Execute shell script in older version of FreeRADIUS
I’m hoping someone can give me a helping hand. I’ve got an older version of FreeRADIUS (2.2.0) running on an internal legacy system. The server is scheduled to be replaced by the summer so at this point it would be a waste to try to upgrade it. I do however need to make a change to the configuration to hack for a requirement of the server that’s being replaced first… and I’ve been kind of going/googling around in circles. Have tried 4 or 5 different things that I’ve found but I think a few of them may be for newer versions of FreeRADIUS… and the ones I thought were old enough didn’t accomplish anything either 😊 Essentially what I need to do is run one script after a user is authenticated to which will extract the username and the IP address they’ve been assigned (and possibly the NAS IP/port) (in the current test script this info is just echoed to a file so that I can tell when it’s working). And then a different script (with the same parameters) when they log off. From reading I’m guessing accounting-start and accounting-stop is the point where I want to be doing this, but I’m open to input on that as well if there’s somewhere more appropriate. What is the best/right way to accomplish this in FreeRADIUS 2.2.0? Cheers, Mike
On Feb 28, 2018, at 2:39 PM, MLists <mlists@starmania.net> wrote:
I’m hoping someone can give me a helping hand. I’ve got an older version of FreeRADIUS (2.2.0) running on an internal legacy system. The server is scheduled to be replaced by the summer so at this point it would be a waste to try to upgrade it. I do however need to make a change to the configuration to hack for a requirement of the server that’s being replaced first… and I’ve been kind of going/googling around in circles. Have tried 4 or 5 different things that I’ve found but I think a few of them may be for newer versions of FreeRADIUS… and the ones I thought were old enough didn’t accomplish anything either 😊
You should upgrade to 2.2.10. It has a number of fixes, and it's 100% compatible with 2.2.0.
Essentially what I need to do is run one script after a user is authenticated to which will extract the username and the IP address they’ve been assigned (and possibly the NAS IP/port) (in the current test script this info is just echoed to a file so that I can tell when it’s working). And then a different script (with the same parameters) when they log off. From reading I’m guessing accounting-start and accounting-stop is the point where I want to be doing this, but I’m open to input on that as well if there’s somewhere more appropriate.
What is the best/right way to accomplish this in FreeRADIUS 2.2.0?
See raddb/modules/exec, or raddb/modules/echo You can run arbitrary programs using those modules. e.g. if (Acct-Status-Type == Stop) { echo } Just copy "echo" to another file, and change the name "echo" to something else. Alan DeKok.
Thanks Alan, that was just the little prod I needed, got it working great. Cheers, Mike
What is the best/right way to accomplish this in FreeRADIUS 2.2.0?
See raddb/modules/exec, or raddb/modules/echo You can run arbitrary programs using those modules. e.g. if (Acct-Status-Type == Stop) { echo } Just copy "echo" to another file, and change the name "echo" to something else. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 28/02/18 19:39, MLists wrote:
What is the best/right way to accomplish this in FreeRADIUS 2.2.0?
As per Alan's reply, I have been using the exec module for a few years now. You should note the warning given in the docs: http://networkradius.com/doc/3.0.10/raddb/mods-available/exec.html "The exec module may look like it works for one or two tests, but in a live situation it can cause the server to become unresponsive under load" and I think we have been suffering from this. See my thread "Perl vs. python vs. Lua?" from a couple of days ago to see Alan's comments on alternatives to using exec. More generally, when you say "what I need to do is run one script after a user is authenticated to which will extract the username and the IP address" what problem are you trying to solve? This information can be had from (or made to appear in) radacct and radpostauth tables.
"The exec module may look like it works for one or two tests, but in a live situation it can cause the server to become unresponsive under load" and I think we have been suffering from this.
Luckily here we're only at maybe 20 or 30 requests in a day, so I'm not tooworried about that :-)
More generally, when you say "what I need to do is run one script after a user is authenticated to which will extract the username and the IP address" what problem are you trying to solve? This information can be had from (or made to appear in) radacct and radpostauth tables.
The new server that we have in place has a strict requirement to work only with DNS and not IP's... that’s not a problem for our local devices as that is all handled on the LAN with the local DHCP server... but the devices which are authenticated by our RADIUS server (which is actually proxy to a 3rd party RADIUS server that we don't control) don’t have those DNS entries... so this is basically a quick and dirty hack to create/update a DNS entry for them when they authenticate. Essentially a legacy system that authenticates to another legacy system that we don’t control that proxies from a legacy system that we do control. All held together with toothpicks and krazy glue. Cheers, Mike
participants (3)
-
Alan DeKok -
Dom Latter -
MLists