Outpairs not working on external script when user is located in MYSQL

Thomas Raabo - Zitcom A/S tr at zitcom.dk
Mon Oct 8 23:56:31 CEST 2012


Need some help getting my external script to work.

Here is my External module

exec MOTP {
        wait = yes
        program = "/etc/raddb/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:Pin} %{reply:Offset}"
        input_pairs = request
        output_pairs = reply
}


From radcheck

(211, 'test', 'Pin', ':=', '0201'),
(212, 'test', 'Secret', ':=', '43ab97e05b3a11cb'),
(213, 'test', 'Offset', ':=', '0'),
(214, 'test', 'Auth-Type', ':=', 'External');

Output from debug.

rad_recv: Access-Request packet from host 172.16.24.4 port 38043, id=190, length=74
        User-Name = "test"
        User-Password = "ce3e3e3ebdbf"
        NAS-IP-Address = 172.16.24.4
        NAS-Port = 1
        Message-Authenticator = 0x3492fb805715bd7da5ec0371282f71b5
Mon Oct  8 23:52:57 2012 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Mon Oct  8 23:52:57 2012 : Info: +- entering group authorize {...}
Mon Oct  8 23:52:57 2012 : Info: ++[preprocess] returns ok
Mon Oct  8 23:52:57 2012 : Info: ++[chap] returns noop
Mon Oct  8 23:52:57 2012 : Info: ++[mschap] returns noop
Mon Oct  8 23:52:57 2012 : Info: [suffix] No '@' in User-Name = "test", looking up realm NULL
Mon Oct  8 23:52:57 2012 : Info: [suffix] No such realm "NULL"
Mon Oct  8 23:52:57 2012 : Info: ++[suffix] returns noop
Mon Oct  8 23:52:57 2012 : Info: [eap] No EAP-Message, not doing EAP
Mon Oct  8 23:52:57 2012 : Info: ++[eap] returns noop
Mon Oct  8 23:52:57 2012 : Info: ++[unix] returns notfound
Mon Oct  8 23:52:57 2012 : Info: ++[files] returns noop
Mon Oct  8 23:52:57 2012 : Info: [sql]  expand: %{User-Name} -> test
Mon Oct  8 23:52:57 2012 : Info: [sql] sql_set_user escaped user --> 'test'
Mon Oct  8 23:52:57 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Mon Oct  8 23:52:57 2012 : Info: [sql]  expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'test'           ORDER BY id
Mon Oct  8 23:52:57 2012 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'test'           ORDER BY id
Mon Oct  8 23:52:57 2012 : Info: [sql] User found in radcheck table
Mon Oct  8 23:52:57 2012 : Info: [sql]  expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'test'           ORDER BY id
Mon Oct  8 23:52:57 2012 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'test'           ORDER BY id
Mon Oct  8 23:52:57 2012 : Info: [sql]  expand: SELECT groupname           FROM usergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM usergroup           WHERE username = 'test'           ORDER BY priority
Mon Oct  8 23:52:57 2012 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM usergroup           WHERE username = 'test'           ORDER BY priority
Mon Oct  8 23:52:57 2012 : Info: [sql]  expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'test'           ORDER BY id
Mon Oct  8 23:52:57 2012 : Debug: rlm_sql_mysql: query:  SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'test'           ORDER BY id
Mon Oct  8 23:52:57 2012 : Info: [sql] User found in group test
Mon Oct  8 23:52:57 2012 : Info: [sql]  expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'test'           ORDER BY id
Mon Oct  8 23:52:57 2012 : Debug: rlm_sql_mysql: query:  SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'test'           ORDER BY id
Mon Oct  8 23:52:57 2012 : Debug: rlm_sql (sql): Released sql socket id: 4
Mon Oct  8 23:52:57 2012 : Info: ++[sql] returns ok
Mon Oct  8 23:52:57 2012 : Info: ++[expiration] returns noop
Mon Oct  8 23:52:57 2012 : Info: ++[logintime] returns noop
Mon Oct  8 23:52:57 2012 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Mon Oct  8 23:52:57 2012 : Info: ++[pap] returns noop
Mon Oct  8 23:52:57 2012 : Info: Found Auth-Type = External
Mon Oct  8 23:52:57 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Mon Oct  8 23:52:57 2012 : Info: +- entering group External {...}
Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{User-Name} -> test
Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{User-Password} -> ce3e3e3ebdbf
Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{reply:Secret} ->
Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{reply:Pin} ->
Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{reply:Offset} ->
Mon Oct  8 23:52:57 2012 : Debug: Exec-Program output: FAIL
Mon Oct  8 23:52:57 2012 : Debug: Exec-Program-Wait: plaintext: FAIL
Mon Oct  8 23:52:57 2012 : Debug: Exec-Program: returned: 13
Mon Oct  8 23:52:57 2012 : Info: ++[MOTP] returns fail
Mon Oct  8 23:52:57 2012 : Info: Failed to authenticate the user.
Mon Oct  8 23:52:57 2012 : Info: Using Post-Auth-Type Reject
Mon Oct  8 23:52:57 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Mon Oct  8 23:52:57 2012 : Info: +- entering group REJECT {...}
Mon Oct  8 23:52:57 2012 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> test
Mon Oct  8 23:52:57 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Oct  8 23:52:57 2012 : Info: ++[attr_filter.access_reject] returns updated
Mon Oct  8 23:52:57 2012 : Info: Delaying reject of request 0 for 1 seconds
Mon Oct  8 23:52:57 2012 : Debug: Going to the next request
Mon Oct  8 23:52:57 2012 : Debug: Waking up in 0.9 seconds.
Mon Oct  8 23:52:58 2012 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 190 to 172.16.24.4 port 38043
Mon Oct  8 23:52:58 2012 : Debug: Waking up in 4.9 seconds.


As you can see, it doesn't seem to get the reply vars:

Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{User-Name} -> test
Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{User-Password} -> ce3e3e3ebdbf
Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{reply:Secret} ->
Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{reply:Pin} ->
Mon Oct  8 23:52:57 2012 : Info: [MOTP]         expand: %{reply:Offset} ->


In /usr/share/freeradius/dictionary I have

$INCLUDE dictionary.motp

And from my dictionary.motp:

#
ATTRIBUTE       Secret                  960     string
ATTRIBUTE       Pin                     961     string
ATTRIBUTE       Offset                  962     string


All my configuration is based on

http://nicoblog.goralski.fr/tag/Radius


Med venlig hilsen | Best regards
Thomas Raabo
Senior Network Engineer CCIE #33466



_____________________________________________
tr at zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
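Added example (editor's note, not part of the post above and not the otpverify.sh from the linked blog): in the debug output `%{reply:Secret}`, `%{reply:Pin}` and `%{reply:Offset}` expand to nothing because rlm_sql loads radcheck rows as check items into the control list, not into the reply list; `%{control:Secret}` would expand, but handing the secret, PIN and the user's password to the script on its command line leaves them readable to every local user through the process list. The script below shows the rlm_exec contract from the script's side without any secret on the command line. It assumes `input_pairs = request`, so FreeRADIUS exports the request attributes as environment variables named after the attribute, upper-cased with `-` replaced by `_` (USER_NAME, USER_PASSWORD); it assumes exit code 0 is treated as ok and 1 as reject, and that stdout lines of the form `Attribute = "value"` become output pairs. The per-user secret, PIN and offset are read from a constructed in-script store (the values are the post's own sample rows; a real script would query the database itself), the offset is taken to be seconds, and the token algorithm assumed is Mobile-OTP: the first 6 hex characters of MD5 over epoch/10, secret and PIN.

```python
#!/usr/bin/env python3
"""Mobile-OTP verifier in the shape rlm_exec expects (added example).

Assumptions, none taken from the original post:
  * rlm_exec with input_pairs = request exports request attributes as
    environment variables (USER_NAME, USER_PASSWORD).
  * Exit 0 = ok, exit 1 = reject; stdout lines 'Attr = "value"' become
    output pairs (here: Reply-Message).
  * Secret, PIN and time offset are looked up locally, never passed in argv.
  * Token = first 6 hex chars of MD5(str(epoch // 10) + secret + pin).
"""
import hashlib
import hmac
import os
import sys
import time

# Constructed store using the post's sample radcheck values; a real
# deployment would query the same database FreeRADIUS uses.
USER_STORE = {
    "test": {"secret": "43ab97e05b3a11cb", "pin": "0201", "offset": 0},
}

WINDOW_STEPS = 18  # accept tokens from +/- 3 minutes in 10-second steps


def motp_token(epoch, secret, pin):
    """Token for the 10-second time step containing `epoch` (assumed mOTP scheme)."""
    material = f"{epoch // 10}{secret}{pin}".encode("ascii")
    return hashlib.md5(material).hexdigest()[:6]


def verify_motp(token, secret, pin, offset=0, now=None, window=WINDOW_STEPS):
    """True if `token` matches any step within +/- `window` of now + offset."""
    if now is None:
        now = int(time.time())
    base = now + offset
    matched = False
    for step in range(-window, window + 1):
        candidate = motp_token(base + 10 * step, secret, pin)
        # Constant-time compare, and no early return: the time taken does not
        # reveal which step (if any) matched.
        if hmac.compare_digest(candidate, token):
            matched = True
    return matched


def authenticate(env, store=USER_STORE, now=None):
    """Evaluate an rlm_exec-style environment; return (exit_code, output_pairs)."""
    user = env.get("USER_NAME", "")
    token = env.get("USER_PASSWORD", "")
    record = store.get(user)
    # Same rejection for unknown user and bad token: no user enumeration.
    if record is None or len(token) != 6:
        return 1, ['Reply-Message = "OTP check failed"']
    if verify_motp(token, record["secret"], record["pin"], record["offset"], now):
        return 0, ['Reply-Message = "OTP accepted"']
    return 1, ['Reply-Message = "OTP check failed"']


if __name__ == "__main__":
    exit_code, pairs = authenticate(os.environ)
    for pair in pairs:          # rlm_exec reads these as output_pairs
        print(pair)
    sys.exit(exit_code)
```

With this layout the exec module's `program` line needs only the script path, since the script reads USER_NAME and USER_PASSWORD from its environment; the Secret/Pin/Offset rows then do not need to reach the script through any xlat at all.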



