Using EXEC authentication sources

Nate . nate2077developer at
Fri Oct 4 15:21:28 CEST 2019

The Calling-Station-ID shows up in the outer portion, eap & "default", but
not the inner-tunnel. I just don't understand how I'm supposed to set a
custom variable to pass to the inner tunnel for use like this.

I'll have to look at the python module when I have the free time, sounds
much nicer than what I'm being told to do.. I'm required to use PHP for
this job, so I can't just go with the python module unless it was
warranted unfortunately. I've expressed my concerns about the security of
this method, but they do not care and want it done this way. Their argument
is that the server will be locked down with hardware only access once it is
completed. My task is simply to collect the user login and device identity,
passing it onto their secondary system for processing, then it will respond
with Ok or Fail.

On Thu, Oct 3, 2019 at 9:20 PM Alan DeKok <aland at> wrote:

> On Oct 3, 2019, at 4:30 PM, Nate . <nate2077developer at> wrote:
> >
> > Sorry, things are still busy around here. I did not catch that, thank
> you!
> > I must have edited the wrong file by accident. For the most part things
> are
> > working great. I am only struggling with one last thing; I am trying to
> > pass the variable for the devices mac address to the script. I am able to
> > collect the username, IP, and their entered pap password perfectly fine.
> > It's just the MacAddr that appears to be blank every time.
> >
> > I thought I was referencing it properly using Calling-Station-Id..
>   As always, read the debug output to see where Calling-Station-ID shows
> up.
> > authorize {
> >        update control {
> >                Auth-Type := `/usr/bin/php -f /etc/freeradius/auth.php
> > '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'
> > '%{Calling-Station-Id}'`
> >        }
> > }
> >
> > A side question I have as well. Do you happen to know of a way to pass
> > these parameters securely? or a way to prevent Injection attacks using
> this
> > execution method?
>   Don't exec a program where anything can read the program arguments.  Use
> an interpreted module like rlm_perl or rlm_pyhthon
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list