using external script in virtual server config

the2nd at the2nd at
Fri Jan 16 19:32:16 CET 2015

Okay thanks for the explanation.

Here is the configuration that works for me:

        authorize {
                 if (!control:Auth-Type) {
                         update control {
                                 Auth-Type := `/usr/local/bin/otpme-auth 
-l verify %{User-Name} %{User-Password} %{NAS-Identifier} 

But is this the correct way to call an external script? I thought it 
should be done in the authenticate section. But if I try it with the 
config below it does not work:

         authorize {
                 if (!control:Auth-Type) {
                         update control {
                             Auth-Type := OTPme

         authenticate {
                 Auth-Type OTPme {
                        update control {
                                Auth-Type := `/usr/local/bin/otpme-auth 
-l verify %{User-Name} %{User-Password} %{NAS-Identifier} 

radiusd -X shows the following:

Ready to process requests.

rad_recv: Access-Request packet from host port 52764, 
id=187, length=58
         User-Name = "testuser"
         User-Password = "2b3491"
         NAS-Identifier = "SSO"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> TRUE
++? if (!control:Auth-Type) -> TRUE
++if (!control:Auth-Type) {
+++update control {
+++} # update control = noop
++} # if (!control:Auth-Type) = noop
+} # group authorize = noop
Found Auth-Type = OTPme
# Executing group from file /etc/raddb/sites-enabled/otpme
+group OTPme {
++update control {
         expand: %{User-Name} -> testuser
         expand: %{User-Password} -> 2b3491
         expand: %{NAS-Identifier} -> SSO
         expand: %{Client-IP-Address} ->
Exec output: Accept
Exec plaintext: Accept
Exec: program returned: 0
++} # update control = noop
+} # group OTPme = noop
Failed to authenticate the user.
Login incorrect: [testuser] (from client radius1 port 0)
} # server otpme
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 187 to port 52764
Waking up in 4.9 seconds.

I'm sorry if this is a dumb question. I've mostly read the documentation 
and also some howtos, but I'm still not clear about what's the right way 
to do it...


On 2015-01-16 16:46, Alan DeKok wrote:
> On Jan 16, 2015, at 10:28 AM, the2nd at wrote:
>> I have two questions regarding this setup.
>> 1. For clear-text requests I always get "Auth: Invalid user: 
>> [heiko.baumann" on authentication failure. For NTLM requests an "Auth: 
>> Login incorrect" is logged.
>>    I was using the script (exec) module before, which logged "Auth: 
>> Login incorrect" on failure, but I liked the idea of having the 
>> complete config in the virtual host file.
>   The log messages are different because we haven’t double-checked all
> of them.  It shouldn’t be much of a problem, though.
>>    I also tried to call my script from the authenticate section of my 
>> vhost but this was not working.
>   See the FAQ for “it doesn’t work”.
>> 2. Is it possible to call the script for NTLM/MSCHAP authentication 
>> from the vhost config? Currently it's called from the mschap module.
>   The MS-CHAP module calls ntlm_auth.  You *cannot* put that
> configuration into the virtual server.
>> Both are just cosmetic issues but it would be great to have everything 
>> in one file. :)
>   Each piece of the configuration exists for a reason.  They exist as
> independent pieces for a reason.  Jamming them together in one file
> means you won’t be able to tell them apart.. and they won’t work.
>> Also it would be great if someone with good FreeRADIUS skills could 
>> have a look at the example config because I'm not sure if it's the best 
>> way to do external authentication with FreeRADIUS.
>   If authentication works, then you have a working configuration.
>   Alan DeKok.
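An added illustration for this thread, not code from the original post or from the OTPme project: a minimal POSIX sh stand-in for the external program, written for the rlm_exec module rather than for backtick expansion inside `update control`. In the second configuration above the backtick expansion only stores the program's output in Auth-Type, so the update block returns noop and nothing has actually authenticated the request; with an `exec` module instance (`wait = yes`, `input_pairs = request`) listed under `Auth-Type OTPme { ... }` in authenticate, rlm_exec passes the request attributes to the program as environment variables and turns its exit status into the module return code. The module name `otpme`, the input-validation rules and the sample code table are assumptions.

```shell
#!/bin/sh
# Hypothetical stand-in for /usr/local/bin/otpme-auth (illustration only).
# Assumed rlm_exec instance in mods-available/exec, not from the thread:
#   exec otpme {
#       wait = yes
#       program = "/usr/local/bin/otpme-auth"
#       input_pairs = request
#       shell_escape = yes
#   }
# and in the virtual server:  authenticate { Auth-Type OTPme { otpme } }
# rlm_exec exports request attributes as environment variables (User-Name
# becomes USER_NAME), so the password is not put on the command line where
# other users could read it with ps, and the exit status becomes the module
# return code: 0 = ok (Access-Accept), 1 = reject, 2 = fail.
RLM_OK=0
RLM_REJECT=1
RLM_FAIL=2

# Constructed sample table of currently valid one-time codes ("user:code").
OTP_TABLE="testuser:2b3491
alice:998877"

# otpme_decide USER CODE -> returns an rlm_exec exit status; prints nothing
# on stdout, which rlm_exec would otherwise try to parse as attribute pairs.
otpme_decide() {
    user=$1
    code=$2
    # Constructed validation: refuse input outside a conservative charset
    # before it reaches the lookup; an unreadable table is "fail", not "reject".
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) return $RLM_REJECT ;;
    esac
    case "$code" in
        ''|*[!A-Za-z0-9]*) return $RLM_REJECT ;;
    esac
    [ -n "$OTP_TABLE" ] || return $RLM_FAIL
    # Whole-line fixed-string match, so "testuser:2b3491x" does not pass.
    if printf '%s\n' "$OTP_TABLE" | grep -qxF "$user:$code"; then
        return $RLM_OK
    fi
    return $RLM_REJECT
}

# Entry point when started by rlm_exec: credentials come from the environment.
if [ -n "${USER_NAME:-}" ]; then
    otpme_decide "$USER_NAME" "${USER_PASSWORD:-}"
    rc=$?
    echo "otpme-auth: user=$USER_NAME nas=${NAS_IDENTIFIER:-?} status=$rc" >&2
    exit $rc
fi
```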