external auth script
Matthew Newton
mcn4 at leicester.ac.uk
Thu Jul 21 22:59:21 CEST 2016
On Thu, Jul 21, 2016 at 08:21:53PM +0000, Janis Heller wrote:
> I would like to use RADIUS to process the authentication of
> users to my VPN servers using a PHP script which is called by
> RADIUS processing the auth process.
That's generally a bad idea, and won't scale well. Forking a new
process for each auth is really slow.
You are probably better to just get FreeRADIUS to look directly at
whatever authentication database your PHP script is looking at.
> For this reason I added the following part into my exec file:
>
> exec {
>     wait = yes
>     program = "/usr/bin/php -f /usr/local/auth.php %{User-Name} %{User-Password}"
>     input_pairs = request
>     shell_escape = yes
>     timeout = 10
> }
>
> When I test the script by executing:
>
> radtest testing password localhost -4 testing123
>
> I get this error:
>
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Your script didn't set Auth-Type, so FreeRADIUS doesn't know how
to authenticate the request.
You could try a couple of things.
Use output_pairs = config, then get your script to print
"Auth-Type := Accept" or "Auth-Type := Reject" on success/failure.
Or follow the usual PAP/ntlm_auth examples at
http://wiki.freeradius.org/guide/NTLM%20Auth%20with%20PAP%20HOWTO
and do it properly with its own Auth-Type.
> I attached my
Not useful. The output of radiusd -X would be. But try the above
first.
But really, I'd forget the PHP script if possible.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
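
Added example, not part of the original message or of FreeRADIUS itself: a helper script in the shape the reply describes for `output_pairs = config`, taking the credentials from the environment that `input_pairs = request` provides instead of from the command line, where they would show up in the process list. It assumes the exec module exports request attributes as `USER_NAME` and `USER_PASSWORD`, possibly wrapped in double quotes; the script path and the credential table are constructed.

```shell
#!/bin/sh
# Helper for an exec instance configured roughly as (hypothetical path):
#   program      = "/usr/local/auth.sh"
#   input_pairs  = request    # attributes arrive as environment variables
#   output_pairs = config     # stdout is parsed into control attributes
# Assumption: attribute names are upper-cased with "-" turned into "_"
# (USER_NAME, USER_PASSWORD) and values may arrive wrapped in double quotes.

# Constructed credential table, a stand-in for the real backend lookup.
CREDENTIALS='testing:password
alice:correct-horse'

# Remove one pair of surrounding double quotes, if present.
strip_quotes() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# Print the control pair FreeRADIUS should act on for this user/password.
auth_reply() {
    user=$(strip_quotes "$1")
    pass=$(strip_quotes "$2")
    # Refuse empty or oddly shaped user names before touching the backend.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo 'Auth-Type := Reject'; return 0 ;;
    esac
    while IFS=: read -r u p; do
        if [ "$u" = "$user" ] && [ "$p" = "$pass" ]; then
            echo 'Auth-Type := Accept'
            return 0
        fi
    done <<EOF
$CREDENTIALS
EOF
    echo 'Auth-Type := Reject'
}

# Run only when both variables are exported by the server.
if [ -n "${USER_NAME+x}" ] && [ -n "${USER_PASSWORD+x}" ]; then
    auth_reply "$USER_NAME" "$USER_PASSWORD"
fi
```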