[rad] Re: Problem with external authentication script

Stefan Kuegler freeradius at kuegler.org
Wed Jun 17 21:25:38 CEST 2009

Hello Ivan.

> Forcing Auth-Type in users file should work.
Thanks for this advice. I changed my users file to use MOTP as the
DEFAULT-Auth-Type (first entry of the users file).

DEFAULT   Auth-Type = MOTP
	  Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}'
'%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}'",
           Fall-Through = yes

user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0

This part of my problem seems to be solved. Freeradius now uses MOTP as
the Auth-Type.

But the "old" problem is always present: freeradius doesn't call the
external authentication script (otpverify.sh) with the needed arguments
(Secret, PIN and Offset):

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host port 1026,
id=35, length=77
	User-Name = "user1"
	User-Password = "secret"
	Service-Type = Authenticate-Only
	NAS-Identifier = "linux.local"
	NAS-IP-Address =
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
     rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
     rlm_realm: No such realm "NULL"
++[suffix] returns noop
   rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
     users: Matched entry DEFAULT at line 2
	expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}'
'%{Secret}' '%{PIN}' '%{Offset}' -> /usr/local/bin/otpverify.sh 'user1'
'secret' '' '' ''
     users: Matched entry user1 at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
   rad_check_password:  Found Auth-Type MOTP
auth: type "MOTP"
+- entering group MOTP
	expand: %{User-Name} -> user1
	expand: %{User-Password} -> secret
	expand: %{Secret} ->
	expand: %{PIN} ->
	expand: %{Offset} ->
expr: syntax error
Usage: printf [ options ] format [string ...]
Exec-Program output: FAIL
Exec-Program-Wait: plaintext: FAIL
Exec-Program: returned: 1
++[motp] returns reject
auth: Failed to validate the user.
Login incorrect: [user1/secret] (from client port 0)
   Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> user1
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

Any ideas ??

Thank you all,


More information about the Freeradius-Users mailing list