external script problem

Tarık Kabak tarikkabak at gmail.com
Thu Sep 20 21:56:14 CEST 2012


Hi Arran,

Can you please tell me what is wrong with the PHP script below? Or is
there a working example script?
Note that this script is just a simplified version.
Thanks.

#!/usr/local/bin/php-5.3
<?php

$f = fopen("php://stdin", "r");
while ($line = fgets($f)) {
        $line = trim($line);
        $fields = explode(' ', $line);
        $username = rawurldecode($fields[0]);
        $password = rawurldecode($fields[1]);
        if ($username == 'hello'
            and $password == 'world') {
                fwrite(STDOUT, "Access-Accept\n");
        } else if ($username == 'foo'
            and $password == 'bar') {
                fwrite(STDOUT, "Access-Accept\n");
        } else {
                fwrite(STDOUT, "Access-Reject\n");
        }
}
?>

The connection fails (it asks for user/pass again). Here is the output of
the radiusd -X command:

Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.35.100 port 10587, id=5, length=144
        User-Name = "foo"
        NAS-IP-Address = 192.168.35.100
        NAS-Port = 0
        Called-Station-Id = "74-EA-3A-AE-9E-FB:Radius"
        Calling-Station-Id = "C4-85-08-11-59-EA"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x0201000801666f6f
        Message-Authenticator = 0x71d5d45adea35cdd7c4d6cbeb425b08d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.35.100/auth-detail-20120920
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.35.100/auth-detail-20120920
[auth_log]      expand: %t -> Thu Sep 20 22:39:07 2012
++[auth_log] returns ok
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 60
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = TEST
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group TEST {...}
[php]   expand: %{mschap:User-Name} -> foo
[php]   expand: %{User-Password} ->
Exec-Program output:
Exec-Program-Wait: plaintext:
Exec-Program: returned: 0
++[php] returns ok
Login OK: [foo/<via Auth-Type = TEST>] (from client myAp port 0 cli C4-85-08-11-59-EA)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[reply_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.35.100/reply-detail-20120920
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.35.100/reply-detail-20120920
[reply_log]     expand: %t -> Thu Sep 20 22:39:07 2012
++[reply_log] returns ok
[sql_log] Processing sql_log_postauth
[sql_log]       expand: %{User-Name} -> foo
[sql_log]       expand: %{%{User-Name}:-DEFAULT} -> foo
[sql_log] sql_set_user escaped user --> 'foo'
[sql_log] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[sql_log]       ... expanding second conditional
[sql_log]       expand: Chap-Password -> Chap-Password
[sql_log]       expand: INSERT INTO radpostauth
  (username, pass, reply, authdate) VALUES
('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth
         (username, pass, reply, authdate) VALUES
  ('foo', 'Chap-Password',                'Access-Accept', '2012-09-20 22:39:07');
[sql_log]       expand: /var/log/radius/radacct/sql-relay -> /var/log/radius/radacct/sql-relay
++[sql_log] returns ok
++[exec] returns noop
Sending Access-Accept of id 5 to 192.168.35.100 port 10587
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 5 with timestamp +9
Ready to process requests.


2012/9/20 Arran Cudbard-Bell <a.cudbardb at freeradius.org>

>
> On 20 Sep 2012, at 18:00, Tarık Kabak <tarikkabak at gmail.com> wrote:
>
> > Hello again,
> >
> >
> > Thanks for your help. So external script support is possible only for
> > PAP? I wanted to authenticate Windows 7 wireless interfaces via a RADIUS
> > server because of an old/non-supported SQL DB, so I had to use my own
> > external/customized PHP script.
>
> You can do it, if your old unsupported database has the passwords available
> in cleartext, or the NT hashes of the passwords...
>
> -Arran
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
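
The following Python code is an added example, not part of the original message or of FreeRADIUS. It reads the Access-Request attributes from the debug output above and decodes the EAP-Message, showing that the request carries an EAP Identity response and no User-Password, which matches the empty %{User-Password} expansion in the log. The sample text is an abridged copy of that output and the function names are hypothetical.

```python
import re

# Constructed sample: abridged copy of the Access-Request in the debug output above.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.35.100 port 10587, id=5, length=144
        User-Name = "foo"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000801666f6f
        Message-Authenticator = 0x71d5d45adea35cdd7c4d6cbeb425b08d
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_attrs(debug_text):
    """Collect the indented 'Name = value' lines of a radiusd -X packet dump."""
    # Assumption: one value per attribute name (an EAP packet split over
    # several EAP-Message attributes would need concatenating first).
    return {m.group(1): m.group(2).strip().strip('"')
            for m in re.finditer(r'^[ \t]+([A-Za-z0-9-]+) = (.+)$', debug_text, re.M)}

def decode_eap(hex_value):
    """Decode an EAP packet header (RFC 3748): code, id, length, type, data."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a type byte
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]
    return pkt

def credential_in_request(attrs):
    """Name the credential material the request offers to an external check."""
    for attr, method in (("User-Password", "PAP"), ("CHAP-Password", "CHAP"),
                         ("MS-CHAP-Challenge", "MS-CHAP"), ("EAP-Message", "EAP")):
        if attr in attrs:
            return method
    return "none"

if __name__ == "__main__":
    attrs = parse_attrs(SAMPLE)
    print(credential_in_request(attrs), decode_eap(attrs["EAP-Message"]))
```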