Exec-Program-Wait not working

Alan DeKok aland at deployingradius.com
Wed Jun 19 18:39:43 CEST 2019


On Jun 19, 2019, at 12:03 PM, Gianni Costanzi <gianni.costanzi at gmail.com> wrote:
> I tried to move the Exec-Program-Wait to the first line but it is still not
> executed.. I can see that the authentication is proxied to realm Imp, it
> receives an Access accept but then
> the entry for XXX747 is not matched and the DEFAULT entry with an access
> Reject is matched. The program is still not executed:

  You can also use raddb/mods-available/exec, which may be a little clearer.

> XXX747 Auth-Type = System, Realm == imp, Exec-Program-Wait =
> "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address}
> %{User-Name} %{Realm}"
>        Service-Type := Login-User,
>        cisco-avpair = "shell:priv-lvl=2"
> 
> Is the above entry correct, with Exec-Program-Wait on the first line?

  Use ":=" instead of "=" for Exec-Program-Wait.

> Some logs:
> ...
> (3) Received Access-Accept Id 126 from 10.240.24.151:1812 to
> 10.240.0.5:34919 length 49
> (3)   Reply-Message = "Pass"
> (3)   Message-Authenticator = 0x4e57018f18713865960677d6ccf7002b
> (3)   Proxy-State = 0x313438
> (3) # Executing section post-proxy from file
> /etc/raddb/sites-enabled/default

  That's good.

> (3)   post-proxy {
> (3) attr_filter.post-proxy: EXPAND %{Realm}
> (3) attr_filter.post-proxy:    --> imp
> (3) attr_filter.post-proxy: Matched entry imp at line 110
> (3)     [attr_filter.post-proxy] = updated
> (3)   } # post-proxy = updated
> (3) Found Auth-Type = Reject

  Uh... why are you doing that?

> (3) Auth-Type = Reject, rejecting user
> (3) Failed to authenticate the user
> (3) Login incorrect: [XXX747 at imp] (from client r-AA port 132)
> (3) Using Post-Auth-Type Reject

  Exec-Program-Wait isn't run for rejected packets.

  Why are you forcing "Auth-Type = Reject"?

  Alan DeKok.




