Hi! Is there some way to execute a shell with freeradius? here’s my scenario: - Users login to cisco wi-fi with 3 BSSID (teachers, students or employees) with LDAP credentials; - I verify if user is at group X, Y or Z (LDAP-Group); - *** Now, i need to verify in ldap (ldapsearch/shell) if the objectclass “userenalbled” is enabled or “expiredate” is “less” than "now” *** - Then grant or not access to wifi lan. This is what I did so far (eg. From students network)… Authenticate { post-auth { # if (LDAP-Group == “teachers" || LDAP-Group == “employees") { # reject # else { # noop # } # } } } Same file above: Authorize { update control { Auth-Type := `bash /opt/verify_date.sh '%{User-Name}'` } } Content of “verify_date.sh” file is an ldapsearch with filters to return the values of “expiredate” or “userenabled” with “if” statements to check the results, my question is: How can I work with the results of this script to allow or deny access to networks? Thank You!
Same file above:
Authorize { update control { Auth-Type := `bash /opt/verify_date.sh '%{User-Name}'` } }
Content of “verify_date.sh” file is an ldapsearch with filters to return the values of “expiredate” or “userenabled” with “if” statements to check the results, my question is:
How can I work with the results of this script to allow or deny access to networks?
Well if you're intent on ABSOLUTELY CRIPPLING THE PERFORMANCE OF THE RADIUS SERVER FOR NO GOOD REASON, then call the exec module instead of using backticks. Different exit codes map to different FreeRADIUS rcodes. See raddb/mods-available/echo for the mappings. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Ok, My bash script returns (echo) the values 8 for ³valid dates" and 1 (reject) for ³out range dates", right? But the control are always ³ok² and even if I change the ³if² statement to any other value.. Than 8 or 1 are always "OK" Mon Jan 13 10:53:48 2014 : Debug: Exec-Program output: 8 Mon Jan 13 10:53:48 2014 : Debug: Exec-Program-Wait: plaintext: 8 Mon Jan 13 10:53:48 2014 : Debug: Exec-Program: returned: 0 How can I work with reject or allow with this script... Manually execution.. root@radius:/etc/freeradius/externals# /etc/freeradius/externals/check_date.sh 61888498536 8 What I am trying to do is: Check user passowrd and group in LDAP Verify the expire date at LDAP Reject or allow the user based with this result. This is my configuration file: http://pastebin.com/Bmgd4srE And This is the debug.. http://pastebin.com/kRcJeKkW Thank You! On 13/01/14 09:39, "Phil Mayers" <p.mayers@imperial.ac.uk> wrote:
On 13/01/14 10:52, Jean Carlos Coelho wrote:
Hi!
Is there some way to execute a shell with freeradius?
Yes. See the "exec" module that comes with the server, including the extensive comments in the example configs describing error codes and how they map to FR module codes. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jean Carlos Coelho wrote:
My bash script returns (echo) the values 8 for ³valid dates" and 1 (reject) for ³out range dates", right? But the control are always ³ok² and even if I change the ³if² statement to any other value.. Than 8 or 1 are always "OK"
Mon Jan 13 10:53:48 2014 : Debug: Exec-Program output: 8 Mon Jan 13 10:53:48 2014 : Debug: Exec-Program-Wait: plaintext: 8 Mon Jan 13 10:53:48 2014 : Debug: Exec-Program: returned: 0
Your config says: update control { Auth-Type == "%{exec:/etc/freeradius/externals/check_date.sh '%{User-Name}'}" Fall-Through = No } Don't do that. You've got that completely wrong: - setting Auth-Type is almost always wrong. Don't do it. - you use "==" instead of "=" or ":=" in an "update" section. This is wrong. See "man unlang" - you use "Fall-Through" in an "update" section. This is completely useless. Fall-Through is only for the "users" file and the SQL radreply tables. Your configuration is completely wrong. Most of it should be deleted, and replace with a working one.
What I am trying to do is:
Check user passowrd and group in LDAP
You can do this in the default configuration with LDAP.
Verify the expire date at LDAP
You can write an LDAP query to do this.
Reject or allow the user based with this result.
You need do this in addition to checking their password in ldap. Something like this may work: authorize { ... ldap if (ok) { if ("%{ldap: ...}" == ...) { reject } } ... } Write an LDAP query that will return OK / fail for the date check. Put it into the "if" statement above. Alan DeKok.
On 13.01.2014 11:52, Jean Carlos Coelho wrote:
Hi!
Is there some way to execute a shell with freeradius? here’s my scenario:
- Users login to cisco wi-fi with 3 BSSID (teachers, students or employees) with LDAP credentials; - I verify if user is at group X, Y or Z (LDAP-Group); - *** Now, i need to verify in ldap (ldapsearch/shell) if the objectclass “userenalbled” is enabled or “expiredate” is “less” than "now” ***
Why ooh why do you want to call a script for that ?? Just adapt your filter in your ldap module, in the user {} section. For example : filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(userEnabled=enabled)(expireDate<%lZ)" (this is an example and should be adapted/tested against your directory) Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Jean Carlos Coelho -
Olivier Beytrison -
Phil Mayers