On Wed, Jun 19, 2019 at 6:40 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 19, 2019, at 12:03 PM, Gianni Costanzi <gianni.costanzi@gmail.com> wrote:
I tried to move the Exec-Program-Wait to the first line but it is still not executed.. I can see that the authentication is proxied to realm Imp, it receives an Access accept but then the entry or XXX747 is not matched and the DEFAULT entry with an access Reject is matched. The program is still not executed:
You can also use raddb/mods-available/exec, which may be a little clearer.
XXX747 Auth-Type = System, Realm == imp, Exec-Program-Wait = "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}" Service-Type := Login-User, cisco-avpair = "shell:priv-lvl=2"
Is the above entry correct, with Exec-Program-Wait on the first line?
Use ":=" instead of "=" for Exec-Program-Wait.
Some logs: ... (3) Received Access-Accept Id 126 from 10.240.24.151:1812 to 10.240.0.5:34919 length 49 (3) Reply-Message = "Pass" (3) Message-Authenticator = 0x4e57018f18713865960677d6ccf7002b (3) Proxy-State = 0x313438 (3) # Executing section post-proxy from file /etc/raddb/sites-enabled/default
That's good.
(3) post-proxy { (3) attr_filter.post-proxy: EXPAND %{Realm} (3) attr_filter.post-proxy: --> imp (3) attr_filter.post-proxy: Matched entry imp at line 110 (3) [attr_filter.post-proxy] = updated (3) } # post-proxy = updated (3) Found Auth-Type = Reject
Uh... why are you dong that?
(3) Auth-Type = Reject, rejecting user (3) Failed to authenticate the user (3) Login incorrect: [XXX747@imp] (from client r-AA port 132) (3) Using Post-Auth-Type Reject
Exec-Program-Wait isn't run for rejected packets.
Why are you forcing "Auth-Type = Reject"?
Alan DeKok.
Auth-Type reject is forced by the default entry, which is examined because the user entry was not matched with Exec-Program-Wait = "xxxx" (basically I need to reject the user if it receives an access accept but it is not matched by a specific entry in the users file). Now I tried with a simpler user, which is not authenticated on another realm and has a simple cleartext password. This time the entry for testgianni user is matched, but the program is not invoked: testgianni Cleartext-Password := "test123", Exec-Program-Wait := "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}" Service-Type := Login-User, cisco-avpair = "shell:priv-lvl=2" DEFAULT Realm == imp, Auth-Type := reject (1) suffix: No '@' in User-Name = "testgianni", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) files: EXPAND /opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm} (1) files: --> /opt/script/radius/bin/check_operator_access.sh 10.122.159.2 testgianni (1) files: users: Matched entry testgianni at line 512 (1) [files] = ok [...] (1) Found Auth-Type = PAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Auth-Type PAP { (1) pap: Login attempt with password (1) pap: Comparing with "known good" Cleartext-Password (1) pap: User authenticated successfully (1) [pap] = ok (1) } # Auth-Type PAP = ok (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default (1) post-auth { (1) update { (1) No attributes updated (1) } # update = noop (1) [exec] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) if ( &request:Realm && (request:Realm == "imp" || request:Realm == "sw" || request:Realm == "sas" )) { (1) if ( &request:Realm && (request:Realm == "imp" || request:Realm == "sw" || request:Realm == "sas" )) -> FALSE (1) } # post-auth = noop (1) Login OK: [testgianni] (from client r-PE port 132) (1) Sent Access-Accept Id 223 from 10.120.0.5:1812 to 10.122.159.2:1645 length 0 (1) Service-Type = Login-User (1) Cisco-AVPair = "shell:priv-lvl=2" (1) Finished request