SQL query as fallback to auth script?

Alan DeKok aland at deployingradius.com
Fri May 3 18:35:07 CEST 2019

> On May 3, 2019, at 10:40 AM, Wladyslaw Jankowski <wladekj at interia.pl> wrote:

  Learn how to format your messages.  When you make it difficult for us to help you, we're inclined to avoid helping you.

>  *(2)       ERROR: Program returned code (1) and output 'Reject'*

> This is the idea: script should always reject - doing its thing behind the scenes - and allow for SQL fallback.

  That makes no sense whatsoever.  If the script always rejects, then you always need a work-around for that reject.

  Why not just have the script do it's thing, and have it return an "ok" code?

  What you're doing now is nailing your feet to the floor, and then asking for help walking across the room.  Just don't do that.

> I can't "Accept" RADIUS auth with this script as it can't calculate MSCHAP challanges and no cleartext password will be provided to it (can't use PAP).

  Yes, FreeRADIUS does authentication.  Your script doesn't.  That's the way it should work./

> I have changed the exit code script is returning but "sql" under "if(fail)" (desired fallback) still doesn't seem to be used: (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type

  Perhaps you could set a password?

  Or, set "Auth-Type := Accept" if you want the user to always be accepted.

  The problem here is that you're asking how to fix the "solution" you came up with.  That's bad practice.  Instead, you should be describing your requirements.  We can then offer you advice as to how to meet those requirements.

  So what are you trying to do?  What *problem* are you trying to solve?  And don't answer "run the script and SQL".  That isn't relevant.  What are the users trying to do?  What answers do you want the RADIUS server to return?  And why?

  Alan DeKok.

More information about the Freeradius-Users mailing list