Exec-Program-Wait not working

Gianni Costanzi gianni.costanzi at gmail.com
Wed Jun 19 20:18:32 CEST 2019


On Wed, 19 Jun 2019 at 19:09, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jun 19, 2019, at 12:55 PM, Gianni Costanzi <gianni.costanzi at gmail.com>
> wrote:
> > Auth-Type reject is forced by the default entry, which is examined
> because
> > the user entry was not matched with Exec-Program-Wait = "xxxx"
>
>   No, that's not true.  Exec-Program-Wait doesn't affect how a "users"
> file entry is matched.
>
>   So the problem isn't with Exec-Program-Wait.  It's with matching entries
> in the "users" file.
>
>   Describing the problem *correctly* will let us help you.  Giving wrong
> information is a waste of everyone's time.
>
> > (basically I
> > need
> > to reject the user if it receives an access accept but it is not matched
> by
> > a specific entry in the users file).
>
>   That's the default behaviour.  You don't need to add rules to do that.
>
> > Now I tried with a simpler user, which
> > is not authenticated
> > on another realm and has a simple cleartext password. This time the entry
> > for testgianni user is matched, but the program is not invoked:
> >
> > testgianni Cleartext-Password := "test123", Exec-Program-Wait :=
> > "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address}
> > %{User-Name} %{Realm}"
> >        Service-Type := Login-User,
> >        cisco-avpair = "shell:priv-lvl=2"
> >
> > DEFAULT         Realm == imp, Auth-Type := reject
> >
> > (1) suffix: No '@' in User-Name = "testgianni", looking up realm NULL
> > (1) suffix: No such realm "NULL"
> > (1)     [suffix] = noop
> > (1) files: EXPAND /opt/script/radius/bin/check_operator_access.sh
> > %{NAS-IP-Address} %{User-Name} %{Realm}
> > (1) files:    --> /opt/script/radius/bin/check_operator_access.sh
> > 10.122.159.2 testgianni
> > (1) files: users: Matched entry testgianni at line 512
> > (1)     [files] = ok
> > [...]
> > (1) Found Auth-Type = PAP
> > (1) # Executing group from file /etc/raddb/sites-enabled/default
> > (1)   Auth-Type PAP {
> > (1) pap: Login attempt with password
> > (1) pap: Comparing with "known good" Cleartext-Password
> > (1) pap: User authenticated successfully
> > (1)     [pap] = ok
> > (1)   } # Auth-Type PAP = ok
> > (1) # Executing section post-auth from file
> > /etc/raddb/sites-enabled/default
> > (1)   post-auth {
> > (1)     update {
> > (1)       No attributes updated
> > (1)     } # update = noop
> > (1)     [exec] = noop
>
>   The "exec" module implements the Exec-Program-Wait functionality.  If
> it's returning "noop", that's because the module doesn't see
> Exec-Program-Wait.
>
>   At this point, just use the "exec" module.  See the "echo" module for
> examples of running a custom program.
>
>   Alan DeKok.
>



Hi Alan, the user is accepted by realm Imp proxy, then I force an analysis
of users file even if the realm authentication succeeds, because there can
be a user that is authenticated by the realm but must not be accepted by
radius (you must be accepted by realm imp and be defined in the users file
in order to have an access accept).
So if realm authentication returns access Accept and I don’t put a default
access reject for users with realm imp, every user authenticated by realm
imp would be accepted by radius even without being defined in users file.

When I put the Exec-Program-Wait with := as you suggested, the user entry is
matched but the program is not executed at all; otherwise I would get an
entry in /var/log/messages.

I had a look at the echo example, but I don’t understand how I should use
it in the way I was using Exec-Program-Wait in release 2.0 (where it worked
even if not placed on the first line as a check condition and was invoked
correctly). I need to invoke that program only for some specific users and
after having received an Access-Accept from realm imp. Then I can return
an Access-Accept to the device that authenticated the user.

I hope this clarifies our configuration a bit.

   Gianni
-- 
--< Sent from GMail mobile >--
--------------------------------------------------------------------------------------------------------------
Find me on LinkedIn: http://it.linkedin.com/in/giannicostanzi My blog:
http://networkingpills.wordpress.com My best photos on 500px:
http://500px.com/GianniCostanzi PGP Key Fingerprint: 2404 1798 E01F F6BF
0FA3 AA07 B6D5 040F 2EDD 456A
--------------------------------------------------------------------------------------------------------------
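One way to get the behaviour discussed in this thread with the "exec" module Alan points to, written for FreeRADIUS 3.x syntax as an added example (not configuration from either poster or from the FreeRADIUS project): the users file marks which users need the check with a control attribute, a module instance modelled on "echo" wraps the script, and post-auth runs it only for marked users once the realm has accepted them. The module name check_operator_access, the Tmp-String-0 marker value and the password are assumptions; the script path and arguments are the ones from the thread.

```unlang
# mods-available/check_operator_access  (symlink into mods-enabled/)
# Modelled on the shipped "echo" module.  With wait = yes the script's
# exit status becomes the module return code: 0 = ok, 1 = reject, 2 = fail.
exec check_operator_access {
    wait = yes
    program = "/opt/script/radius/bin/check_operator_access.sh %{NAS-IP-Address} %{User-Name} %{Realm}"
    input_pairs = request     # request attributes exported as environment variables
    shell_escape = yes        # escape the expanded arguments before running
    timeout = 10              # seconds before a hung script is killed (counts as fail)
}

# raddb/users
# The marker is a check item on the first line, so it lands in the control
# list and is never sent to the NAS.  Users with realm imp that match no
# entry fall through to the DEFAULT and are rejected, as in the thread.
testgianni  Cleartext-Password := "test123", Tmp-String-0 := "operator-check"
            Service-Type := Login-User,
            cisco-avpair = "shell:priv-lvl=2"

DEFAULT     Realm == "imp", Auth-Type := Reject

# sites-enabled/default, post-auth section
# For a proxied request this runs after the Access-Accept from the home
# server of realm imp has come back.  Only users carrying the marker run
# the script; an exit status of 1 makes the module return "reject", and a
# reject from post-auth turns the Access-Accept into an Access-Reject.
post-auth {
    if (&Realm == "imp" && &control:Tmp-String-0 == "operator-check") {
        check_operator_access
    }
}
```

With `-X` debugging the `files` module should still report the matched entry, and the `check_operator_access` call in post-auth will log the expanded command line and its return code instead of the `[exec] = noop` seen above.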


More information about the Freeradius-Users mailing list