Using EXEC authentication sources

Alan DeKok aland at
Mon Sep 30 17:18:29 CEST 2019

On Sep 30, 2019, at 11:06 AM, Nate . <nate2077developer at> wrote:
> Hello, I'm trying to test something different in my environment. I read
> that you can use external authenticators using EXEC. I have tried a basic
> setup and am running into a problem. I'm not super clear on what the logs
> are trying to tell me. I feel like the documents I'm reading must be
> outdated or wrong like many of the website out there.
> I am simply trying to use a PHP script to return Accept; no matter what is
> called. Just to test this out.
> *auth.php contents:*

  You can't just return "accept' when the client is using EAP.  You MUST allow the full EAP conversation to run to completion.

> I feel like I must have the Executing script in the wrong location maybe? I
> am running using TTLS-PAP on the client(ignoring the certificate on the
> clients end) and it gives me an authentication failure.

  Put the accept into the inner-tunnel virtual server.  It will work for TTLS + PAP, but not for TTLS + MS-CHAP, or PEAP.

  Alan DeKok.

More information about the Freeradius-Users mailing list