external auth script

Pshem Kowalczyk pshem.k at gmail.com
Fri Jul 22 13:25:18 CEST 2016


Hi,

If you're to use rest - have a look in mods-available - should be there, a
sample config can look like this:

rest check_access_rest {
    connect_uri = "http://127.0.0.1:8080"

    connect_timeout = 4.0

    authorize {
        uri = "${..connect_uri}/auth/%{User-Name}"
        method = 'get'
    }
    authenticate {
    }

    accounting {
    }
    post-auth {
    }

    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}

        spare = ${thread[pool].max_spare_servers}

        uses = 0
        lifetime = 0
        idle_timeout = 60
    }
}

and then the authorize section:

authorize {
  check_access_rest
}

Since you want to return 'Auth-Type := Accept' make sure the response is of
the correct type (application/json) and your return code is 200. The
response should look something like this:
{
    "Auth-Type": {
        "op": ":=",
        "value": "Accept"
    }
}
More info here:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/rest


kind regards
Pshem




On Fri, 22 Jul 2016 at 23:12 Janis Heller <janis.heller at outlook.de> wrote:

> I’m using Freeradius v 3.0.11.
> Sorry, there is no „rest“ file in mods-enabled folder
> (etc/freeradius/mods-enabled).
>
> I’ve reread your post, here’s my current config:
>
> authorize {
>                 Auth-Type  exec {
>              exec
>                 }
> }
>
> authenticate {
>
> }
>
> Now when I try to start radius these lines are printed in red color.
>
> /etc/freeradius/sites-enabled/default[18]: Failed to find "Auth-Type" as a
> module or policy.
> /etc/freeradius/sites-enabled/default[18]: Please verify that the
> configuration exists in /etc/freeradius/mods-enabled/Auth-Type.
> /etc/freeradius/sites-enabled/default[17]: Errors parsing authorize
> section.
>
> All the best;
>
> janis
>
> > Am 22.07.2016 um 12:27 schrieb Matthew Newton <mcn4 at leicester.ac.uk>:
> >
> > On Fri, Jul 22, 2016 at 10:18:10AM +0000, Janis Heller wrote:
> >> I’m a newbie to RADIUS.
> >
> > I suggest you read through doc/concepts/aaa.rst.
> >
> > Otherwise you're just guessing where you should put things.
> >
> >> I’ve taken a look into my modules folder, there’s no rest module. How
> >> can I build this fast? Many of you told me to use rest instead of exec to
> >> perform a simple web request to some script.
> >
> > If you've got a "modules" folder then you're using version 2,
> > which is end of life and not supported any more. You need version
> > 3.
> >
> > We would have known this if you'd sent the full output of radiusd
> > -X...
> >
> >> authorize {
> >>
> >> }
> >>
> >> authenticate {
> >>      Auth-Type exec {
> >>      exec
> >>      }
> >> }
> >>
> >> I get this error all the time (provided username & password are correct)
> >>
> >> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> >>
> >> I’m a bit confused about this. I think I only need to use
> >> authorize to validate username & password. My accounts won’t
> >> have custom permissions etc.
> >
> > That's not the right place for what you are trying to do, and not
> > what I put in the previous e-mails.
> >
> >  Put exec in authorize, nothing in authenticate.
> >
> >  Make your script output "Auth-Type := Accept" on stdout. This
> >  skips the authenticate section and directly accepts the request.
> >
> >  Use "output_pairs = config" as well as your existing exec config.
> >
> > It works. I tested it here. No other config changes than those.
> >
> > You still shouldn't use exec like this in production.
> >
> > I suggest you play around with concepts like this first (even if
> > you shouldn't use it) before trying to use something like rest, so
> > that you learn how FreeRADIUS works.
> >
> > And read all the debug output. It shows how packets flow through
> > the server, and which modules are hit when. Debug output in
> > version 3.0.11 is clearer than in version 2.
> >
> > Matthew
> >
> >
> >
> > --
> > Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
> >
> > Systems Specialist, Infrastructure Services,
> > I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> >
> > For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
>


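A sketch of the backend that the check_access_rest config at the top of this mail would call, added here as an example and not part of the original post or of FreeRADIUS. The user set, the username pattern and the choice of 400/401/404 for the failure cases are assumptions; because the uri carries only %{User-Name}, this backend decides on the username alone and never sees a password.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed sample data: accounts this hypothetical backend accepts.
ALLOWED_USERS = {"alice", "bob@example.org"}
# Conservative allowlist for the User-Name taken from the URI path (assumption).
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def decide(path):
    """Map a request path to (HTTP status, JSON-serialisable body)."""
    prefix = "/auth/"
    if not path.startswith(prefix):
        return 404, {}
    # Percent-decode the %{User-Name} segment before validating it.
    user = unquote(path[len(prefix):])
    if not USERNAME_RE.fullmatch(user):
        # Rejects empty names, path separators, query strings and the like.
        return 400, {}
    if user not in ALLOWED_USERS:
        # Never answer 200 for an unknown user.
        return 401, {}
    # Body shape from the mail above: attribute name -> operator and value.
    return 200, {"Auth-Type": {"op": ":=", "value": "Accept"}}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = decide(self.path)
        payload = json.dumps(body).encode()
        self.send_response(status)
        # The mail asks for application/json on the response.
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Loopback only, matching connect_uri = "http://127.0.0.1:8080".
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```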