Question regarding external script authentication

Patric patrict at bluebottle.com
Fri May 18 08:56:54 CEST 2007


Alan DeKok wrote:
> Patric wrote:
>> I just want to clarify, if I set the reject_delay to 0, and in my 
>> external script the only thing I do is "exit(1);", then freeradius will 
>> return a reject response to the NAS?
> 
>   It will send a reject to the NAS.

Sorry if I'm flogging a dead horse here...
I furthered my investigation and found the following interesting results:

After making reject_delay = 0, I ran the freeradius in debug mode on my 
test environment to see what happens, and indeed it does return an 
Access-Reject:

...
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=12, length=95
         User-Name = "test at realm.com"
         User-Password = "TestUser"
         NAS-IP-Address = 255.255.255.255
         NAS-Port = 100
         NAS-Port-Type = Virtual
Exec-Program: /usr/local/freeradius/radauth.php -- u:test at realm.com 
p:TestUser n:100 t:Virtual
Exec-Program: returned: 1
rlm_exec (exec-radauth): External script failed
Sending Access-Reject of id 12 to 127.0.0.1 port 32770
...

All of the above is spot on!

Now riddle me this:
When I make the same changes to my production server and run it in debug 
mode it does all of the above *except* return the Access-Reject!

...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=83, 
length=140
         Framed-Protocol = PPP
         User-Name = "test at realm.com"
         User-Password = "TestUser"
         NAS-Port-Type = Virtual
         NAS-Port = 1010101010
         NAS-Port-Id = "x/x/x/xx.xxx"
         Connect-Info = "AutoShapedVC"
         Service-Type = Framed-User
         NAS-IP-Address = xxx.xxx.xxx.xxx
         Proxy-State = 0x323037
Exec-Program: /usr/local/freeradius/radauth.php -- u:test at realm.com 
p:TestUser n:1010101010 t:Virtual
Exec-Program: returned: 1
rlm_exec (exec-radauth): External script failed
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=170, 
length=140
...

As you can see, it goes on to the next access request. I did let the debug 
run longer, but after a minute there was still no Access-Reject.

Test environment is running:

CentOS release 4.4 (Final)
2.6.16.33-xen_3.0.4.1 #1 SMP Fri Jan 5 10:40:15 EST 2007 i686 i686 i386 
GNU/Linux

radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on 
Oct  5 2006 at 10:52:23


Production environment is running:

Red Hat Enterprise Linux ES release 3 (Taroon Update 8)
2.4.21-40.EL #1 Wed Mar 15 14:30:04 EST 2006 i686 i686 i386 GNU/Linux

radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built 
on Sep 20 2006 at 14:13:13


I have searched through the conf file and docs and googled this but I 
can't find any reason why the server is not returning the Access-Reject.

Any ideas?

Thanks again
Patrick
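
The comparison made by eye in the message above can be run over a whole debug capture. The following is an added example, not part of the original post or of FreeRADIUS: it pairs each rad_recv Access-Request with a later "Sending Access-..." line for the same host, port and id, and lists the requests that never got a reply along with the external script's exit code. The function name and the sample log are constructed for illustration, and it assumes debug mode handles one request at a time.

```python
import re

# Constructed sample modelled on the two debug excerpts in the post;
# 192.0.2.10 is a placeholder for the masked production NAS address.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=12, length=95
Exec-Program: returned: 1
rlm_exec (exec-radauth): External script failed
Sending Access-Reject of id 12 to 127.0.0.1 port 32770
rad_recv: Access-Request packet from host 192.0.2.10:1820, id=83,
length=140
Exec-Program: returned: 1
rlm_exec (exec-radauth): External script failed
rad_recv: Access-Request packet from host 192.0.2.10:1820, id=170,
length=140
"""

RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+):(\d+), id=(\d+)")
EXEC_RC = re.compile(r"Exec-Program: returned: (-?\d+)")
SENT = re.compile(r"Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")

def unanswered_requests(debug_log):
    """Return [(host, port, id, script_exit_code)] for requests with no reply.

    Assumes debug mode handles one request at a time, so an Exec-Program
    result belongs to the most recent rad_recv line.
    """
    pending = {}      # (host, port, id) -> exit code of the external script
    current = None
    for line in debug_log.splitlines():
        m = RECV.search(line)
        if m:
            current = (m.group(1), int(m.group(2)), int(m.group(3)))
            pending[current] = None
        elif (m := EXEC_RC.search(line)) and current in pending:
            pending[current] = int(m.group(1))
        elif m := SENT.search(line):
            # A reply of any type clears the matching request.
            pending.pop((m.group(3), int(m.group(4)), int(m.group(2))), None)
    return [key + (rc,) for key, rc in pending.items()]

if __name__ == "__main__":
    for host, port, req_id, rc in unanswered_requests(SAMPLE):
        print(f"no reply: id={req_id} from {host}:{port}, script exit={rc}")
```

The last request in a truncated capture is always listed, because its reply, if any, falls outside the excerpt.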
