custom auth script just for pap

Christian Salway christian.salway at naimuri.com
Fri Nov 16 15:19:50 CET 2018


I don't want to come across as ungrateful. You and the team are doing a fantastic job of looking after FreeRADIUS, and no, I'm not expecting documentation on "how to implement Christian Salway's configuration" (although that would be awesome if I could put a request in).

I know there is an exec module. I used it to add AD Groups to a reply in the Class field:

post-auth {
    # one Class value per group: the exec xlat runs the script once per memberOf value
    foreach &reply:memberOf {
        update {
            &reply:Class += "%{exec:/etc/raddb/extract-ad-group.sh %{Foreach-Variable-0}}"
        }
    }
}

But this exec is inside quotes. What you have explained sounds like it can go outside of quotes, which I doubt, since exec can also stand on its own.

authorize {
    if (User-Name) {
        exec: "/path/to/file '%{User-Name}' '%{User-Password}'" <-- I'm guessing this is meant to return an exit code that means Accept/Reject
    }
}

There is nowhere I could find in the docs or examples that gives this format.


"You would not learn anything" .. I learn, as I'm sure most do, by example, not by documentation alone, as it is normally limited in context.

"You would be unable to maintain the system you built" .. that depends on your character. Just because someone gives me an example doesn't mean I don't examine it line by line and try to understand it. In fact I'm a stickler for perfect systems, so even if someone gave me code, I would still make sure it was the most efficient, secure method.


No worries, sorry to bother you. I'll post the question on SO and hope someone isn't so glad it's the weekend.


> On 16 Nov 2018, at 14:03, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Nov 16, 2018, at 8:54 AM, Christian Salway via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> 
>> I have read all 58 pages of the Technical Guide and scanned through the "main page" (which is basically a copy).
>> 
>> I still don't know how to implement a custom authorisation.
>> 
>> What I am trying to achieve is to:
>> 
>> a) log in with eap-mschapv2 and only if Access-Accept, run a custom script to do an MFA which could cause the result to become an Access-Reject.
>> b) log in with PAP and run a custom auth script (which does MFA) which results in an Access-Accept or Access-Reject.
>> 
>> I couldn't find anywhere in the documentation to help me with this.  Could you point me to the page?  I think I understand that it is probably best done in the Authenticate section
> 
>  There is no documentation that says "how to implement Christian Salway's configuration".
> 
>  You have to put the pieces together yourself.  The RADIUS ecosystem is complex enough that it is *impossible* to give guides for every possible thing that everyone could possibly want to do.
> 
> There *is* documentation that says:
> 
> a) how to check for things
> 
> b) how to do things
> 
>  I gave you an example of how to check for User-Password (i.e. PAP), and do something.  If you read the configuration and examples, you will see that there is detailed documentation for how to run external programs.  See the "exec" module.
> 
>  Then, put the two pieces together.  "If user password, run my custom exec module".
> 
>  Yes, I could give you line by line instructions for how to do this.  And yes, I could spend *24 hours a day* doing that for people.  And yes, you would not learn anything.  And yes, you would be unable to maintain the system you built.
> 
>  This is not just me being obtuse.  This is me insisting that you *understand* not only how to configure the server, but also how to *solve problems*.   Just asking questions on the mailing list isn't an option.
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
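
The "if User-Password, run my exec module" recipe from the quoted reply, written out as an added example for the PAP case (b). This is not code from the thread or from the FreeRADIUS project; the module name mfa_check, the script and code-file paths, and the convention that the user types the OTP after the password are all assumptions made for the example. What is not assumed is the rlm_exec contract it relies on: with input_pairs = request the request attributes are passed to the program as environment variables (USER_NAME, USER_PASSWORD, ...), the program's exit code is mapped to a module return code (0 = ok, 1 = reject, 2 = fail, 9 = updated, as listed in mods-available/exec), and with wait = yes and output_pairs set, lines of "Attribute op value" on stdout are merged into the chosen list. Passing attributes through the environment rather than on the command line, as in the guessed exec: line above, is also the reason the clear-text password does not show up in ps output.

```shell
#!/bin/sh
# mfa-check.sh: a PAP second-factor check run by rlm_exec (added example,
# not FreeRADIUS project code). Assumed wiring, hypothetical names:
#
#   mods-available/exec (a second instance next to the stock "exec"):
#     exec mfa_check {
#         wait = yes
#         program = "/etc/raddb/mfa-check.sh"
#         input_pairs = request
#         output_pairs = request
#         shell_escape = yes
#     }
#
#   sites-enabled/default, authorize section, listed after "pap":
#     if (&User-Password) {
#         mfa_check
#     }
#
# With input_pairs = request, rlm_exec exports the request attributes as
# environment variables (USER_NAME, USER_PASSWORD, ...), so the clear-text
# password is never on the command line where `ps` could show it.
# Convention assumed here: the user types <password><6-digit OTP> in the
# password field. The script verifies the OTP, strips it, and writes the bare
# password back into the request so the stock pap check still runs after it.

# rlm_exec exit-code contract (see the comments in raddb/mods-available/exec).
RC_OK=0        # ok: authorize continues
RC_REJECT=1    # reject: Access-Reject
RC_FAIL=2      # fail: module error, logged as such rather than as a bad login
RC_UPDATED=9   # updated: the request was modified, continue

# Constructed per-user code list, one "user:code" per line (assumed path).
# A deployment replaces otp_is_valid with a real TOTP or push verifier.
OTP_FILE="${OTP_FILE:-/etc/raddb/otp-codes.txt}"

# otp_is_valid USER CODE -> 0 when CODE is listed for USER, 1 otherwise
otp_is_valid() {
    grep -qxF -- "$1:$2" "$OTP_FILE"
}

# mfa_check USER PASSWORD -> prints request updates on stdout, returns an
# rlm_exec code. Anything that is not a well-formed success is a reject.
mfa_check() {
    user=$1
    secret=$2

    # Only accept user names made of safe characters; the value is handed
    # to grep and may end up in logs.
    case $user in
        ''|*[!A-Za-z0-9._@-]*) return "$RC_REJECT" ;;
    esac

    # Need at least one password character in front of the 6-digit OTP.
    [ "${#secret}" -gt 6 ] || return "$RC_REJECT"
    bare=${secret%??????}          # everything but the last six characters
    otp=${secret#"$bare"}          # the last six characters
    case $otp in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return "$RC_REJECT" ;;
    esac

    # A missing code store is an operational failure, not a wrong code.
    [ -r "$OTP_FILE" ] || return "$RC_FAIL"
    otp_is_valid "$user" "$otp" || return "$RC_REJECT"

    # Hand the password without the OTP back to the request list. The value
    # is double-quoted for the FreeRADIUS pair parser, so escape \ and ".
    escaped=$(printf '%s' "$bare" | sed 's/[\\"]/\\&/g')
    printf 'User-Password := "%s"\n' "$escaped"
    return "$RC_UPDATED"
}

# Entry point when FreeRADIUS runs the script itself; skipped when the file
# is sourced under another name (for example by a test harness).
case ${0##*/} in
    mfa-check.sh)
        mfa_check "${USER_NAME:-}" "${USER_PASSWORD:-}"
        exit $? ;;
esac
```

Two caveats a practitioner would check before deploying something like this. First, wait = yes holds a worker thread until the program exits, and rlm_exec kills the child when its timeout setting expires, so a push-style second factor that waits on a phone needs a timeout short enough not to starve the server. Second, this only fits case (b): with EAP-MSCHAPv2 the server never receives a clear-text User-Password, so the OTP-in-password convention cannot work there; the same module can be listed in the post-auth section (of the inner tunnel, for EAP) to run an out-of-band check after a successful password authentication, where its reject return code turns the result into an Access-Reject. Running radiusd -X shows the exported environment, the parsed output pairs and the return code for each call.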