Performing an additional check on the credentials

Romeo Mihalcea romeo.mihalcea at gmail.com
Thu Apr 11 23:29:37 CEST 2013


I successfully managed to deploy a freeradius server and created a python
script which does an additional check on the user (incoming request). I
checked the internet (resources for freeradius are pretty horrible) and
only found a thread which explains some basics about adding a python script
to the process.

Right now I have it inside /etc/freeradius/sites-enabled/default under the
authorize section:

update control {
       Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}' '%{User-Password}'`
}

My test.py file spits Reject or Accept. I also have sql authentication
setup with freeradius and the problem is that, if my script returns Accept
any other authorization request under is ignored; response will still be an
Accept even if sql check rejects the user.

From what I understand I should pass a noop instead of Accept to allow
freeradius to continue and only pass Reject if I need to reject the user
but if I respond with noop the server complains (probably because it
expects a reply for Auth-Type as I coded it).

Someone on serverfault suggested I shouldn't use unlang to call a python
script and I should use rlm_python but I really have no idea how to even
start calling my script.

Any ideas? Maybe I need to add my code to the Authentication section? How?

More information about the Freeradius-Users mailing list