Good Morning! I will pay $75.00 USD (via PayPal) to the first person who can send me the documentation and working configuration files for external authentication using a PHP script. Thanks, Craig
Alan, I've read the documents indicated repeatedly. (And again just now.) I have not yet been able to port the 'deprecated' method of EXEC-PROGRAM-WAIT="/usr/local/bin/auth -A parameter" to the new method. I guess I'm missing how to bind the program using the new method to the entries in the users file. This is not urgent, since I am still successfully using the old (and at this point more straight forward) method. I understand how to add the CAPABILITY to use the program to the modules, but how to connect it to the users file escapes me. This is NOT urgent for me, but if you get a moment to clarify, I'd appreciate it. I'd like to leave the deprecated methods behind. Thanks, -craig (a different one than the original poster) ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Monday, March 21, 2011 9:46 AM Subject: Re: $75.00 USD Bounty
Craig Smith wrote:
I will pay $75.00 USD (via PayPal) to the first person who can send me the documentation and working configuration files for external authentication using a PHP script.
Read scripts/exec-program-wait
This is documented.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Information from ESET Smart Security, version of virus signature database 5970 (20110321) __________
The message was checked by ESET Smart Security.
__________ Information from ESET Smart Security, version of virus signature database 5970 (20110321) __________ The message was checked by ESET Smart Security. http://www.eset.com
On 21/03/11 15:04, Craig Campbell wrote:
Alan, I've read the documents indicated repeatedly. (And again just now.)
I have not yet been able to port the 'deprecated' method of
EXEC-PROGRAM-WAIT="/usr/local/bin/auth -A parameter"
Why do you say it's deprecated?
to the new method.
I guess I'm missing how to bind the program using the new method to the entries in the users file.
You don't. Calling a script in a "users" file entry by using the magic "Exec-Program-Wait" is different from defining an exec "module" and calling that in the "authorize" section. They work differently and serve different needs. If you can be more specific about what you're trying to do and show why it isn't working, people might be able to offer specific advice - but it's better to start a different thread, specific to your question.
re: "Why do you say it's deprecated?"
From the source code, ..scripts/exec-program-wait # Before version 2.0 of FreeRADIUS, the script could be run from the # deprecated attributes 'Exec-Program' and 'Exec-Program-Wait'. # However, these attributes are no longer supported and you have to # use the module 'rlm_exec' instead. # # An entry for the module 'rlm_exec' must be added to the file # 'radiusd.conf' with the path of the script. hence my attempts during my last upgrade to migrate to the new and improved method that will be used going forward.
re: "If you can be more specific about what you're trying to do" My specific requirement is to port the logic of multiple entries in the users file to the new method. The existing entries are like, DEFAULT Auth-Type := Accept Exec-Program-Wait = "/usr/local/sbin/auth -X -U -- %{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}" , Fall-Through = no I'd like to migrate to the 'new and improved' method before I hit an upgrade where it becomes non optional. I am not the original (also craig) poster who has a similar but more immediate requirement using a perl script. Thanks, -the other craig ----- Original Message ----- From: "Phil Mayers" <p.mayers@imperial.ac.uk> To: <freeradius-users@lists.freeradius.org> Sent: Monday, March 21, 2011 12:51 PM Subject: Re: $75.00 USD Bounty
On 21/03/11 15:04, Craig Campbell wrote:
Alan, I've read the documents indicated repeatedly. (And again just now.)
I have not yet been able to port the 'deprecated' method of
EXEC-PROGRAM-WAIT="/usr/local/bin/auth -A parameter"
Why do you say it's deprecated?
to the new method.
I guess I'm missing how to bind the program using the new method to the entries in the users file.
You don't. Calling a script in a "users" file entry by using the magic "Exec-Program-Wait" is different from defining an exec "module" and calling that in the "authorize" section.
They work differently and serve different needs.
If you can be more specific about what you're trying to do and show why it isn't working, people might be able to offer specific advice - but it's better to start a different thread, specific to your question. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Information from ESET Smart Security, version of virus signature database 5971 (20110321) __________
The message was checked by ESET Smart Security.
__________ Information from ESET Smart Security, version of virus signature database 5971 (20110321) __________ The message was checked by ESET Smart Security. http://www.eset.com
Send it to Alan - he wrote the thing! :) The rest of us are just hacks! :) -the other craig ----- Original Message ----- From: "Leander S." <info@netocean.de> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Monday, March 21, 2011 2:05 PM Subject: Re: $75.00 USD Bounty
Now who got the 75 Bucks?
;) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Information from ESET Smart Security, version of virus signature database 5971 (20110321) __________
The message was checked by ESET Smart Security.
__________ Information from ESET Smart Security, version of virus signature database 5971 (20110321) __________ The message was checked by ESET Smart Security. http://www.eset.com
ja .... guess he more then deserves it, hey .. ;)) good luck Am 21.03.11 19:39, schrieb Craig Campbell:
Send it to Alan - he wrote the thing! :)
The rest of us are just hacks!
:) -the other craig ----- Original Message ----- From: "Leander S." <info@netocean.de> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Monday, March 21, 2011 2:05 PM Subject: Re: $75.00 USD Bounty
Now who got the 75 Bucks?
;) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Information from ESET Smart Security, version of virus signature database 5971 (20110321) __________
The message was checked by ESET Smart Security.
__________ Information from ESET Smart Security, version of virus signature database 5971 (20110321) __________
The message was checked by ESET Smart Security.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Craig, Craig here too... I am not very knacky with PERL, but I can tell you what you need to know. 1. in the file file users you will need a line like, DEFAULT Auth-Type := Accept Exec-Program-Wait = "/usr/local/sbin/auth -X -U -- %{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}" , Fall-Through = no Where /usr/local/sbin/auth is your perl authorization script. You may either pass the authentication request parameters via command line as in the example above, or they may be collected from environmental variables. Note the '-' characters are replaced with '_' characters in the environmental variable names. The -X and -U are specific to MY auth program. The '--' denotes an end to command line switches. The Parameter substitution for some variables ensures the word "Missing" in the event a value pair variable is not defined. (Again just for the needs of my script.) Beware: There is a line length limit - much longer than this and you should use the environmental variable option to collect the parameters. The example above EVOLVED form ancient radius software. I'd likely drop the command line parameters entirely if I was writing it fresh today. 2. The auth script MUST return a return code == 0 (zero) for success. Non zero and authentication is denied. 3. stdout from the auth script should be any value pairs you wish returned to the NAS. (From memory) these value pairs need to be comma,' separated. Returning an INVALID value pair for the NAS results in NO value pairs being returned and the stdout becomes a log message as I recall - very misleading. I suggest you test by adding 1 value pair at a time to the successful logins. There's my 5 minute memory dump. Hope it helps, -craig ----- Original Message ----- From: Craig Smith To: freeradius-users@lists.freeradius.org Sent: Monday, March 21, 2011 8:14 AM Subject: $75.00 USD Bounty Good Morning! I will pay $75.00 USD (via PayPal) to the first person who can send me the documentation and working configuration files for external authentication using a PHP script. Thanks, Craig ------------------------------------------------------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ Information from ESET Smart Security, version of virus signature database 5970 (20110321) __________ The message was checked by ESET Smart Security. http://www.eset.com -------------------------------------------------------------------------------- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ Information from ESET Smart Security, version of virus signature database 5970 (20110321) __________ The message was checked by ESET Smart Security. http://www.eset.com __________ Information from ESET Smart Security, version of virus signature database 5970 (20110321) __________ The message was checked by ESET Smart Security. http://www.eset.com
On 21/03/11 12:14, Craig Smith wrote:
Good Morning!
I will pay $75.00 USD (via PayPal) to the first person who can send me the documentation and working configuration files for external authentication using a PHP script.
Well, your question is not as simple as you imagine; you haven't defined which authentication method(s) (PAP, CHAP, EAP) you want to handle, and how you want to determine success or failure If you want to handle CHAP/EAP or something else using challenge/response; don't. You won't be able to do this in an external script. Assuming it's PAP or something else similar which doesn't involve any challenge/response (e.g. macauth) you simply do the following: /etc/raddb/modules/my_exec: exec my_exec { program = "/..." wait = yes input_pairs = request output_pairs = reply } /etc/raddb/sites-enabled/default: authorize { ... my_exec if (ok) { update control { Auth-Type := Accept } } ... } ...then write your script. It will receive User-Name=x Other-Attr=y ...on stdin. You can print out reply variables on stdout: Reply-Message="some string" Vendor-Vlan=1234 ...and you return exit codes as demonstrated in scripts/exec-program-wait. I don't code in PHP so can't give you an example of the script.
participants (5)
-
Alan DeKok -
Craig Campbell -
Craig Smith -
Leander S. -
Phil Mayers