Post Auth Reject not working after reject using exec Module

Muhammed Buvaydani muhammed.buvaydani at netcom.com.tr
Mon Nov 2 14:06:23 CET 2020


Thank you for the reply, Jorge. Actually, this is my code. It is very simple and does not make any request to the database; I removed all queries to check:

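<?php

$error = "User not found";
// Printed on stdout, where the exec module reads it as the program's output.
echo 'Reply-Message="'.$error.'"';
// Exit status 1 is reported by the exec module as "reject" (see the debug output below).
exit(1);

?>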


But still no success; this is the result that I get again:

(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
(0)   session {
(0) sql: EXPAND %{User-Name}
(0) sql:    --> Aboserifaban
(0) sql: SQL-User-Name set to 'Aboserifaban'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql:    --> SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
rlm_sql (sql): Released connection (2)
(0)     [sql] = ok
(0)   } # session = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0) exec: Executing: /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1":
(0) exec: ERROR: Program returned code (1) and output 'Reply-Message := "Your Account has been expired."'
(0)     [exec] = reject
(0)   } # post-auth = reject
(0) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 42 from 127.0.0.1:1812 to 127.0.0.1:44306 length 52
(0)   Reply-Message := "Your Account has been expired."
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 42 with timestamp +30
Ready to process requests

Best Regards


________________________________
From: Jorge Pereira <jpereira at freeradius.org>
Sent: Monday, November 2, 2020 3:49:15 PM
To: FreeRadius users mailing list
Cc: Muhammed Buvaydani
Subject: Re: Post Auth Reject not working after reject using exec Module

It looks like your script is doing something on the database, and the next task executing these SQL queries is not affecting anything. The problem doesn’t even appear to be in FreeRADIUS.

Try:

1. Execute your script with the expected parameters, e.g.: /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1"

2. Create a script to perform the exact SQL query, e.g.: SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority

3. Do the same call as you expect, e.g.: /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1"

Whenever you have something being called externally, the best way is to isolate the problem. Then you go and poke the server.

Keep in mind that “rlm_exec” expects the script to return 0 for true and 1 for false.
---
Jorge Pereira
jpereira at freeradius.org




On 31 Oct 2020, at 04:53, Muhammed Buvaydani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:

I have FreeRADIUS Version 3.0.21 and I am trying to authenticate users using an external PHP script. The script is working fine.
My problem is that nothing is inserted into the radpostauth table after getting a reject from the script. This is the debug output when a user is rejected:
(0) Received Access-Request Id 71 from 127.0.0.1:47913 to 127.0.0.1:1812 length 100
(0)   User-Name = "Aboserifaban"
(0)   User-Password = "123456"
(0)   Calling-Station-Id = "4e:f9:5e:77:0c:9a"
(0)   NAS-Port = 102
(0)   NAS-IP-Address = 103.200.57.138
(0)   Framed-Protocol = PPP
(0)   Framed-IP-Address = 192.168.0.1
(0)   NAS-Identifier = "nas"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "Aboserifaban", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 48
(0) files: EXPAND /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "%{User-Name}" "%{User-Password}" "%{Calling-Station-Id}" "%{NAS-Port-Id}" "%{NAS-IP-Address}" "%{Framed-Protocol}" "%{Framed-IP-Address}"
(0) files:    --> /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1"
(0)     [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> Aboserifaban
(0) sql: SQL-User-Name set to 'Aboserifaban'
rlm_sql (sql): Reserved connection (0)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Aboserifaban' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Aboserifaban' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Cleartext-Password := "123456"
(0) sql:   Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Aboserifaban' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Aboserifaban' ORDER BY id
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
Need 6 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'cloudradius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
(0)     [sql] = ok
(0)     if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
(0)     if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)  -> FALSE
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
(0)   session {
(0) sql: EXPAND %{User-Name}
(0) sql:    --> Aboserifaban
(0) sql: SQL-User-Name set to 'Aboserifaban'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql:    --> SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
rlm_sql (sql): Released connection (2)
(0)     [sql] = ok
(0)   } # session = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0) exec: Executing: /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1":
(0) exec: ERROR: Program returned code (1) and output 'Reply-Message := "Your Account has been expired."'
(0)     [exec] = reject
(0)   } # post-auth = reject
(0) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 71 from 127.0.0.1:1812 to 127.0.0.1:47913 length 52
(0)   Reply-Message := "Your Account has been expired."
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 71 with timestamp +3
Ready to process requests


As you see above, it rejected the user, but it seems the SQL module is not running.
This is my configuration in the post-auth section of the default file:

post-auth {
    exec
    sql

    Post-Auth-Type REJECT {
        update reply {
            Reply-Message = "Rejected: invalid username or password..!"
        }

        # log failed authentications in SQL, too.
        exec
        sql
    }
}


When I stop exec in the post-auth section, it works fine and it inserts the result in the radpostauth table.
Please help me to fix this issue.
Thanks in Advance
Best Regards


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
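
Added example (not part of the original thread and not FreeRADIUS project code): a shell harness for the isolation step suggested in the reply, running an exec-module helper outside the server and reporting the module return code its exit status maps to, plus how many output lines are not shaped like attribute pairs. The exit-status table follows the comments in raddb/mods-available/exec for FreeRADIUS 3.0.x; the function names and the stand-in helper script are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline harness for a program called by the exec module.

# Exit status -> module return code, per the comments in
# raddb/mods-available/exec (FreeRADIUS 3.0.x).
exec_rcode() {
    case "$1" in
        0|3) echo ok ;;
        1)   echo reject ;;
        4)   echo handled ;;
        5)   echo invalid ;;
        6)   echo userlock ;;
        7)   echo notfound ;;
        8)   echo noop ;;
        9)   echo updated ;;
        *)   echo fail ;;      # 2 and anything above 9
    esac
}

# Succeeds if the line has the shape  Attribute op value  (value may be quoted).
valid_pair() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z][A-Za-z0-9-]* *(:=|\+=|==|=) *("[^"]*"|[^" ]+)$'
}

# Run the helper with the given arguments; print "<rcode> <bad-line-count>".
check_helper() {
    status=0
    out=$("$@") || status=$?
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        valid_pair "$line" || bad=$((bad + 1))
    done <<EOF
$out
EOF
    echo "$(exec_rcode "$status") $bad"
}

# Constructed stand-in for auth_new.php: one reply pair, exit status 1.
make_sample_helper() {
    f=$(mktemp) || return 1
    printf '%s\n' "echo 'Reply-Message := \"User not found\"'" 'exit 1' > "$f"
    echo "$f"
}

h=$(make_sample_helper)
check_helper sh "$h" "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a"   # -> reject 0
rm -f "$h"
```

To test a real helper, replace `sh "$h"` with the interpreter and script path from the `Executing:` debug line and pass the same arguments.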


More information about the Freeradius-Users mailing list