Reply with Access-Reject from exec

Adnan Miljkovic adnan at green.ba
Sat Nov 30 23:59:15 CET 2013


Hello,

I am using exec to check users against an external script. Up until now I am
able to successfully authenticate the user and send back several
attributes that are used by the NAS. So when user data are OK, everything
is fine.

My problem is how to deny access to the user, how to send "Access-Reject"?
What should I send back in my exec program?

Possibly my setup is wrong? My current setup:

authorize {
.....
    update control {
        Auth-Type := CheckUser
    }
.....
}

authenticate {
....
        Auth-Type CheckUser {
                checkuser
        }
.....
}


The output "Access-Accept" is always sent back to the NAS:
==================================================
++[sql] = notfound
++update control {
++} # update control = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = CheckUser
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group CheckUser {
[checkuser]     expand: %{User-Name} -> student.name
[checkuser]     expand: %{User-Password} -> password
Exec output: fail     = 1
Exec plaintext: fail     = 1
[checkuser] Exec: program returned: 0
++[checkuser] = ok
+} # group CheckUser = ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 117 to 127.0.0.1 port 57009
==================================================

I am using version 2.2.2.

All help is much appreciated.
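
Added example, not part of the original post: in the debug output above the program prints `fail = 1` but exits with status 0, and rlm_exec (with `wait = yes`) takes the module result from the exit status (0 = ok, 1 = reject, 2 = fail), while stdout is only parsed as attribute pairs. The sketch below is a hypothetical stand-in for the checkuser program, assuming it receives the user name and password as its two arguments; `backend_check`, the credentials and the reply attribute are constructed.

```shell
#!/bin/sh
# Hypothetical stand-in for the exec program behind the "checkuser" module.
# rlm_exec decides from the exit status: 0 = ok, 1 = reject, 2 = fail.
# Text on stdout is parsed as "Attribute = value" pairs and never rejects.

# backend_check USER PASS
# Constructed stand-in for the real external lookup.
# Returns 0 when the credentials match, 1 otherwise (unknown user included).
backend_check() {
    case "$1" in
        student.name) [ "$2" = "password" ] && return 0 ;;
    esac
    return 1
}

# checkuser USER PASS
# Prints reply attributes only on success; the return value is the exit
# status the deployed script must hand back to the server.
checkuser() {
    # Fail closed: missing arguments are a module failure, never an accept.
    [ -n "${1:-}" ] && [ -n "${2:-}" ] || return 2
    if backend_check "$1" "$2"; then
        echo 'Session-Timeout = 3600'   # sample reply attribute
        return 0                        # ok
    fi
    return 1                            # reject
}

# Demonstration over constructed credentials: shows the status per case.
for creds in "student.name password" "student.name wrong" "nobody x"; do
    set -- $creds
    checkuser "$1" "$2" >/dev/null
    echo "$1 / $2: exit status $?"
done

# Deployed as the exec program, the script would instead end with:
#   checkuser "$1" "$2"; exit $?
```
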