rlm_exec question
Hi everyone, I am trying to accomplish a very simple task using RADIUS as an authentication proxy. All I need it to do is use the username/password combo sent in, run a perl script to validate those credentials and return a pass or fail. I have my perl script setup to return all the right codes as the radiusd.conf specifies. ( < 0 : fail, 0 : ok , etc...) I have added the following changes to the radiusd.conf file, everything else is as it is out of the box. authorize { preprocess exec } authenticate { Auth-Type Exec { exec } } In the modules section I added my program name / perl script (the location is just a temp thing to get this going): exec { program = "/usr/bin/authenticate.pl" wait = yes input_pairs = request output_pairs = reply } When i run radtest, this is what I see in the logs User-Name = "tkid" User-Password = "hlsearch" NAS-IP-Address = 127.0.0.1 NAS-Port = 1645 +- entering group authorize ++[preprocess] returns ok Exec-Program output: Error: Password check passed Exec-Program: returned: 0 ++[exec] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [tkid/hlsearch] (from client localhost port 1645) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> tkid attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 149 with timestamp +10 Ready to process requests. In essence, all I want is authentication and not authorization. How do I accomplish that here? Thanks for your help in advance. Thanks, -- Tauseef
Add files to authorize and put DEFAULT Auth-Type := Exec in it. Ivan Kalik Kalik Informatika ISP Dana 13/4/2008, "T Kid82" <tkid2000@gmail.com> piše:
Hi everyone,
I am trying to accomplish a very simple task using RADIUS as an authentication proxy. All I need it to do is use the username/password combo sent in, run a perl script to validate those credentials and return a pass or fail. I have my perl script setup to return all the right codes as the radiusd.conf specifies. ( < 0 : fail, 0 : ok , etc...)
I have added the following changes to the radiusd.conf file, everything else is as it is out of the box.
authorize { preprocess exec }
authenticate { Auth-Type Exec { exec } }
In the modules section I added my program name / perl script (the location is just a temp thing to get this going):
exec { program = "/usr/bin/authenticate.pl" wait = yes input_pairs = request output_pairs = reply
}
When i run radtest, this is what I see in the logs
User-Name = "tkid" User-Password = "hlsearch" NAS-IP-Address = 127.0.0.1 NAS-Port = 1645 +- entering group authorize ++[preprocess] returns ok Exec-Program output: Error: Password check passed Exec-Program: returned: 0 ++[exec] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [tkid/hlsearch] (from client localhost port 1645) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> tkid attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 149 with timestamp +10 Ready to process requests.
In essence, all I want is authentication and not authorization. How do I accomplish that here?
Thanks for your help in advance. Thanks, -- Tauseef - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan, I tried two variations. First I added a files sub-section the modules section within radiusd.conf files { Auth-Type := Exec } and in the authorize section I put in authorize { preprocess files } This is what I saw in the radius logs User-Name = "tkid" User-Password = "hlsearch" NAS-IP-Address = 127.0.0.1 NAS-Port = 1645 +- entering group authorize ++[preprocess] returns ok ++[files] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [tkid/hlsearch] (from client localhost port 1645) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> tkid attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Waking up in 4.9 seconds. Cleaning up request 0 ID 79 with timestamp +20 Ready to process requests. I also tried adding the DEFAULT as you asked so i made an addition to the files module files { DEFAULT Auth-Type := Exec } I got a radiusd.conf syntax error "Expecting section start brace '{' after "DEFAULT Auth-Type" Let me know what else I need to get going here. It would be great if you can let me know specifically where I have to add config settings since I am not very familiar with freeradius yet. I would really prefer to run a perl script rather than doing a .pm since I tried that before and just kept getting too many errors. I'll consider that once all the options of a perl script have been exhausted. Thanks everyone for your help. -- Tauseef 2008/4/13 Ivan Kalik <tnt@kalik.net>:
Add files to authorize and put DEFAULT Auth-Type := Exec in it.
Ivan Kalik Kalik Informatika ISP
Dana 13/4/2008, "T Kid82" <tkid2000@gmail.com> piše:
Hi everyone,
I am trying to accomplish a very simple task using RADIUS as an authentication proxy. All I need it to do is use the username/password combo sent in, run a perl script to validate those credentials and return a pass or fail. I have my perl script setup to return all the right codes as the radiusd.conf specifies. ( < 0 : fail, 0 : ok , etc...)
I have added the following changes to the radiusd.conf file, everything else is as it is out of the box.
authorize { preprocess exec }
authenticate { Auth-Type Exec { exec } }
In the modules section I added my program name / perl script (the location is just a temp thing to get this going):
exec { program = "/usr/bin/authenticate.pl" wait = yes input_pairs = request output_pairs = reply
}
When i run radtest, this is what I see in the logs
User-Name = "tkid" User-Password = "hlsearch" NAS-IP-Address = 127.0.0.1 NAS-Port = 1645 +- entering group authorize ++[preprocess] returns ok Exec-Program output: Error: Password check passed Exec-Program: returned: 0 ++[exec] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [tkid/hlsearch] (from client localhost port 1645) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> tkid attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 149 with timestamp +10 Ready to process requests.
In essence, all I want is authentication and not authorization. How do I accomplish that here?
Thanks for your help in advance. Thanks, -- Tauseef - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
T Kid82 wrote:
First I added a files sub-section the modules section within radiusd.conf
files { Auth-Type := Exec }
There is already a "files" subsection. It configures the "users" file. You should put the "Auth-Type" entry there, instead of in radiusd.conf. Oh, and read the documentation for the "users" file. Alan DeKok.
Thank you Alan, your recommendation worked perfectly. It has permanently cured me of fleas :p Two other things I wanted to ask the experts on here. 1. I have log incoming authentication requests set to yes but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there anyway to do that without actually running the server in debug mode? 2. Is there a config setting for locking out a user temporarily if they make more than say 5 unsuccessful login attempts in a short time span? Thanks again. -- Tauseef On Sun, Apr 13, 2008 at 11:32 PM, Alan DeKok <aland@deployingradius.com> wrote:
T Kid82 wrote:
First I added a files sub-section the modules section within radiusd.conf
files { Auth-Type := Exec }
There is already a "files" subsection. It configures the "users" file. You should put the "Auth-Type" entry there, instead of in radiusd.conf.
Oh, and read the documentation for the "users" file.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Anybody know about these two things that I asked? 1. I have log incoming authentication requests set to yes but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there anyway to do that without actually running the server in debug mode? 2. Is there a config setting for locking out a user temporarily if they make more than say 5 unsuccessful login attempts in a short time span? Thanks. On Thu, Apr 17, 2008 at 1:15 AM, T Kid82 <tkid2000@gmail.com> wrote:
Thank you Alan, your recommendation worked perfectly. It has permanently cured me of fleas :p
Two other things I wanted to ask the experts on here. 1. I have log incoming authentication requests set to yes but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there anyway to do that without actually running the server in debug mode?
2. Is there a config setting for locking out a user temporarily if they make more than say 5 unsuccessful login attempts in a short time span?
Thanks again.
-- Tauseef
On Sun, Apr 13, 2008 at 11:32 PM, Alan DeKok <aland@deployingradius.com> wrote:
T Kid82 wrote:
First I added a files sub-section the modules section within radiusd.conf
files { Auth-Type := Exec }
There is already a "files" subsection. It configures the "users" file. You should put the "Auth-Type" entry there, instead of in radiusd.conf.
Oh, and read the documentation for the "users" file.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
T Kid82 wrote:
1. I have log incoming authentication requests set to yes but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there anyway to do that without actually running the server in debug mode?
No.
2. Is there a config setting for locking out a user temporarily if they make more than say 5 unsuccessful login attempts in a short time span?
No. This requires that the information is stored in a database. Use a script to read/write the relevant information to the database. Alan DeKok.
Hi,
authorize { preprocess exec }
authenticate { Auth-Type Exec { exec } }
remove all those 'exec' and replace them with 'perl', then read experimental.conf and edit accordingly to activate the perl module you've written. dont worry about the experimental name - its stable and well tested. then read the example supplied perl example and adapt for your own use - ensure you have an authorize() and authenticate() subroutine defined. alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Ivan Kalik -
T Kid82