Using EXEC authentication sources

Nate . nate2077developer at gmail.com
Thu Oct 3 22:30:26 CEST 2019


Sorry, things are still busy around here. I did not catch that, thank you!
I must have edited the wrong file by accident. For the most part things are
working great. I am only struggling with one last thing; I am trying to
pass the variable for the device's MAC address to the script. I am able to
collect the username, IP, and their entered pap password perfectly fine.
It's just the MacAddr that appears to be blank every time.

I thought I was referencing it properly using Calling-Station-Id.

authorize {
        update control {
                Auth-Type := `/usr/bin/php -f /etc/freeradius/auth.php '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}' '%{Calling-Station-Id}'`
        }
}

A side question I have as well. Do you happen to know of a way to pass
these parameters securely? Or a way to prevent injection attacks using this
execution method?

Thanks again for the help,


On Mon, Sep 30, 2019 at 11:18 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Sep 30, 2019, at 11:06 AM, Nate . <nate2077developer at gmail.com> wrote:
> >
> > Hello, I'm trying to test something different in my environment. I read
> > that you can use external authenticators using EXEC. I have tried a basic
> > setup and am running into a problem. I'm not super clear on what the logs
> > are trying to tell me. I feel like the documents I'm reading must be
> > outdated or wrong like many of the websites out there.
> > I am simply trying to use a PHP script to return Accept; no matter what
> > is called. Just to test this out.
> > *auth.php contents:*
>
>   You can't just return "accept" when the client is using EAP.  You MUST
> allow the full EAP conversation to run to completion.
>
> > I feel like I must have the Executing script in the wrong location
> > maybe? I am running using TTLS-PAP on the client (ignoring the
> > certificate on the client's end) and it gives me an authentication
> > failure.
>
>   Put the accept into the inner-tunnel virtual server.  It will work for
> TTLS + PAP, but not for TTLS + MS-CHAP, or PEAP.
>
>   Alan DeKok.
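On the injection question raised above, one way to harden the script side is sketched here. This is an added example, not code from this thread or from the FreeRADIUS project. It assumes the four arguments arrive in the order shown in the authorize block and that the script's output is the value assigned to Auth-Type; the function names and the user table are constructed for illustration.

```php
<?php
// Added example: treat every argument as untrusted and fail closed.
// Assumed argument order (from the authorize block in this thread):
//   User-Name, User-Password, Client-IP-Address, Calling-Station-Id

// Constructed sample credential store (assumption). A real backend lookup
// should use parameterised queries, never string concatenation.
function sample_users(): array {
    return ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

// Accept a MAC written with '-', ':' or '.' separators (or none) and
// return it as aa:bb:cc:dd:ee:ff; return null for anything else.
function normalise_mac(string $raw): ?string {
    $hex = strtolower(str_replace(['-', ':', '.'], '', $raw));
    if (preg_match('/\A[0-9a-f]{12}\z/', $hex) !== 1) {
        return null;
    }
    return implode(':', str_split($hex, 2));
}

// Decide on Accept or Reject from the raw argument list.
function decide(array $args, array $users): string {
    if (count($args) !== 4) {
        return 'Reject';                       // wrong number of arguments
    }
    [$user, $pass, $ip, $mac] = $args;
    // Allowlist the username: no quotes, spaces, or control characters.
    if (preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $user) !== 1) {
        return 'Reject';
    }
    // Length bound chosen for this example.
    if ($pass === '' || strlen($pass) > 128) {
        return 'Reject';
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'Reject';
    }
    if (normalise_mac($mac) === null) {
        return 'Reject';                       // an empty MAC also lands here
    }
    $hash = $users[$user] ?? null;
    return ($hash !== null && password_verify($pass, $hash)) ? 'Accept' : 'Reject';
}

// Only emit a decision when run directly from the command line.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    echo decide(array_slice($argv, 1), sample_users());
}
```

Because the MAC check fails closed, a blank Calling-Station-Id like the one described above produces Reject until the attribute is actually populated.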

