custom script for access

d.tom.schmitt at L-3com.com d.tom.schmitt at L-3com.com
Tue Nov 24 00:49:24 CET 2009


Just getting back to this project.

I want the request to come from a standard radius request from another server (or the same server).
I want to do some external checks with a bash shell script and then have the script allow or deny access to the user.

I am using the flatfile for user entries.
I currently have external scripts that write entries to the flatfile for authentication.
I can create a regular entry and have radtest verify that the entry is fine.

I cannot figure out what would have to be in that authentication entry to tell radius to execute the script.
Also, I assume that the script must be set up in a config file so that it can be called on just these special accounts (not all accounts).

The shell script works and is tested when you run it manually.

The description of a script that would return ODD and EVEN - allow and deny access
was just a simple example trying to explain the challenge.

I am trying to give as much info as possible - I upgraded a second system to CentOS 5.3, FreeRADIUS 2.1.7 (was running 1.1.3).

Sorry, maybe I am not describing the situation well enough.

         Thanks,
         
         Tom Schmitt
         Senior IT Staff - R&D
         Phone (801) 594-3030
         Cell      (801) 231-7230


-----Original Message-----
From: freeradius-users-bounces+d.tom.schmitt=l-3com.com at lists.freeradius.org [mailto:freeradius-users-bounces+d.tom.schmitt=l-3com.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, October 29, 2009 4:55 AM
To: FreeRadius users mailing list
Subject: Re: custom script for access

d.tom.schmitt at L-3com.com wrote:
> *I tried to post a similar message on the 26th of October but got no
> responses – thought maybe I messed it up as my first posting.*

  Or no one was sure how to help.

> I then need to have freeRADIUS call a bash shell (or Perl) script that
> checks additional credentials before allowing or rejecting the user’s
> access.

  This can be done.  See scripts/exec-program-wait.  (At least, I think
that's where it is in 1.1.3)

> This check can take multiple seconds to complete so I don’t want the
> original radius request to timeout (not sure if it will though).

  It won't, but it's a *bad* idea to take that long for authentication.

> An easy script for testing could be as simple as:
>
>     If the minute is EVEN = allow in and say an appropriate message
>
>     If the minute is ODD  = do not allow access and say an appropriate message
>
> I have read most of the .conf files but am still confused about proxy,
> etc. 

  You're not proxying, so it doesn't matter.

> Is there a HOW-TO that shows a simple script example?

  In 2.1.7, it's in scripts/exec-program-wait.

  Alan DeKok.
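
An added example of the kind of accept/reject hook script this thread asks about; it is not part of the original messages and not code from the FreeRADIUS distribution. It assumes the server treats exit status 0 as accept and non-zero as reject, reads the script's stdout as reply attributes, and supplies the user name in a `USER_NAME` environment variable; `radius_gate`, `reply_message`, `CHECK_TIMEOUT` and the check path are hypothetical names.

```shell
#!/bin/sh
# Added example, not FreeRADIUS project code. Assumed hook contract:
# exit 0 = accept, non-zero = reject; stdout lines are reply attributes.

CHECK_TIMEOUT=${CHECK_TIMEOUT:-3}   # seconds allowed for the external check

# Print one Reply-Message pair, dropping characters that break the quoting.
reply_message() {
    printf 'Reply-Message = "%s"\n' "$(printf '%s' "$1" | tr -d '"\\\n\r')"
}

# radius_gate USERNAME CHECK_CMD [ARGS...]
# Runs CHECK_CMD ARGS... USERNAME and maps its result to accept/reject.
radius_gate() {
    [ "$#" -ge 2 ] || { reply_message "Access denied: no check configured"; return 1; }
    user=$1; shift
    # Assumption: the server may pass string values wrapped in double quotes.
    user=${user#\"}; user=${user%\"}

    # Allowlist the name before it reaches any command line; reject otherwise.
    case $user in
        ''|*[!A-Za-z0-9._@-]*)
            reply_message "Access denied: malformed user name"
            return 1 ;;
    esac

    # Bound the check so a hung dependency rejects instead of stalling auth.
    if command -v timeout >/dev/null 2>&1; then
        timeout "$CHECK_TIMEOUT" "$@" "$user" >/dev/null 2>&1
    else
        "$@" "$user" >/dev/null 2>&1
    fi
    rc=$?

    if [ "$rc" -eq 0 ]; then
        reply_message "Access granted for $user"
        return 0
    elif [ "$rc" -eq 124 ]; then   # coreutils timeout: deadline expired
        reply_message "Access denied: check timed out"
    else
        reply_message "Access denied: additional check failed"
    fi
    return 1                       # every non-success path fails closed
}

# Entry point when installed as the hook (hypothetical check path):
#   radius_gate "${USER_NAME:-}" /usr/local/bin/extra-check; exit $?
```

The even/odd-minute test from the original question would be one such external check command, returning 0 on an even minute and 1 otherwise.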