external auth script

Matthew Newton mcn4 at leicester.ac.uk
Thu Jul 21 22:59:21 CEST 2016

On Thu, Jul 21, 2016 at 08:21:53PM +0000, Janis Heller wrote:
> I would like to use RADIUS to process the authentification of
> users to my VPN servers using a PHP script which is called by
> RADIUS processing the auth process.

That's generally a bad idea, and won't scale well. Forking a new
process for each auth is really slow.

You are probably better to just get FreeRADIUS to look directly at
whatever authentication database your PHP script is looking at.

> For this reason I added the following part into my exec file:
> 	exec { wait = yes program = "/usr/bin/php -f /usr/local/auth.php %{User-Name} %{User-Password}" input_pairs = request shell_escape = yes timeout = 10 }
> When I test the script by executing:
> radtest testing password localhost -4 testing123
> I get this error:
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

Your script didn't set Auth-Type, so FreeRADIUS doesn't know how
to authenticate the request.

You could try a couple of things.

Use output_pairs = config, then get your script to print
"Auth-Type := Accept" or "Auth-Type := Reject" on success/failure.

Or follow the usual PAP/ntlm_auth examples at
and do it properly with its own Auth-Type.

> I attached my 

Not useful. The output of radiusd -X would be. But try the above

But really, I'd forget the PHP script if possible.


Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list