Question regarding external script authentication
Patric
patrict at bluebottle.com
Fri May 18 14:11:06 CEST 2007
As per my ramblings below, I ran the server in debug level 3, and one
can see that it is the correct DEFAULT entry that it is picking up :
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=80,
length=139
Framed-Protocol = PPP
User-Name = "test at realm.com"
User-Password = "TestUser"
NAS-Port-Type = Virtual
NAS-Port = 1234567890
NAS-Port-Id = "1/1/1/1.1"
Connect-Info = "AutoShapedVC"
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.xxx.xxx
Proxy-State = 0x3439
Fri May 18 13:39:07 2007 : Debug: Processing the authorize section of
radiusd.conf
Fri May 18 13:39:07 2007 : Debug: modcall: entering group authorize for
request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module
"preprocess" returns ok for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling chap
(rlm_chap) for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from
chap (rlm_chap) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "chap"
returns noop for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling mschap
(rlm_mschap) for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from
mschap (rlm_mschap) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "mschap"
returns noop for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling suffix
(rlm_realm) for request 21
Fri May 18 13:39:07 2007 : Debug: rlm_realm: Looking up realm
"realm.com" for User-Name = "test at realm.com"
Fri May 18 13:39:07 2007 : Debug: rlm_realm: No such realm "realm.com"
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from
suffix (rlm_realm) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "suffix"
returns noop for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling eap
(rlm_eap) for request 21
Fri May 18 13:39:07 2007 : Debug: rlm_eap: No EAP-Message, not doing EAP
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from
eap (rlm_eap) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "eap"
returns noop for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling files
(rlm_files) for request 21
*Fri May 18 13:39:07 2007 : Debug: users: Matched entry DEFAULT at
line 54*
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from
files (rlm_files) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "files"
returns ok for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling
exec-radauth (rlm_exec) for request 21
Fri May 18 13:39:07 2007 : Debug: radius_xlat: 'u:test at realm.com'
Fri May 18 13:39:07 2007 : Debug: radius_xlat: 'p:TestUser'
Fri May 18 13:39:07 2007 : Debug: radius_xlat: 'n:1234567890'
Fri May 18 13:39:07 2007 : Debug: radius_xlat: 't:Virtual'
Fri May 18 13:39:07 2007 : Debug: Exec-Program output:
Fri May 18 13:39:07 2007 : Debug: Exec-Program: returned: 1
Fri May 18 13:39:07 2007 : Error: rlm_exec (exec-radauth): External
script failed
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from
exec-radauth (rlm_exec) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module
"exec-radauth" returns fail for request 21
Fri May 18 13:39:07 2007 : Debug: modcall: leaving group authorize
(returns fail) for request 21
Fri May 18 13:39:07 2007 : Debug: Finished request 21
Fri May 18 13:39:07 2007 : Debug: Going to the next request
Fri May 18 13:39:07 2007 : Debug: --- Walking the entire request list ---
Fri May 18 13:39:07 2007 : Debug: Waking up in 3 seconds...
Line 54 of my users file contains :
DEFAULT Auth-Type = Accept
I don't know if that helps at all, but this one has me well and truly
stumped... :~[
Patrick
Patric wrote:
> A.L.M.Buxey at lboro.ac.uk wrote:
>> you have various other attributes in your real production system - perhaps
>> you have matching DEFAULT values (eg in users file) which are aiding the
>> access accept?
>
> If that were the case, then wouldn't this eliminate the problem:
>
> My radiusd.conf authorize section contains only this :
>
> authorize {
> files
> exec-radauth
> }
>
> My users file contains only this :
>
> DEFAULT Auth-Type = Accept
>
>
> If I understand it correctly this would mean that the only
> authentication done is by my script.
> I did the above on the production server, but I am still not returning
> an access-reject...
>
> I have now also upgraded freeradius on the production server to 1.1.6,
> also with the same result - no access-reject returned...
>
> I am now at a loss as to where else to look, but I suspect it's some kind
> of config setting. Where? I don't know :[
>
> Thanks guys
> Patrick
>
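A triage helper for debug output like the log in this message, added here as an example and not part of the original post or of FreeRADIUS: it rejoins the mail-wrapped lines and reports, per request, each module's return code, the exit status logged by Exec-Program, and the first module that stopped the section. The function names and the set of return codes treated as stopping are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the post's debug output, mail line wraps kept.
SAMPLE = """\
*Fri May 18 13:39:07 2007 : Debug: users: Matched entry DEFAULT at
line 54*
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "files"
returns ok for request 21
Fri May 18 13:39:07 2007 : Debug: Exec-Program: returned: 1
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module
"exec-radauth" returns fail for request 21
Fri May 18 13:39:07 2007 : Debug: modcall: leaving group authorize
(returns fail) for request 21
"""

STAMP = re.compile(r"^\*?[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} [\d:]{8} \d{4} : ")
MODULE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
GROUP = re.compile(r"modcall: leaving group (\w+) \(returns (\w+)\) for request (\d+)")
EXIT = re.compile(r"Exec-Program: returned: (-?\d+)")
STOPPING = {"fail", "reject", "invalid", "userlock"}  # assumption: rcodes this helper flags

def unwrap(text):
    """Rejoin wrapped lines: a line with no timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def trace(text):
    """Map request id -> module results, section results, first stopping module."""
    out = defaultdict(lambda: {"modules": [], "sections": {}, "stopped_by": None})
    exit_status = None
    for rec in unwrap(text):
        if m := EXIT.search(rec):
            exit_status = int(m.group(1))  # attaches to the next module result
        elif m := MODULE.search(rec):
            section, module, rcode, req = m.groups()
            out[req]["modules"].append((section, module, rcode, exit_status))
            if rcode in STOPPING and not out[req]["stopped_by"]:
                out[req]["stopped_by"] = module
            exit_status = None
        elif m := GROUP.search(rec):
            out[m.group(3)]["sections"][m.group(1)] = m.group(2)
    return dict(out)
```

Calling `trace()` on the full `radiusd` debug output gives one entry per request id, which makes it quick to see that the script's exit status 1 surfaced as `fail` for the whole authorize section.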