Conditional only returns False

Bruno de Paula Larini bruno.larini at
Wed Jul 16 20:44:42 CEST 2014

Hi, I'm trying to do an additional check for users contained in an 
Active Directory domain using information stored in a MySQL database. 
I'm using PEAP to check the users' credentials in the domain and that is 
working fine. The FreeRADIUS version is 2.1.12 on CentOS 6.

But when I add the following code after ntdomain in the file 
raddb/sites-enabled/inner-tunnel (I need the Stripped-User-Name), the 
check returns False even though the script output apparently matches the 

if ("%{exec:/etc/raddb/scripts/ %{Stripped-User-Name}}" == "Accept") {
        update control {
                Auth-Type := "Accept"
        }
}
else {
        update control {
                Auth-Type := "Reject"
        }
}

Running the script manually with one argument shows the expected output.

This is the output of radiusd -X:
[ntdomain] Looking up realm "NTDOMAIN" for User-Name = 
[ntdomain] Found realm "NTDOMAIN"
[ntdomain] Adding Stripped-User-Name = "daniel.carrington"
[ntdomain] Adding Realm = "NTDOMAIN"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++? if ("%{exec:/etc/raddb/scripts/ %{Stripped-User-Name}}" 
== "Accept")
Executing /etc/raddb/scripts/ %{Stripped-User-Name}
         expand: %{Stripped-User-Name} -> daniel.carrington
Exec-Program output: Accept
Exec-Program-Wait: plaintext: Accept
Exec-Program: returned: 0
result 0
         expand: %{exec:/etc/raddb/scripts/ 
%{Stripped-User-Name}} -> Accept
? Evaluating ("%{exec:/etc/raddb/scripts/ 
%{Stripped-User-Name}}" == "Accept") -> FALSE
++? if ("%{exec:/etc/raddb/scripts/ %{Stripped-User-Name}}" 
== "Accept") -> FALSE
++- entering else else {...}
+++[control] returns ok
++- else else returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
[eap] WARNING: Auth-Type already set.  Not setting to EAP
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE

And this is the content of raddb/modules/exec:
exec {
        wait = yes
        input_pairs = request
        shell_escape = yes
        output = none
}

Is there something wrong with this setup?
Thanks in advance!
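For readers building the same kind of check, here is an added example of what the script invoked through %{exec:...} can look like. It is not the poster's script (which is not shown in the post) and not FreeRADIUS code: it takes the Stripped-User-Name as its single argument, refuses anything that does not look like a plain account name (the value originates from the supplicant and is passed on a command line, so the script should not trust it even with shell_escape = yes), looks the user up, and writes exactly "Accept" or "Reject" to stdout with no surrounding whitespace and exit status 0, so the string the unlang comparison sees carries nothing extra. An in-memory SQLite table stands in for the MySQL table; the table and column names and the sample rows are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Example authorization check script for use via FreeRADIUS's exec expansion.

Added illustration, not the poster's script and not part of FreeRADIUS.
Usage:  check_user.py <Stripped-User-Name>
Output: the single word "Accept" or "Reject" (no trailing newline).
"""
import re
import sqlite3
import sys

# Conservative pattern for a sAMAccountName-style user name. The argument
# comes from the RADIUS request, so anything outside this set is rejected
# before it is used anywhere (assumed policy, adjust to the site's naming).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def open_example_db() -> sqlite3.Connection:
    """Constructed stand-in for the MySQL database.

    Assumed schema: allowed_users(username, enabled). A real deployment
    would connect to MySQL here instead of building an in-memory table.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE allowed_users (username TEXT PRIMARY KEY, enabled INTEGER)"
    )
    conn.executemany(
        "INSERT INTO allowed_users (username, enabled) VALUES (?, ?)",
        [("daniel.carrington", 1), ("disabled.user", 0)],  # constructed rows
    )
    conn.commit()
    return conn


def check_user(conn: sqlite3.Connection, username: str) -> str:
    """Return "Accept" only for a well-formed, known and enabled user name."""
    if not USERNAME_RE.match(username):
        return "Reject"
    # Parameterised query: the user name is never spliced into the SQL text.
    row = conn.execute(
        "SELECT enabled FROM allowed_users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[0] != 1:
        return "Reject"
    return "Accept"


def main(argv: list) -> int:
    """Entry point used when FreeRADIUS runs the script with one argument."""
    if len(argv) != 2:
        result = "Reject"  # wrong argument count: fail closed
    else:
        result = check_user(open_example_db(), argv[1])
    # Write without a trailing newline so the expanded value is exactly
    # "Accept" or "Reject"; the decision is carried in the output, and the
    # exit status stays 0 for both outcomes (as in the debug log above).
    sys.stdout.write(result)
    sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script fails closed on every unexpected condition (bad argument count, malformed name, unknown or disabled user), which is the behaviour you want from anything that can set Auth-Type := Accept. With "wait = yes" in the exec module the output is available to the expansion, and "shell_escape = yes" is kept as a second layer rather than the only one.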
