XT Radius to Free Radius
Stefan Winter
stefan.winter at restena.lu
Thu Sep 7 20:35:33 CEST 2006
Hi,
> We did try your suggestion before posting back and you can enter any
> password and it will accept it. We tried it again and here is the output:
>
> rad_recv: Access-Request packet from host 192.168.1.1:1224, id=1, length=84
> User-Name = "user at adslgateway.co.uk"
> User-Password = "kjhtlhrfrdjkshgfdhkgj"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok for request 1
> modcall[authorize]: module "chap" returns noop for request 1
> modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: Looking up realm "adslgateway.co.uk" for User-Name =
> "user at adslgateway.co.uk"
> rlm_realm: No such realm "adslgateway.co.uk"
> modcall[authorize]: module "suffix" returns noop for request 1
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 1
> users: Matched DEFAULT at 4
> radius_xlat: '/etc/raddb/checkpassword.pl user at adslgateway.co.uk
> kjhtlhrfrdjkshgfdhkgj'
> modcall[authorize]: module "files" returns ok for request 1
> modcall: group authorize returns ok for request 1
> rad_check_password: Found Auth-Type Accept
> rad_check_password: Auth-Type = Accept, accepting the user
> radius_xlat: '/etc/raddb/checkpassword.pl user at adslgateway.co.uk
> kjhtlhrfrdjkshgfdhkgj'
> Exec-Program: /etc/raddb/checkpassword.pl user at adslgateway.co.uk
> kjhtlhrfrdjkshgfdhkgj
> Sending Access-Accept of id 1 to 192.168.1.1:1224
> Finished request 1
>
>
> You will note that from our original post our password was "test".
>
> Any ideas?

Well, according to the README you should be using Exec-Program-Wait, not
Exec-Program. Then your script must simply return with a non-zero return code
if his password is wrong and the user will be denied access.

For your convenience, here's the relevant section of the README file that
accompanies FreeRADIUS:

    The output from Exec-Program-Wait is parsed by the radius server. If
    it looks like Attribute/Value pairs, they are decoded and added to the
    reply sent to the NAS. This way, you can for example set Session-Timeout.
    If Exec-Program-Wait returns a non-zero exit status, access will be
    denied to the user. With a zero-exit status, access is granted.

Greetings,
Stefan Winter
--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
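
The exit-status contract from the README excerpt above, as an added example that is not part of the original message and not FreeRADIUS code: a Python stand-in for the thread's checkpassword.pl that takes user and password as its two arguments, the way the radius_xlat line in the log passes them. The user store, salt, iteration count and Session-Timeout value are constructed for illustration.

```python
#!/usr/bin/env python3
"""Password check helper for use with Exec-Program-Wait (added example)."""
import hashlib
import hmac
import sys

ITERATIONS = 100_000  # assumed PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: user -> (salt, PBKDF2 hash). The password "test"
# is the one mentioned in the thread; a real deployment reads its own backend.
_SALT = b"constructed-salt"
USERS = {"user@example.org": (_SALT, hash_password("test", _SALT))}


def check(argv):
    """Return (exit_status, stdout_text) for the arguments the server passes."""
    if len(argv) != 2:
        return 1, ""  # fail closed: wrong argument count means deny
    user, password = argv
    # Unknown users are hashed against a dummy entry so that both paths do
    # the same amount of work before denying.
    salt, expected = USERS.get(user, (_SALT, b"\0" * 32))
    supplied = hash_password(password, salt)
    if not (hmac.compare_digest(supplied, expected) and user in USERS):
        return 1, ""  # non-zero exit status: the server denies access
    # Zero exit status grants access; stdout that looks like Attribute/Value
    # pairs is added to the reply, as the README excerpt describes.
    return 0, "Session-Timeout = 3600\n"


def main():
    # Note: arguments passed this way are visible in the process listing
    # while the helper runs.
    status, out = check(sys.argv[1:])
    sys.stdout.write(out)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

With Exec-Program, as in the log above, the server does not wait for this status, and Auth-Type = Accept lets every password through.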