using external script in virtual server config
the2nd at otpme.org
Fri Jan 16 19:32:16 CET 2015
Okay thanks for the explanation.
Here is the configuration that works for me:
authorize {
    if (!control:Auth-Type) {
        update control {
            Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}`
        }
    }
}
But is this the correct way to call an external script? I thought it
should be done in the authenticate section. But if I try it with the
config below it does not work:
authorize {
    if (!control:Auth-Type) {
        update control {
            Auth-Type := OTPme
        }
    }
}

authenticate {
    Auth-Type OTPme {
        update control {
            Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}`
        }
    }
}
radiusd -X shows the following:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 52764, id=187, length=58
User-Name = "testuser"
User-Password = "2b3491"
NAS-Identifier = "SSO"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> TRUE
++? if (!control:Auth-Type) -> TRUE
++if (!control:Auth-Type) {
+++update control {
+++} # update control = noop
++} # if (!control:Auth-Type) = noop
+} # group authorize = noop
Found Auth-Type = OTPme
# Executing group from file /etc/raddb/sites-enabled/otpme
+group OTPme {
++update control {
expand: %{User-Name} -> testuser
expand: %{User-Password} -> 2b3491
expand: %{NAS-Identifier} -> SSO
expand: %{Client-IP-Address} -> 192.168.1.1
Exec output: Accept
Exec plaintext: Accept
Exec: program returned: 0
++} # update control = noop
+} # group OTPme = noop
Failed to authenticate the user.
Login incorrect: [testuser] (from client radius1 port 0)
} # server otpme
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 187 to 192.168.1.1 port 52764
Waking up in 4.9 seconds.
I'm sorry if this is a dumb question. I've mostly read the documentation
and also some howtos, but I'm still not clear about what's the right way
to do it...
regards
the2nd
On 2015-01-16 16:46, Alan DeKok wrote:
> On Jan 16, 2015, at 10:28 AM, the2nd at otpme.org wrote:
>> I have two questions regarding this setup.
>>
>> 1. For clear-text requests I always get "Auth: Invalid user:
>> [heiko.baumann" on authentication failure. For NTLM requests an "Auth:
>> Login incorrect" is logged.
>> I was using the script (exec) module before, which logged "Auth:
>> Login incorrect" on failure, but I liked the idea of having the
>> complete config in the virtual host file.
>
> The log messages are different because we haven’t double-checked all
> of them. It shouldn’t be much of a problem, though.
>
>> I also tried to call my script from the authenticate section of my
>> vhost but this was not working.
>
> See the FAQ for “it doesn’t work”.
>
>> 2. Is it possible to call the script for NTLM/MS-CHAP authentication
>> from the vhost config? Currently it's called from the mschap module.
>
> The MS-CHAP module calls ntlm_auth. You *cannot* put that
> configuration into the virtual server.
>
>> Both are just cosmetic issues, but it would be great to have everything
>> in one file. :)
>
> Each piece of the configuration exists for a reason. They exist as
> independent pieces for a reason. Jamming them together in one file
> means you won’t be able to tell them apart.. and they won’t work.
>
>> Also it would be great if someone with good FreeRADIUS skills could
>> have a look at the example config, because I'm not sure if it's the best
>> way to do external authentication with FreeRADIUS.
>
> If authentication works, then you have a working configuration.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
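For comparison, the following wires the same script in as a dedicated exec module instance instead of a backtick expansion inside update control, so that the program's exit status (0 for Accept, as in the debug output above) becomes the return code of the Auth-Type section. This is an added example, not the poster's configuration or a reply from the list; the instance name otpme_auth and the assumption that the script can read its inputs from environment variables are mine.

```unlang
# In the modules directory (added example; instance name is an assumption).
# With wait = yes, radiusd waits for the program and maps its exit status to
# a module return code: 0 -> ok, 1 -> reject, 2 -> fail.  That return code is
# what makes the Auth-Type section accept or reject.  A backtick expansion
# inside "update control" is only an attribute assignment and always returns
# noop, which is why the debug output shows "group OTPme = noop" and then
# "Failed to authenticate the user."
exec otpme_auth {
    wait = yes
    program = "/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}"
    # Export the request attributes as environment variables as well
    # (USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, ...).  A script that reads
    # the password from the environment instead of argv keeps it out of the
    # process list, where command-line arguments are visible to other users.
    input_pairs = request
    # Escape attribute values before they reach the shell, so a crafted
    # User-Name cannot inject extra shell syntax into the command line.
    shell_escape = yes
}

# In sites-enabled/otpme: pick the Auth-Type in authorize, run the module
# in authenticate.
authorize {
    if (!control:Auth-Type) {
        update control {
            Auth-Type := OTPme
        }
    }
}

authenticate {
    Auth-Type OTPme {
        otpme_auth
    }
}
```

Whatever the script prints to stdout is parsed as attribute pairs (the "Exec plaintext: Accept" line in the debug output shows it did not parse as one), so only the exit status decides the result.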