user1 line before the DEFAULT (and reverse the 'fall through' specifications)....
Thank you Charles for your advice. But the problem in this case is: If I move the user-lines before DEFAULT, freeradius tries to authenticate with any other Auth-Method, exept MOTP. [...] rad_recv: Access-Request packet from host 192,168.82.41 port 33260, id=216, length=58 User-Name = "user1" User-Password = "aa8809" NAS-IP-Address = 192,168.82.41 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated users: Matched entry user1 at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop auth: type Crypt auth: Failed to validate the user. Login incorrect: [user1/aa8809] (from client 192,168.82.41 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated [...] So, it seems that I have to use the DEFAULT-line at first to use MOTP as the default Auth-Type. But now some new good news: After changing the module configuration in radiusd.conf to exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{control:Secret} %{control:PIN} %{control:Offset}" input_pairs = request output_pairs = config } ...tested with radtest, everything works fine (thank you, Ivan) :-) auth: type "MOTP" +- entering group MOTP expand: %{User-Name} -> user1 expand: %{User-Password} -> eaec5f expand: %{control:Secret} -> 143a5c6fa125ac1f expand: %{control:PIN} -> 1234 expand: %{control:Offset} -> 0 Exec-Program output: ACCEPT Exec-Program-Wait: plaintext: ACCEPT Exec-Program: returned: 0 ++[motp] returns ok What a nice adventure... Now, I have another problem with mod_auth_radius. But this is another story. Best regards, Stefan
Try moving the user1 line before the DEFAULT (and reverse the 'fall through' specifications)....
Thank you Charles for your advice. But the problem in this case is: If I move the user-lines before DEFAULT, freeradius tries to authenticate with any other Auth-Method, exept MOTP.
It will work if you add Fall-Through to it (and remove it from the DEFAULT entry, as suggested). But that's not very economical: you would need to add Fall-Through to every user line; like this you use it only once in DEFAULT entry. Ivan Kalik Kalik Informatika ISP
Stefan Kuegler wrote:
Thanks for your advice. I configured the users-file described above, but it didn't work. Now I can see, that freeradius never calls the external script.
Because the user was rejected. Ensure that the user is accepted, follow Ivan's instructions for configuring the "users" file, and it will work. Alan DeKok.
participants (4)
-
Alan DeKok -
Charles Gregory -
Ivan Kalik -
Stefan Kuegler