Exec-Program-Wait not working
Alan DeKok
aland at deployingradius.com
Wed Jun 19 18:39:43 CEST 2019
On Jun 19, 2019, at 12:03 PM, Gianni Costanzi <gianni.costanzi at gmail.com> wrote:
> I tried to move the Exec-Program-Wait to the first line but it is still not
> executed.. I can see that the authentication is proxied to realm Imp, it
> receives an Access accept but then
> the entry or XXX747 is not matched and the DEFAULT entry with an access
> Reject is matched. The program is still not executed:
You can also use raddb/mods-available/exec, which may be a little clearer.
> XXX747 Auth-Type = System, Realm == imp, Exec-Program-Wait =
> "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address}
> %{User-Name} %{Realm}"
> Service-Type := Login-User,
> cisco-avpair = "shell:priv-lvl=2"
>
> Is the above entry correct, with Exec-Program-Wait on the first line?
Use ":=" instead of "=" for Exec-Program-Wait.
> Some logs:
> ...
> (3) Received Access-Accept Id 126 from 10.240.24.151:1812 to
> 10.240.0.5:34919 length 49
> (3) Reply-Message = "Pass"
> (3) Message-Authenticator = 0x4e57018f18713865960677d6ccf7002b
> (3) Proxy-State = 0x313438
> (3) # Executing section post-proxy from file
> /etc/raddb/sites-enabled/default
That's good.
> (3) post-proxy {
> (3) attr_filter.post-proxy: EXPAND %{Realm}
> (3) attr_filter.post-proxy: --> imp
> (3) attr_filter.post-proxy: Matched entry imp at line 110
> (3) [attr_filter.post-proxy] = updated
> (3) } # post-proxy = updated
> (3) Found Auth-Type = Reject
Uh... why are you dong that?
> (3) Auth-Type = Reject, rejecting user
> (3) Failed to authenticate the user
> (3) Login incorrect: [XXX747 at imp] (from client r-AA port 132)
> (3) Using Post-Auth-Type Reject
Exec-Program-Wait isn't run for rejected packets.
Why are you forcing "Auth-Type = Reject"?
Alan DeKok.
More information about the Freeradius-Users
mailing list