Exec Module FreeRADIUS Version 2.1.8
Hi everybody I'm trying to change the Auth-Type attribute with an external application. I'm using FreeRADIUS Version 2.1.8 and Ubuntu 10.04 What files do I should modify? I have tried with: /etc/freeradius/radiusd.conf: ... instantiate { # # Allows the execution of external scripts. # The entire command line (and output) must fit into 253 bytes. # # e.g. Framed-Pool = `%{exec:/bin/echo foo}` exec ven{ wait = yes program = "/etc/disconnect/php return.php %{Calling-Station-Id}" input_pairs = request output_pairs = reply shell_escape = yes } /etc/freeradius/sites-enabled/default post-auth { ... exec ven{ wait = yes program = "/etc/disconnect/php return.php %{Calling-Station-Id}" input_pairs = request output_pairs = reply shell_escape = yes } /etc/freeradius/modules/exec ... # See also "echo" for more sample configuration. # exec ven{ wait = yes program = "/etc/disconnect/php return.php %{Calling-Station-Id}" input_pairs = request output_pairs = reply shell_escape = yes } And /etc/freeradius/users: ... DEFAULT Auth-Type := '%{exec:/etc/disconnect/php return.php %{Calling-Station-Id}}' Fall-Through = No External application is /etc/disconnect/return.php and it returns Accept or Reject values. I have read several forums but I do not understand the procedure. I would appreciate a step by step procedure :) Running freeradius -X, I get (with no modifications in /etc/freeradius/users): ... Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load /etc/freeradius/sites-enabled/default[464]: Failed to find module "exec". /etc/freeradius/sites-enabled/default[435]: Errors parsing post-auth section. Line 464 is exec ven{ and line 435 is post-auth { Thanks in advance, Hollman Diaz -- View this message in context: http://freeradius.1045715.n5.nabble.com/Exec-Module-FreeRADIUS-Version-2-1-8... Sent from the FreeRadius - User mailing list archive at Nabble.com.
hollman.diaz wrote:
I'm trying to change the Auth-Type attribute with an external application.
Why?
I'm using FreeRADIUS Version 2.1.8 and Ubuntu 10.04
What files do I should modify?
Read "man unlang".
I have tried with:
Pretty much all of the is *completely* wrong.
And /etc/freeradius/users: ... DEFAULT Auth-Type := '%{exec:/etc/disconnect/php return.php %{Calling-Station-Id}}' Fall-Through = No
And that won't work. Alan DeKok.
Thanks for you reply!
Why?
I want to change Auth-Type from Accept to Reject based on the account expiration date from a user. All users have the same username and password but they are identified by the calling-station-id. So the external application verifies in a database the expiration date of the calling-station-id and changes the Auth-Type attribute. Can I change this attribute? Is it possible?
Pretty much all of the is *completely* wrong.
Yeah, I new with Freeradius :s. I changed the files and now only /etc/freeradius/exec is modified: exec { wait = yes input_pairs = request output_pairs = reply program = "/usr/bin/php /etc/disconnect/return.php %{Calling-Station-Id}" shell_escape = yes } In this way, Freeradius accepts the authentication requests, runs the external application but it does not change the Auth-Type attribute: ... [files] users: Matched entry DEFAULT at line 71 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user +- entering group post-auth {...} [exec] expand: %{Calling-Station-Id} -> 57300 PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/mcrypt.ini on line 1 in Unknown on line 0 Exec-Program output: Reject Exec-Program-Wait: plaintext: Reject Exec-Program: returned: 0 ++[exec] returns ok Sending Access-Accept of id 27 to 192.168.0.3 port 2265 Finished request 0. Going to the next request The external application responds "Reject" for Calling-Station-Id==57300 but send an Acces-Accept because the Auth-Type is not changed.
Read "man unlang".
I have already read the man unlang but I don't know where I should modify the attribute: radiusd.conf or default or exec or what file. Thanks again, Hollman Diaz -- View this message in context: http://freeradius.1045715.n5.nabble.com/Exec-Module-FreeRADIUS-Version-2-1-8... Sent from the FreeRadius - User mailing list archive at Nabble.com.
hollman.diaz wrote:
I want to change Auth-Type from Accept to Reject based on the account expiration date from a user. All users have the same username and password but they are identified by the calling-station-id. So the external application verifies in a database the expiration date of the calling-station-id and changes the Auth-Type attribute.
Can I change this attribute?
Read raddb/modules/exec. This is documented.
Is it possible?
Yes.
In this way, Freeradius accepts the authentication requests, runs the external application but it does not change the Auth-Type attribute:
Have your script return "Accept" or "Reject", and follow the documentation in "man unlang". It says how to assign values by executing programs. Put the following into the "authorize" section: update control { Auth-Type := `/path/to/program args...` } And it *will* work. Alan DeKok.
Thank you very much Alan. I just modified /etc/freeradius/sites-available/default like you told me: authorize { ... update control { Auth-Type := `/usr/bin/php /etc/disconnect/return.php %{Calling-Station-Id}` } ... The file /freeradius/modules/exec was not modified, I restored it to the original configuration. Craig, thank you for your help. May be you can use the information provided by Alan in man unlang. Best regards, Hollman Díaz -- View this message in context: http://freeradius.1045715.n5.nabble.com/Exec-Module-FreeRADIUS-Version-2-1-8... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi Hollman, I too have failed to grasp the nuances of the 'new' exec mechanisms. In the end I admitted defeat, and stuck to the 'old way' - which I fear may become deprecated at some point. In any case, here is what I have done and have working at this point. 1. Restore all the config files to their state before your exec modifications. 2. In the ..../raddb/users file, add an entry similar to the following.. DEFAULT Auth-Type := Accept Exec-Program-Wait = "/usr/local/sbin/auth -L -X -U -- %{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}" , Fall-Through = no 3. My program (auth) required some command line parameters (for legacy reasons). Radius dictionary name/value pairs are (should be) stored in the environment. Environment variables are radius dictionary names converted to upper case only and all '-' changed to '_' characters. 4. The auth program in my case is responsible for returning (on stdout) all the replay Name/Value pairs. These need to be 'comma separated. Beware <cr> characters and magically appearing commas. My code has the following comment/warning , "/* Need comma separated for freeradisu 2.1.8 */ /* EXCEPT for first value pair - freeradius adds it's own comma there for some reason..." A trailing comma seems to be harmless at this point. I THINK multiple comma MAY also be harmless at this point. If your reply value pairs are constant, you should be able to add them on the last line before the "Fall-Through = no" entry. Your auth program should return 0 for successful authentication, I return 255 for deny of login. (Perhaps any non 0 would work. Cannot recall.) I would LOVE to understand the NEW and more correct way of achieving the same result. If you figure it out, please let me know how to do it. Good Luck, -craig ----- Original Message ----- From: "hollman.diaz" <hollman.diaz@gmail.com> To: <freeradius-users@lists.freeradius.org> Sent: Sunday, January 30, 2011 8:50 PM Subject: Exec Module FreeRADIUS Version 2.1.8
Hi everybody
I'm trying to change the Auth-Type attribute with an external application. I'm using FreeRADIUS Version 2.1.8 and Ubuntu 10.04
What files do I should modify? I have tried with:
/etc/freeradius/radiusd.conf: ... instantiate { # # Allows the execution of external scripts. # The entire command line (and output) must fit into 253 bytes. # # e.g. Framed-Pool = `%{exec:/bin/echo foo}` exec ven{ wait = yes program = "/etc/disconnect/php return.php %{Calling-Station-Id}" input_pairs = request output_pairs = reply shell_escape = yes }
/etc/freeradius/sites-enabled/default post-auth { ... exec ven{ wait = yes program = "/etc/disconnect/php return.php %{Calling-Station-Id}" input_pairs = request output_pairs = reply shell_escape = yes }
/etc/freeradius/modules/exec ... # See also "echo" for more sample configuration. # exec ven{ wait = yes program = "/etc/disconnect/php return.php %{Calling-Station-Id}" input_pairs = request output_pairs = reply shell_escape = yes }
And /etc/freeradius/users: ... DEFAULT Auth-Type := '%{exec:/etc/disconnect/php return.php %{Calling-Station-Id}}' Fall-Through = No
External application is /etc/disconnect/return.php and it returns Accept or Reject values.
I have read several forums but I do not understand the procedure. I would appreciate a step by step procedure :)
Running freeradius -X, I get (with no modifications in /etc/freeradius/users): ... Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load /etc/freeradius/sites-enabled/default[464]: Failed to find module "exec". /etc/freeradius/sites-enabled/default[435]: Errors parsing post-auth section.
Line 464 is exec ven{
and line 435 is post-auth {
Thanks in advance,
Hollman Diaz -- View this message in context: http://freeradius.1045715.n5.nabble.com/Exec-Module-FreeRADIUS-Version-2-1-8... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Information from ESET Smart Security, version of virus signature database 5832 (20110130) __________
The message was checked by ESET Smart Security.
__________ Information from ESET Smart Security, version of virus signature database 5833 (20110131) __________ The message was checked by ESET Smart Security. http://www.eset.com
participants (3)
-
Alan DeKok -
Craig Campbell -
hollman.diaz