Exec-Program-Wait not working
Gianni Costanzi
gianni.costanzi at gmail.com
Wed Jun 19 18:55:01 CEST 2019
On Wed, Jun 19, 2019 at 6:40 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Jun 19, 2019, at 12:03 PM, Gianni Costanzi <gianni.costanzi at gmail.com> wrote:
> > I tried to move the Exec-Program-Wait to the first line but it is still
> > not executed. I can see that the authentication is proxied to realm Imp,
> > it receives an Access-Accept but then the entry for XXX747 is not matched
> > and the DEFAULT entry with an Access-Reject is matched. The program is
> > still not executed:
>
> You can also use raddb/mods-available/exec, which may be a little clearer.
>
> > XXX747 Auth-Type = System, Realm == imp, Exec-Program-Wait = "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}"
> > Service-Type := Login-User,
> > cisco-avpair = "shell:priv-lvl=2"
> >
> > Is the above entry correct, with Exec-Program-Wait on the first line?
>
> Use ":=" instead of "=" for Exec-Program-Wait.
>
> > Some logs:
> > ...
> > (3) Received Access-Accept Id 126 from 10.240.24.151:1812 to 10.240.0.5:34919 length 49
> > (3) Reply-Message = "Pass"
> > (3) Message-Authenticator = 0x4e57018f18713865960677d6ccf7002b
> > (3) Proxy-State = 0x313438
> > (3) # Executing section post-proxy from file /etc/raddb/sites-enabled/default
>
> That's good.
>
> > (3) post-proxy {
> > (3) attr_filter.post-proxy: EXPAND %{Realm}
> > (3) attr_filter.post-proxy: --> imp
> > (3) attr_filter.post-proxy: Matched entry imp at line 110
> > (3) [attr_filter.post-proxy] = updated
> > (3) } # post-proxy = updated
> > (3) Found Auth-Type = Reject
>
> Uh... why are you doing that?
>
> > (3) Auth-Type = Reject, rejecting user
> > (3) Failed to authenticate the user
> > (3) Login incorrect: [XXX747 at imp] (from client r-AA port 132)
> > (3) Using Post-Auth-Type Reject
>
> Exec-Program-Wait isn't run for rejected packets.
>
> Why are you forcing "Auth-Type = Reject"?
>
> Alan DeKok.
>
>
Auth-Type reject is forced by the default entry, which is examined because the user entry was not matched with Exec-Program-Wait = "xxxx" (basically I need to reject the user if it receives an access accept but it is not matched by a specific entry in the users file). Now I tried with a simpler user, which is not authenticated on another realm and has a simple cleartext password. This time the entry for the testgianni user is matched, but the program is not invoked:
testgianni Cleartext-Password := "test123", Exec-Program-Wait := "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}"
Service-Type := Login-User,
cisco-avpair = "shell:priv-lvl=2"
DEFAULT Realm == imp, Auth-Type := reject
(1) suffix: No '@' in User-Name = "testgianni", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) files: EXPAND /opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}
(1) files: --> /opt/script/radius/bin/check_operator_access.sh 10.122.159.2 testgianni
(1) files: users: Matched entry testgianni at line 512
(1) [files] = ok
[...]
(1) Found Auth-Type = PAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: User authenticated successfully
(1) [pap] = ok
(1) } # Auth-Type PAP = ok
(1) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(1) post-auth {
(1) update {
(1) No attributes updated
(1) } # update = noop
(1) [exec] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) if ( &request:Realm && (request:Realm == "imp" || request:Realm == "sw" || request:Realm == "sas" )) {
(1) if ( &request:Realm && (request:Realm == "imp" || request:Realm == "sw" || request:Realm == "sas" )) -> FALSE
(1) } # post-auth = noop
(1) Login OK: [testgianni] (from client r-PE port 132)
(1) Sent Access-Accept Id 223 from 10.120.0.5:1812 to 10.122.159.2:1645 length 0
(1) Service-Type = Login-User
(1) Cisco-AVPair = "shell:priv-lvl=2"
(1) Finished request
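As an added illustration (not part of the thread), here is the same check written both as a reply item in the users file and as a dedicated instance of the exec module, which is the approach Alan points to. The module instance name check_operator_access is mine; the script path, attributes and realm names are taken from the messages above.

```text
# --- /etc/raddb/users -----------------------------------------------------
# users(5) layout: the FIRST line of an entry holds check items; the indented
# continuation lines hold reply items. Exec-Program-Wait only has an effect as
# a REPLY item: the "exec" call in post-auth (the "[exec] = noop" line in the
# log above) looks for it in the reply list, and with no "program" configured
# it returns noop when none is there. Exit status 0 -> the script's stdout is
# parsed as "Attribute = value" reply pairs; non-zero -> the request is rejected.
# Note that %{Realm} expands to nothing for a user without a realm (see the
# expansion in the log above), so the script then receives only two arguments.
testgianni	Cleartext-Password := "test123"
	Exec-Program-Wait := "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}",
	Service-Type := Login-User,
	cisco-avpair = "shell:priv-lvl=2"

# --- /etc/raddb/mods-available/exec (second instance; the name is mine) ---
# Same check as a named module instance. The file is already loaded through
# mods-enabled/exec, so the new instance is picked up on the next restart.
exec check_operator_access {
	wait = yes
	program = "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}"
	input_pairs = request
	output_pairs = reply
	# Escape shell metacharacters in expanded values such as User-Name,
	# which is supplied by the client.
	shell_escape = yes
	timeout = 10
}

# --- /etc/raddb/sites-enabled/default, post-auth section -----------------
post-auth {
	# ... existing policies ...
	# The script's exit status is mapped to a return code: 0 = ok,
	# 1 = reject, 2 = fail. A reject here turns the pending Access-Accept
	# into an Access-Reject and runs the Post-Auth-Type REJECT section.
	check_operator_access
}
```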