Is there a way to add a custom auth script just for PAP? If have the following authorize { filter_username preprocess mschap eap { ok = return } -ldap pap } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } mschap eap } I tried the following solution but it handles all auth methods https://stackoverflow.com/a/13870838/935122 <https://stackoverflow.com/a/13870838/935122>
Does that go in authorize or authenticate? Kind regards, Christian Salway IT Consultant - Naimuri T: +44 7463 331432 E: christian.salway@naimuri.com A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
On 16 Nov 2018, at 11:39, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 16, 2018, at 6:03 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Is there a way to add a custom auth script just for PAP?
Yes.
if (User-Password) { ... run script ... }
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 16, 2018, at 6:40 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Does that go in authorize or authenticate?
At some point, it helps to understand the system you're configuring. Read the technical guide here: https://networkradius.com/freeradius-documentation/ You shouldn't just ask a question every time you run into a problem. Alan DeKok.
Hi Alan, I have read all 58 pages of the Technical Guide and scanned through the "main page" (which is basically a copy). I still don't know how to implement a custom authorisation. What I am trying to achieve is to: a) log in with eap-mschapv2 and only if Access-Accept, run a custom script to do an MFA which could cause the result to become an Access-Reject. b) log in with pap and run a custom auth script (which does MFA) which results in an access-Accept or Reject. I couldn't find anywhere in the documentation to help me with this. Could you point me to the page? I think I understand that it is probably best done in the Authenticate section Christian Salway
On 16 Nov 2018, at 11:45, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 16, 2018, at 6:40 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Does that go in authorize or authenticate?
At some point, it helps to understand the system you're configuring. Read the technical guide here:
https://networkradius.com/freeradius-documentation/
You shouldn't just ask a question every time you run into a problem.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 16, 2018, at 8:54 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have read all 58 pages of the Technical Guide and scanned through the "main page" (which is basically a copy).
I still don't know how to implement a custom authorisation.
What I am trying to achieve is to:
a) log in with eap-mschapv2 and only if Access-Accept, run a custom script to do an MFA which could cause the result to become an Access-Reject. b) log in with pap and run a custom auth script (which does MFA) which results in an access-Accept or Reject.
I couldn't find anywhere in the documentation to help me with this. Could you point me to the page? I think I understand that it is probably best done in the Authenticate section
There is no documentation that says "how to implement Christian Salways configuration". You have to put the pieces together yourself. The RADIUS ecosystem is complex enough that it is *impossible* to give guides for every possible thing that everyone could possibly want to do. There *is* documentation that says: a) how to check for things b) how to do things I gave you an example of how to check for User-Password (i.e. PAP), and do something. If you read the configuration and examples, you will see that there is detailed documentation for how to run external programs. See the "exec" module. Then, put the two pieces together. "If user password, run my custom exec module". Yes, I could give you line by line instructions for how to do this. And yes, I could spend *24 hours a day* doing that for people. And yes, you would not learn anything. And yes, you would be unable to maintain the system you built. This is not just me being obtuse. This is me insisting that you *understand* not only how to configure the server, but also how to *solve problems*. Just asking questions on the mailing list isn't an option. Alan DeKok.
I don't want to come across ungrateful. You and the team are doing a fantastic job at looking after freeRadius and no, I'm not expecting documentation on "how to implement Christian Salways configuration" (although that would be awesome if i could put a request in). I know there is an exec module. I used it to add AD Groups to a Reply in the Class field post-auth { foreach &reply:memberOf { update { &reply:Class += "%{exec:/etc/raddb/extract-ad-group.sh %{Foreach-Variable-0}}" } } } but this exec is inside quotes. what you have explained sounds like it can go out of quotes which i doubt since exec can also stand on its own. authorize { if (User-Name) { exec: "/path/to/file '%{User-Name}' '%{User-Password}'" <-- im guessing this is meant to return an exit code that means Accept/Reject } } There is no where I could find in the docs or examples that gives this format. "you would not learn anything".. I learn, as I'm sure most do, by example, not documentation alone as it is normally limited in context. "you would be unable to maintain the system you built." .. that depends on your character. Just because someone gives me some example, doesnt mean I dont examine line by line and try to understand it. In fact I'm a stickler for perfection systems so even if someone gave me code, i would still make sure it was the most efficient, secure method. No worries, sorry to bother you. I'll post the question on SO and hope someone isn't so glad it's the weekend.
On 16 Nov 2018, at 14:03, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 16, 2018, at 8:54 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I have read all 58 pages of the Technical Guide and scanned through the "main page" (which is basically a copy).
I still don't know how to implement a custom authorisation.
What I am trying to achieve is to:
a) log in with eap-mschapv2 and only if Access-Accept, run a custom script to do an MFA which could cause the result to become an Access-Reject. b) log in with pap and run a custom auth script (which does MFA) which results in an access-Accept or Reject.
I couldn't find anywhere in the documentation to help me with this. Could you point me to the page? I think I understand that it is probably best done in the Authenticate section
There is no documentation that says "how to implement Christian Salways configuration".
You have to put the pieces together yourself. The RADIUS ecosystem is complex enough that it is *impossible* to give guides for every possible thing that everyone could possibly want to do.
There *is* documentation that says:
a) how to check for things
b) how to do things
I gave you an example of how to check for User-Password (i.e. PAP), and do something. If you read the configuration and examples, you will see that there is detailed documentation for how to run external programs. See the "exec" module.
Then, put the two pieces together. "If user password, run my custom exec module".
Yes, I could give you line by line instructions for how to do this. And yes, I could spend *24 hours a day* doing that for people. And yes, you would not learn anything. And yes, you would be unable to maintain the system you built.
This is not just me being obtuse. This is me insisting that you *understand* not only how to configure the server, but also how to *solve problems*. Just asking questions on the mailing list isn't an option.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 16, 2018, at 9:19 AM, Christian Salway via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I don't want to come across ungrateful. You and the team are doing a fantastic job at looking after freeRadius and no, I'm not expecting documentation on "how to implement Christian Salways configuration" (although that would be awesome if i could put a request in).
The problem is when you say "there is no documentation saying how to do what I want", that really comes across as "how to implement Christian Salways configuration"
I know there is an exec module. I used it to add AD Groups to a Reply in the Class field
post-auth {
foreach &reply:memberOf { update { &reply:Class += "%{exec:/etc/raddb/extract-ad-group.sh %{Foreach-Variable-0}}"
That's not an "exec" module. That's a dynamic expansion.
but this exec is inside quotes. what you have explained sounds like it can go out of quotes which i doubt since exec can also stand on its own.
authorize { if (User-Name) { exec: "/path/to/file '%{User-Name}' '%{User-Password}'" <-- im guessing this is meant to return an exit code that means Accept/Reject
Nothing in the documentation says that this kind of thing is possible. The "man unlang" documentation is very clear on the format of the configuration files. The hundreds of examples show nothing like what you're doing here. You can't just *invent* syntax and expect it to work.
There is no where I could find in the docs or examples that gives this format.
Because it isn't allowed. The documentation should be VERY clear on what is allowed. This shouldn't be difficult. When I say "use the exec module", you should already understand what a "module" is, and where it's configured. The documentation makes this abundantly clear. See the "mods-available" directory. And perhaps unsurprisingly, there's a file called "exec". Which describes what the "exec" module is, and how to use it. This is really a major problem. If you've read the docs and still aren't clear what a "module" is, or where the module configuration lives, then that's a problem which is difficult for me to solve. Alan DeKok.
participants (2)
-
Alan DeKok -
Christian Salway