Problem writing config attributes from script

Yannick Deltroo deltroo at gmail.com
Wed Dec 21 11:32:34 CET 2005


Hereafter is the debug output for an access request (freeradius 1.0.5).
My external script "authorize_prepaid_account" writes this to the output:
Post-auth-Type := new_prepaid_account
Password == test

However these config attributes are not taken into account for
processing by other modules. The chap authentication module does not
see any password.
Which is actually true: my second dump script just dumps the config
attributes ... there's no Post-Auth-Type or Password attribute.

I guess my output format is not correct, and not parsed by freeradius.
What should be the output format for config attributes?

Thanks for your help

====================================================
Starting - reading configuration files ...
....

Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
......
 exec: wait = yes
 exec: program = "/etc/raddb/scripts/authorize %{User-Name}"
 exec: input_pairs = "request"
 exec: output_pairs = "config"
 exec: packet_type = "Access-Request"
Module: Instantiated exec (authorize_prepaid_account)
.....
 exec: wait = yes
 exec: program = "/etc/raddb/scripts/dump %{User-Name}"
 exec: input_pairs = "config"
 exec: output_pairs = "reply"
 exec: packet_type = "Access-Request"
Module: Instantiated exec (dump)
.....
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.0.2:2121, id=0, length=240
	User-Name = "prepaid1"
	CHAP-Challenge = 0x4f8d8594b5f54d2ed0b4d5e2677cf6f7
	CHAP-Password = 0x00427a8e6d6f41280fd0974fbbab1f4fcc
	NAS-IP-Address = 0.0.0.0
	Service-Type = Login-User
	Framed-IP-Address = 192.168.182.13
	Calling-Station-Id = "00-04-23-6C-89-87"
	Called-Station-Id = "00-0F-66-A3-24-71"
	NAS-Identifier = "deltroo_1"
	Acct-Session-Id = "43a926ed00000000"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 0
	Message-Authenticator = 0xf7d949b9e72693fe8c1f85e47afe3131
	WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/172.16.0.2/auth-detail-20051221'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to ....
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
radius_xlat:  '/etc/raddb/scripts/authorize prepaid1'
Exec-Program: /etc/raddb/scripts/authorize prepaid1
Exec-Program output: Post-Auth-Type := new_prepaid_account Password == test
Exec-Program-Wait: plaintext: Post-Auth-Type := new_prepaid_account
Password == test
Exec-Program: returned: 0
  modcall[authorize]: module "authorize_prepaid_account" returns ok
for request 0
    users: Matched entry DEFAULT at line 148
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'prepaid1'
rlm_sql (sql): sql_set_user escaped user --> 'prepaid1'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'prepaid1' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User prepaid1 not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM .....
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM .....
rlm_sql (sql): User prepaid1 not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound for request 0
radius_xlat:  '/etc/raddb/scripts/dump prepaid1'
Exec-Program: /etc/raddb/scripts/dump prepaid1
Exec-Program output: Reply-Message += " Dump script executed "
Exec-Program-Wait: value-pairs: Reply-Message += " Dump script executed "
Exec-Program: returned: 0
  modcall[authorize]: module "dump" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by "prepaid1" with CHAP password
  rlm_chap: Could not find clear text password for user prepaid1
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available):
[prepaid1/<CHAP-Password>] (from client WRT54G port 0 cli
00-04-23-6C-89-87)
rad_lowerpair:  User-Name now 'prepaid1'
rad_rmspace_pair:  User-Name now 'prepaid1'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/172.16.0.2/auth-detail-20051221'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to ....
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
radius_xlat:  '/etc/raddb/scripts/authorize prepaid1'
Exec-Program: /etc/raddb/scripts/authorize prepaid1
Exec-Program output: Post-Auth-Type := new_prepaid_account Password == test
Exec-Program-Wait: plaintext: Post-Auth-Type := new_prepaid_account
Password == test
Exec-Program: returned: 0
  modcall[authorize]: module "authorize_prepaid_account" returns ok
for request 0
    users: Matched entry DEFAULT at line 148
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'prepaid1'
rlm_sql (sql): sql_set_user escaped user --> 'prepaid1'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'prepaid1' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User prepaid1 not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM ...
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM ...
rlm_sql (sql): User prepaid1 not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns notfound for request 0
radius_xlat:  '/etc/raddb/scripts/dump prepaid1'
Exec-Program: /etc/raddb/scripts/dump prepaid1
Exec-Program output: Reply-Message += " Dump script executed "
Exec-Program-Wait: value-pairs: Reply-Message += " Dump script executed "
Exec-Program: returned: 0
  modcall[authorize]: module "dump" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by "prepaid1" with CHAP password
  rlm_chap: Could not find clear text password for user prepaid1
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available):
[prepaid1/<CHAP-Password>] (from client WRT54G port 0 cli
00-04-23-6C-89-87)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.16.0.2:2121, id=0, length=240
Sending Access-Reject of id 0 to 172.16.0.2:2121
	Reply-Message += " Dump script executed "
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 43a92a36
Nothing to do.  Sleeping until we see a request.
====================================================

On 12/21/05, Alan DeKok <aland at ox.org> wrote:
> Ignacio DelTroo <deltroo at gmail.com> wrote:
> > It seems that my authorization script cannot write anything beyond
> > Password. It works fine when it just outputs Password="XXXX".
> > For instance, if it writes Post-Auth-Type= create_prepaid_account and
> > Password = "XXX"  to config attributes, the chap authentication
> > module does not get anything (log says clear text password not
> > available)
>
>   It would help to show *precisely* what is going on.  i.e. debug mode.
>
>   Alan Dekok.
>
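
The debug output above logs the two scripts' results differently: the authorize script's output appears on an "Exec-Program-Wait: plaintext:" line, while the dump script's output appears on an "Exec-Program-Wait: value-pairs:" line. The following Python is an added example, not part of the original post and not FreeRADIUS code; it picks those lines out of a debug log and lists the script runs whose output was logged as plaintext. The function names are hypothetical and the sample is an excerpt of the log quoted in the post.

```python
import re

# Excerpt of the debug output quoted in the post (FreeRADIUS 1.0.5 format).
SAMPLE_LOG = """\
Exec-Program: /etc/raddb/scripts/authorize prepaid1
Exec-Program output: Post-Auth-Type := new_prepaid_account Password == test
Exec-Program-Wait: plaintext: Post-Auth-Type := new_prepaid_account
Password == test
Exec-Program: returned: 0
Exec-Program: /etc/raddb/scripts/dump prepaid1
Exec-Program output: Reply-Message += " Dump script executed "
Exec-Program-Wait: value-pairs: Reply-Message += " Dump script executed "
Exec-Program: returned: 0
"""

RETURNED = re.compile(r"^Exec-Program: returned: (-?\d+)$")
STARTED = re.compile(r"^Exec-Program: (?!returned:)(.+)$")
WAIT = re.compile(r"^Exec-Program-Wait: (plaintext|value-pairs): ?(.*)$")

def exec_results(log_text):
    """Return one dict per script run: command, how its output was logged, exit code."""
    runs, current, in_output = [], None, False
    for line in log_text.splitlines():
        if m := RETURNED.match(line):
            if current is not None:
                current["exit_code"] = int(m.group(1))
                runs.append(current)
            current, in_output = None, False
        elif m := STARTED.match(line):
            current = {"command": m.group(1), "kind": None, "output": "", "exit_code": None}
            in_output = False
        elif current is not None and (m := WAIT.match(line)):
            current["kind"], current["output"] = m.group(1), m.group(2)
            in_output = True
        elif current is not None and in_output:
            # Output spanning several lines continues until the "returned" line.
            current["output"] += "\n" + line
    return runs

def unparsed_runs(log_text):
    """Runs whose output the server logged as plaintext instead of value-pairs."""
    return [r for r in exec_results(log_text) if r["kind"] == "plaintext"]

if __name__ == "__main__":
    for run in unparsed_runs(SAMPLE_LOG):
        print(f"logged as plaintext: {run['command']!r} -> {run['output']!r}")
```
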



