I am new to using freeRADIUS. I tried to post a similar message on the 26th of October but got no responses - thought maybe I messed it up as my first posting. I can create a flat-file and have get successful access using radtest. I have a CentOS 5.2 system running freeRADIUS version 1.1.3. Soon to be upgraded to 5.3. I need to setup an account on the freeRADIUS server that can be accessed by another system as a radius server - not the problem. I then need to have freeRADIUS call a bash shell (or Perl) script that checks additional credentials before allowing or rejecting the user's access. This check can take a multiple seconds to complete so I don't want the original radius request to timeout (not sure if it will though). Think of it as taking the time to have someone lookup and enter a PIN+TOKEN string but after the fact. A very simple example would be: I need to have freeradius verify the passed login/password. (In this case, the password may not be needed to verify access as the script would do the actual validation. Not sure if this is even possible.) Then have freeradius call the script either on the same or another server. Depending upon the outcome determined by the script - either allow or deny the user access. So even if the login/password were correct, the account could be denied from another source. An easy script for testing could be as simple as: If the minute is EVEN = allow in and say an appropriate message If the minute is ODD = do not allow access and say an appropriate message I have read most of the .conf files but am still confused about proxy, etc. Is there a HOW-TO that shows a simple script example? Thanks, Tom Schmitt Senior IT Staff - R&D
d.tom.schmitt@L-3com.com wrote:
*I tried to post a similar message on the 26^th of October but got no responses – thought maybe I messed it up as my first posting.*
Or no one was sure how to help.
I then need to have freeRADIUS call a bash shell (or Perl) script that checks additional credentials before allowing or rejecting the user’s access.
This can be done. See scripts/exec-program-wait. (At least, I think that's where it is in 1.1.3)
This check can take a multiple seconds to complete so I don’t want the original radius request to timeout (not sure if it will though).
It won't, but it's a *bad* idea to take that long for authentication.
An easy script for testing could be as simple as:
If the minute is EVEN = allow in and say an appropriate message
If the minute is ODD = do not allow access and say an appropriate message
I have read most of the .conf files but am still confused about proxy, etc.
You're not proxying, so it doesn't matter.
Is there a HOW-TO that shows a simple script example?
In 2.1.7, it's in scripts/exec-program-wait. Alan DeKok.
Just getting back to this project. I want the request to come from a standard radius request from another server (or the same server). I was to do some external checks with a bash shell script and then have the script allow or deny access to the user. I am using the flatfile for user entries. I currently have external scripts that write entries to the flatfile for authentication. I can create a regular entry and have radtest verify that the entry is fine. I cannot figure what would have to be in that authentication entry to tell radius to execute the script. Also, I assume that the script must be setup in a configs file so that it can be called on just these special accounts. (not all accounts) The shell script works and is tested when you run it manually. The description of a script that would return ODD and EVEN - allow and deny access was just a simple example trying to explain the challenge. I am trying to give as much info as possible - I upgraded a second system to CentOS 5.3 freeRadius 2.1.7 (was running 1.1.3). Sorry, maybe I am not describing the situation well enough. Thanks, Tom Schmitt Senior IT Staff - R&D Phone (801) 594-3030 Cell (801) 231-7230 -----Original Message----- From: freeradius-users-bounces+d.tom.schmitt=l-3com.com@lists.freeradius.org [mailto:freeradius-users-bounces+d.tom.schmitt=l-3com.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, October 29, 2009 4:55 AM To: FreeRadius users mailing list Subject: Re: custom script for access d.tom.schmitt@L-3com.com wrote:
*I tried to post a similar message on the 26^th of October but got no responses – thought maybe I messed it up as my first posting.*
Or no one was sure how to help.
I then need to have freeRADIUS call a bash shell (or Perl) script that checks additional credentials before allowing or rejecting the user’s access.
This can be done. See scripts/exec-program-wait. (At least, I think that's where it is in 1.1.3)
This check can take a multiple seconds to complete so I don’t want the original radius request to timeout (not sure if it will though).
It won't, but it's a *bad* idea to take that long for authentication.
An easy script for testing could be as simple as:
If the minute is EVEN = allow in and say an appropriate message
If the minute is ODD = do not allow access and say an appropriate message
I have read most of the .conf files but am still confused about proxy, etc.
You're not proxying, so it doesn't matter.
Is there a HOW-TO that shows a simple script example?
In 2.1.7, it's in scripts/exec-program-wait. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.423 / Virus Database: 270.14.34/2462 - Release Date: 10/29/09 07:38:00
d.tom.schmitt@L-3com.com wrote:
Just getting back to this project.
I want the request to come from a standard radius request from another server (or the same server). I was to do some external checks with a bash shell script and then have the script allow or deny access to the user.
I am using the flatfile for user entries. I currently have external scripts that write entries to the flatfile for authentication. I can create a regular entry and have radtest verify that the entry is fine.
I cannot figure what would have to be in that authentication entry to tell radius to execute the script.
See scripts/exec-program-wait Alan DeKok.
You refer to the scripts/exec-program-wait and I read what I could. It is still vague to me. Is there a simple example HOW-TO, etc. showing a simple script (bash shell) That is executed by an entry in a flatfile in radius? I don't need a database for the entries as I build them upon request in the flatfile. This works for a standard radius request with radtest. I found that it must be a 'C' program not a shell script in the comments. I am still unclear if I create a script called 'doit.sh': 1. Do I have to place the script in a certain location? 2. What permissions are required for the script to execute? 3. What do I place in the radiusd.conf file to have the script available and to run it? 4. What would an entry for a user look like to have just that user be sent to the 'doit.sh' script? 5. Is there a location 'default' that would make all users have to run the code for access? I am new at freeRADIUS and currently am very confused. The only thing that needs to come from a radius request is their login - the rest of the credentials will come from a MySql database entry. Password is not even required for a user at this point. I'm sure once this clicks with me, it will go smoothly! Thanks, Tom Schmitt Senior IT Staff - R&D Phone (801) 594-3030 D.Tom.Schmitt@L-3Com.com \\\\||//// \ ~ ~ / | @ @ | --oOo---(_)---oOo-- -----Original Message----- From: freeradius-users-bounces+d.tom.schmitt=l-3com.com@lists.freeradius.org [mailto:freeradius-users-bounces+d.tom.schmitt=l-3com.com@lists.freeradi us.org] On Behalf Of Alan DeKok Sent: Tuesday, November 24, 2009 6:30 AM To: FreeRadius users mailing list Subject: Re: custom script for access d.tom.schmitt@L-3com.com wrote:
Just getting back to this project.
I want the request to come from a standard radius request from another server (or the same server). I was to do some external checks with a bash shell script and then have the script allow or deny access to the user.
I am using the flatfile for user entries. I currently have external scripts that write entries to the flatfile for authentication. I can create a regular entry and have radtest verify that the entry is fine.
I cannot figure what would have to be in that authentication entry to tell radius to execute the script.
See scripts/exec-program-wait Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
d.tom.schmitt@L-3com.com wrote:
You refer to the scripts/exec-program-wait and I read what I could. It is still vague to me. Is there a simple example HOW-TO, etc. showing a simple script (bash shell)
Umm... that file *is* a simple shell script. It contains comments describing how to edit the server configuration in order to run the script.
That is executed by an entry in a flatfile in radius?
Yes... the configuration files are "flat files". See also "man unlang". It describes how to run programs directly from the configuration files.
I found that it must be a 'C' program not a shell script in the comments.
Uh... no. The comments do not say that.
I am still unclear if I create a script called 'doit.sh': 1. Do I have to place the script in a certain location?
It has to be executable by the radius server. Use Unix "pathnames" to point to it.
2. What permissions are required for the script to execute?
Unix execute permissions?
3. What do I place in the radiusd.conf file to have the script available and to run it?
The comments in the sample script try to explain that.
4. What would an entry for a user look like to have just that user be sent to the 'doit.sh' script?
See "man unlang". You will need to create a policy stating this. There are "if" statements, and conditional checks you can do. This is programming, but not very complicated programming.
5. Is there a location 'default' that would make all users have to run the code for access?
Yes. Just follow the comments in the example script. Or, make the "if" condition true for all user.
I am new at freeRADIUS and currently am very confused.
Many of your questions are "unix 101" questions. I suggest a larger familiarity with Unix systems (paths, permissions, etc.) Alan DeKok.
participants (2)
-
Alan DeKok -
d.tom.schmitt@L-3com.com