Exec Module FreeRADIUS Version 2.1.8

Craig Campbell craig.campbell at ccraft.ca
Mon Jan 31 14:17:59 CET 2011


Hi Hollman,

    I too have failed to grasp the nuances of the 'new' exec mechanisms.  In 
the end I admitted defeat, and stuck to the 'old way' - which I fear may 
become deprecated at some point.  In any case, here is what I have done and 
have working at this point.

1. Restore all the config files to their state before your exec 
modifications.

2. In the ..../raddb/users file, add an entry similar to the following..

        DEFAULT Auth-Type := Accept
            Exec-Program-Wait = "/usr/local/sbin/auth -L -X -U  --  %{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}" ,
            Fall-Through = no

3. My program (auth) required some command line parameters (for legacy 
reasons).   Radius dictionary name/value pairs are (should be) stored in the 
environment.  Environment variables are radius dictionary names converted to 
upper case only and all '-' changed to '_' characters.

4. The auth program in my case is responsible for returning (on stdout) all 
the reply Name/Value pairs.  These need to be comma separated.  Beware 
<cr> characters and magically appearing commas.  My code has the following 
comment/warning:

  "/* Need comma separated for freeradius 2.1.8 */
   /* EXCEPT for first value pair - freeradius adds its own comma there for 
some reason..."

A trailing comma seems to be harmless at this point.  I THINK multiple commas 
MAY also be harmless at this point.

If your reply value pairs are constant, you should be able to add them on 
the last line before the "Fall-Through = no" entry.
Your auth program should return 0 for successful authentication, I return 
255 for deny of login.  (Perhaps any non 0 would work.  Cannot recall.)


I would LOVE to understand the NEW and more correct way of achieving the 
same result.

If you figure it out, please let me know how to do it.

Good Luck,
-craig
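
The contract described in steps 3 and 4 above (request attributes read from the environment, reply pairs written comma separated on stdout, exit status 0 to accept and 255 to deny), as an added example that is not part of the original message and is not Craig's auth program. The function names, the allow-list and the reply values are hypothetical, and stripping surrounding double quotes from environment values is an assumption about how the server exports strings.

```python
#!/usr/bin/env python3
"""Sketch of an Exec-Program-Wait helper (added example, hypothetical names)."""
import os
import sys


def env_name(attribute):
    """RADIUS attribute name -> environment variable name, as in step 3."""
    return attribute.upper().replace("-", "_")


def request_value(attribute, environ):
    """Fetch a request attribute from the environment, or None if absent."""
    value = environ.get(env_name(attribute))
    if value is None:
        return None
    # Assumption: string values may arrive wrapped in double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def format_reply(pairs):
    """Join reply pairs with commas on one line, refusing unsafe values."""
    items = []
    for name, value in pairs:
        if isinstance(value, int):
            items.append("%s = %d" % (name, value))
            continue
        # A stray comma, quote or line break would change how the output
        # is split into pairs, so reject it instead of emitting it.
        if any(c in value for c in '\r\n,"'):
            raise ValueError("unsafe character in %s" % name)
        items.append('%s = "%s"' % (name, value))
    return ", ".join(items)


# Constructed allow-list standing in for a real lookup.
ALLOWED_STATIONS = {"00-11-22-33-44-55": "Welcome back"}


def decide(environ):
    """Return (exit_status, stdout_text): 0 accepts, 255 denies."""
    station = request_value("Calling-Station-Id", environ)
    if station is None or station not in ALLOWED_STATIONS:
        return 255, ""
    reply = [("Reply-Message", ALLOWED_STATIONS[station]),
             ("Session-Timeout", 3600)]
    return 0, format_reply(reply)


if __name__ == "__main__":
    status, output = decide(os.environ)
    sys.stdout.write(output)  # no trailing newline or carriage return
    sys.exit(status)
```

Reading User-Password from the environment in the same way keeps it out of the helper's command line, which other local users can see in the process list.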

----- Original Message ----- 
From: "hollman.diaz" <hollman.diaz at gmail.com>
To: <freeradius-users at lists.freeradius.org>
Sent: Sunday, January 30, 2011 8:50 PM
Subject: Exec Module FreeRADIUS Version 2.1.8


>
> Hi everybody
>
> I'm trying to change the Auth-Type attribute with an external application.
> I'm using FreeRADIUS Version 2.1.8 and Ubuntu 10.04
>
> What files should I modify?
> I have tried with:
>
> /etc/freeradius/radiusd.conf:
> ...
> instantiate {
> #
> #  Allows the execution of external scripts.
> #  The entire command line (and output) must fit into 253 bytes.
> #
> #  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
> exec ven{
> wait = yes
>                program = "/etc/disconnect/php return.php
> %{Calling-Station-Id}"
> input_pairs = request
>                output_pairs = reply
>                shell_escape = yes
> }
>
> /etc/freeradius/sites-enabled/default
> post-auth {
> ...
> exec ven{
> wait = yes
>                program = "/etc/disconnect/php return.php
> %{Calling-Station-Id}"
> input_pairs = request
>                output_pairs = reply
>                shell_escape = yes
> }
>
> /etc/freeradius/modules/exec
> ...
> #  See also "echo" for more sample configuration.
> #
> exec ven{
> wait = yes
>                program = "/etc/disconnect/php return.php
> %{Calling-Station-Id}"
> input_pairs = request
>                output_pairs = reply
>                shell_escape = yes
> }
>
> And /etc/freeradius/users:
> ...
> DEFAULT        Auth-Type := '%{exec:/etc/disconnect/php return.php
> %{Calling-Station-Id}}'
>                      Fall-Through = No
>
> External application is /etc/disconnect/return.php and it returns Accept 
> or
> Reject values.
>
> I have read several forums but I do not understand the procedure. I would
> appreciate a step by step procedure :)
>
>
> Running freeradius -X, I get (with no modifications in
> /etc/freeradius/users):
> ...
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> /etc/freeradius/sites-enabled/default[464]: Failed to find module "exec".
> /etc/freeradius/sites-enabled/default[435]: Errors parsing post-auth
> section.
>
> Line 464 is
> exec ven{
>
> and line 435 is
> post-auth {
>
> Thanks in advance,
>
> Hollman Diaz
> -- 
> View this message in context: 
> http://freeradius.1045715.n5.nabble.com/Exec-Module-FreeRADIUS-Version-2-1-8-tp3363953p3363953.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.

