[rad] Re: Problem with external authentication script

Stefan Kuegler freeradius at kuegler.org
Thu Jun 18 23:17:36 CEST 2009


Hello to all.

> Try moving the user1 line before the DEFAULT (and reverse the 'fall 
> through' specifications)....

Thank you Charles for your advice.
But the problem in this case is: If I move the user-lines before
DEFAULT, freeradius tries to authenticate with any other Auth-Method,
except MOTP.

[...]
rad_recv: Access-Request packet from host 192,168.82.41 port 33260,
id=216, length=58
	User-Name = "user1"
	User-Password = "aa8809"
	NAS-IP-Address = 192,168.82.41
	NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
     rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
     rlm_realm: No such realm "NULL"
++[suffix] returns noop
   rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
     users: Matched entry user1 at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
auth: type Crypt
auth: Failed to validate the user.
Login incorrect: [user1/aa8809] (from client 192,168.82.41 port 0)
   Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> user1
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
[...]

So, it seems that I have to use the DEFAULT-line at first to use MOTP as
the default Auth-Type.

But now some new good news: After changing the module configuration in
radiusd.conf to

exec motp {
   wait = yes
   program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{control:Secret} %{control:PIN} %{control:Offset}"
   input_pairs = request
   output_pairs = config
}

...tested with radtest, everything works fine (thank you, Ivan) :-)

auth: type "MOTP"
+- entering group MOTP
	expand: %{User-Name} -> user1
	expand: %{User-Password} -> eaec5f
	expand: %{control:Secret} -> 143a5c6fa125ac1f
	expand: %{control:PIN} -> 1234
	expand: %{control:Offset} -> 0
Exec-Program output: ACCEPT
Exec-Program-Wait: plaintext: ACCEPT
Exec-Program: returned: 0
++[motp] returns ok



What a nice adventure...

Now, I have another problem with mod_auth_radius. But this is another 
story.

Best regards,
Stefan
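
Added example (not part of Stefan's message and not the otpverify.sh script itself): a sketch of the check an external verifier has to perform for the five arguments in the program line above, using the public Mobile-OTP rule that the token is the first 6 hex digits of MD5(epoch/10 + secret + PIN). The function names, the 180-second acceptance window, the offset unit (seconds) and the in-memory replay set are assumptions.

```python
#!/usr/bin/env python3
"""Constructed Mobile-OTP check, called as: verify.py USER OTP SECRET PIN OFFSET"""
import hashlib
import hmac
import sys
import time

WINDOW_SECONDS = 180   # assumption: accept tokens up to 3 minutes behind or ahead
STEP = 10              # Mobile-OTP changes the token every 10 seconds


def motp(secret, pin, epoch):
    """Token for one time step: first 6 hex digits of MD5(step + secret + PIN)."""
    material = f"{int(epoch) // STEP}{secret}{pin}"
    return hashlib.md5(material.encode()).hexdigest()[:6]


def verify(otp, secret, pin, offset=0, now=None, used=None):
    """True if otp matches a step inside the window and was not accepted before.

    offset: token clock offset (the page's control:Offset; seconds assumed).
    used:   optional set of (step, otp) pairs already accepted (replay check).
    """
    now = int(time.time() if now is None else now) + int(offset)
    candidate = otp.strip().lower().encode()
    for t in range(now - WINDOW_SECONDS, now + WINDOW_SECONDS + 1, STEP):
        # compare_digest does not reveal how many leading characters matched
        if hmac.compare_digest(motp(secret, pin, t).encode(), candidate):
            key = (t // STEP, candidate)
            if used is not None:
                if key in used:
                    return False      # same token presented twice
                used.add(key)
            return True
    return False


if __name__ == "__main__":
    if len(sys.argv) != 6:
        print("FAIL")
        sys.exit(2)
    _user, otp, secret, pin, offset = sys.argv[1:]
    ok = verify(otp, secret, pin, offset)
    # exit status 0 is what the debug output above shows for the accepted login
    print("ACCEPT" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

A real deployment has to keep the replay set on disk, because the exec module starts a new process for every request.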



