Exec-Program-Wait not working

Alan DeKok aland at deployingradius.com
Wed Jun 19 21:34:13 CEST 2019


On Jun 19, 2019, at 2:18 PM, Gianni Costanzi <gianni.costanzi at gmail.com> wrote:
> Hi Alan, the user is accepted by realm Imp proxy, then I force an analysis
> of users file even if the realm authentication succeeds, because there can
> be a user that is authenticated by the realm but must not be accepted by
> radius (you must be accepted by realm imp and be defined in the users file
> in order to have an access accept).

  Why not just check the "users" file *before* proxying?

authorize {
	...
	files
	if (notfound) {
		reject
	}
	...
}

  It's *always* better to reject as soon as possible, instead of accepting the user, and then going "whoops, they were supposed to be rejected!"

  If the "users" file isn't well-suited for this, you can use any number of other modules to load users from databases or text files.

> So if realm authentication returns access Accept and I don’t put a default
> access reject for users with realm imp, every user authenticated by realm
> imp would be accepted by radius even without being defined in users file.

  See above.

  Again, describing the problem *correctly* will let us help you.  Giving wrong or incomplete information is a waste of everyone's time.

  Right now, you're giving out information in bits and pieces.  Stop it.

> When I put the exec-program-wait with := as you suggested the user entry is
> matched but the program is not executed at all, otherwise I would get an
> entry in /var/log/messages.

  You'd also get a message in the debug output.  Which we recommend reading.

> I gave a look at the echo example but I don’t understand how I should use
> it in the way I was using exec-program-wait in release 2.0

  You don't.  You can create a module.  You can control when modules are called through if / then / else conditions.

  You're stuck on implementing a *particular* solution.  Which means you're ignoring alternative solutions.

> (where it worked
> even if not placed on the first line as a check condition and was invoked
> correctly).

  You've said that already.  We understand.

> I need to invoke that program only for some specific users and
> after having received an access accept by realm imp. Then I can return
> access accept to the device that authenticated the user.

  See above:

a) reject users BEFORE proxying
b) then run the program for ALL users on Access-Accept

> Hope I have clarified a bit our configuration.

  I sincerely hope that this is the last clarification.

  Alan DeKok.
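The two steps Alan lists, written out as a FreeRADIUS 3.x configuration. This is an added illustration, not part of the reply above and not taken from the FreeRADIUS project. It assumes FreeRADIUS 3.x (where the 2.x `Exec-Program-Wait` attribute has been replaced by an `exec` module instance), a realm named `imp`, a placeholder program path `/usr/local/bin/notify-accept`, and a made-up module instance name `notify_accept`.

```unlang
# mods-enabled/notify_accept (assumed file name)
# One rlm_exec instance replaces the 2.x Exec-Program-Wait attribute.
exec notify_accept {
	wait = yes                                  # run synchronously, as Exec-Program-Wait did
	program = "/usr/local/bin/notify-accept %{User-Name}"   # placeholder path
	input_pairs = request                       # request attributes exported as environment
	shell_escape = yes                          # escape shell metacharacters in expanded values
	timeout = 10                                # seconds before the child is killed
}

# sites-enabled/default: only the sections relevant to this thread
authorize {
	preprocess
	suffix          # splits user@imp, sets Proxy-To-Realm for realm "imp"
	files           # step (a): the "users" file decides who may continue
	if (notfound) {
		reject      # not in "users": rejected here, never proxied
	}
}

post-auth {
	# step (b): reached only when the final reply is an Access-Accept,
	# including accepts that came back from the "imp" home server.
	notify_accept   # runs the program for every accepted user
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```

Running with `radiusd -X` shows each module call (`files`, `suffix`, `notify_accept`) and its return code, which is the fastest way to confirm that the program is actually invoked on accept and skipped on reject.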
