Exec-Program-Wait not working

Gianni Costanzi gianni.costanzi at gmail.com
Wed Jun 19 18:55:01 CEST 2019


On Wed, Jun 19, 2019 at 6:40 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Jun 19, 2019, at 12:03 PM, Gianni Costanzi <gianni.costanzi at gmail.com>
> wrote:
> > I tried to move the Exec-Program-Wait to the first line but it is still
> > not executed. I can see that the authentication is proxied to realm Imp, it
> > receives an Access accept but then the entry for XXX747 is not matched and
> > the DEFAULT entry with an access Reject is matched. The program is still
> > not executed:
>
>   You can also use raddb/mods-available/exec, which may be a little clearer.
>
> > XXX747 Auth-Type = System, Realm == imp, Exec-Program-Wait = "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}"
> >        Service-Type := Login-User,
> >        cisco-avpair = "shell:priv-lvl=2"
> >
> > Is the above entry correct, with Exec-Program-Wait on the first line?
>
>   Use ":=" instead of "=" for Exec-Program-Wait.
>
> > Some logs:
> > ...
> > (3) Received Access-Accept Id 126 from 10.240.24.151:1812 to
> > 10.240.0.5:34919 length 49
> > (3)   Reply-Message = "Pass"
> > (3)   Message-Authenticator = 0x4e57018f18713865960677d6ccf7002b
> > (3)   Proxy-State = 0x313438
> > (3) # Executing section post-proxy from file
> > /etc/raddb/sites-enabled/default
>
>   That's good.
>
> > (3)   post-proxy {
> > (3) attr_filter.post-proxy: EXPAND %{Realm}
> > (3) attr_filter.post-proxy:    --> imp
> > (3) attr_filter.post-proxy: Matched entry imp at line 110
> > (3)     [attr_filter.post-proxy] = updated
> > (3)   } # post-proxy = updated
> > (3) Found Auth-Type = Reject
>
>   Uh... why are you doing that?
>
> > (3) Auth-Type = Reject, rejecting user
> > (3) Failed to authenticate the user
> > (3) Login incorrect: [XXX747 at imp] (from client r-AA port 132)
> > (3) Using Post-Auth-Type Reject
>
>   Exec-Program-Wait isn't run for rejected packets.
>
>   Why are you forcing "Auth-Type = Reject"?
>
>   Alan DeKok.
>
>
Auth-Type reject is forced by the default entry, which is examined because
the user entry was not matched with Exec-Program-Wait = "xxxx" (basically I
need to reject the user if it receives an access accept but it is not matched
by a specific entry in the users file). Now I tried with a simpler user, which
is not authenticated on another realm and has a simple cleartext password.
This time the entry for testgianni user is matched, but the program is not
invoked:

testgianni Cleartext-Password := "test123", Exec-Program-Wait := "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}"
        Service-Type := Login-User,
        cisco-avpair = "shell:priv-lvl=2"

DEFAULT         Realm == imp, Auth-Type := reject

(1) suffix: No '@' in User-Name = "testgianni", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) files: EXPAND /opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}
(1) files:    --> /opt/script/radius/bin/check_operator_access.sh 10.122.159.2 testgianni
(1) files: users: Matched entry testgianni at line 512
(1)     [files] = ok
[...]
(1) Found Auth-Type = PAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: User authenticated successfully
(1)     [pap] = ok
(1)   } # Auth-Type PAP = ok
(1) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(1)   post-auth {
(1)     update {
(1)       No attributes updated
(1)     } # update = noop
(1)     [exec] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)     if ( &request:Realm && (request:Realm == "imp" || request:Realm == "sw" || request:Realm == "sas" )) {
(1)     if ( &request:Realm && (request:Realm == "imp" || request:Realm == "sw" || request:Realm == "sas" ))  -> FALSE
(1)   } # post-auth = noop
(1) Login OK: [testgianni] (from client r-PE port 132)
(1) Sent Access-Accept Id 223 from 10.120.0.5:1812 to 10.122.159.2:1645 length 0
(1)   Service-Type = Login-User
(1)   Cisco-AVPair = "shell:priv-lvl=2"
(1) Finished request
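The log above shows `files` expanding and matching the entry (so the Exec-Program-Wait on the first line is being used as a check item for matching) while the post-auth `exec` module returns `noop`. In a FreeRADIUS `users` file the unindented first line of an entry holds check items and the indented lines that follow hold reply items, and the exec module's post-auth handler acts on `Exec-Program-Wait` found in the reply list. The parser below, added here as an illustration and not part of the thread or of FreeRADIUS itself, reads the constructed sample file (two layouts of the same user plus the DEFAULT entry from the message) and reports which list the attribute lands in. `build_argv` is a small model, not FreeRADIUS's own code, of the order its exec code follows when handing a command to execve: the template is tokenised into argv first and `%{Attr}` is expanded inside each token afterwards, so an attribute value such as a User-Name containing spaces stays a single argument and cannot add arguments or shell operators (stated from my reading of 3.x; check the exec module of your version).

```python
import re
import shlex
from dataclasses import dataclass, field

# Operators the users file accepts, longest first so ":=" is not read as ":" then "=".
_OPS = ("!*", "=*", "!=", ":=", "+=", "-=", "==", "=~", "!~", "<=", ">=", "<", ">", "=")
_ITEM_RE = re.compile(
    r'\s*([\w.-]+)\s*(' + "|".join(re.escape(o) for o in _OPS) + r')\s*'
    r'("(?:[^"\\]|\\.)*"|[^,\s]+)\s*'      # double-quoted value (with \" escapes) or bare token
)
_XLAT_RE = re.compile(r"%\{([\w-]+)\}")   # %{Attribute-Name} expansions


@dataclass
class Entry:
    name: str
    checks: list = field(default_factory=list)   # (attr, op, value) from the first line
    replies: list = field(default_factory=list)  # (attr, op, value) from the indented lines


def _parse_items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items, pos = [], 0
    while pos < len(text):
        m = _ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item at {text[pos:]!r}")
        attr, op, value = m.groups()
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        items.append((attr, op, value))
        pos = m.end()
        if pos < len(text):
            if text[pos] != ",":
                raise ValueError(f"expected ',' at {text[pos:]!r}")
            pos += 1
    return items


def parse_users(text):
    """Unindented line = entry name + check items; indented lines = reply items
    (comma-terminated except the last); '#' lines are comments."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("reply item before any entry")
            current.replies.extend(_parse_items(raw.strip().rstrip(",")))
        else:
            parts = raw.split(None, 1)
            current = Entry(parts[0], _parse_items(parts[1]) if len(parts) > 1 else [])
            entries.append(current)
    return entries


def where_is(entries, name, attr):
    """Return 'check' or 'reply' for the list of the named entry that holds attr."""
    for e in entries:
        if e.name != name:
            continue
        if any(a == attr for a, _, _ in e.checks):
            return "check"
        if any(a == attr for a, _, _ in e.replies):
            return "reply"
    return None


def build_argv(template, attrs):
    """Tokenise the command first, then expand %{Attr} inside each token, so a
    value can never turn into extra arguments. Missing attributes expand to ""."""
    return [_XLAT_RE.sub(lambda m: attrs.get(m.group(1), ""), tok)
            for tok in shlex.split(template)]


# Constructed sample: the layout from the message (Exec-Program-Wait on the check line),
# the same user with the attribute moved to the reply lines, and the DEFAULT entry.
CMD = ('/opt/script/radius/bin/check_operator_access.sh '
       '%{NAS-IP-Address} %{User-Name} %{Realm}')
USERS_FILE = f'''\
# entry as posted: attribute on the first (check) line
testgianni Cleartext-Password := "test123", Exec-Program-Wait := "{CMD}"
        Service-Type := Login-User,
        cisco-avpair = "shell:priv-lvl=2"

# same user, attribute on an indented (reply) line
testgianni2 Cleartext-Password := "test123"
        Exec-Program-Wait := "{CMD}",
        Service-Type := Login-User,
        cisco-avpair = "shell:priv-lvl=2"

DEFAULT         Realm == imp, Auth-Type := reject
'''
ENTRIES = parse_users(USERS_FILE)

if __name__ == "__main__":
    for e in ENTRIES:
        print(e.name, "checks:", e.checks, "replies:", e.replies)
    print(build_argv(CMD, {"NAS-IP-Address": "10.122.159.2", "User-Name": "testgianni"}))
```

Running the block prints each entry's two lists and the argv for the `testgianni` request; the `%{Realm}` token expands to an empty argument because the request carried no realm, which is what the `files: EXPAND` line in the log shows.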

