Hello! Today I update my radiusd (01/09/18) to latest snapshot.
It's good feature to use Exec-Program-Wait output as additional AV-pair or as Reply-Message. AV-pair transmitted ok. Reply-Message is not. in doc/README: ------------------------------ For backwards compatibility, if the output doesn't look like valid radius A/V pairs, the output is taken as a message and added to the reply sent to the NAS as Port-Message. ------------------------------ What's on practice: ------------------------------ Ready to process requests. rad_recv: Access-Request packet from host x.x.x.x:1749, id=248, length=162 User-Name = "mmike" Password = "\0240\242\351>\320i\034\027\257\315\035}\233\274\257" NAS-IP-Address = x.x.x.x NAS-Port = 20109 NAS-Port-Type = Async Service-Type = Login-User Calling-Station-Id = "00000000" Ascend-Calling-Id-Type-Of-Num = Unknown Ascend-Calling-Id-Number-Plan = ISDN-Telephony Ascend-Calling-Id-Presentatn = Allowed Ascend-Calling-Id-Screening = User-Not-Screened Acct-Session-Id = "367234457" Ascend-Data-Rate = 33600 Ascend-Xmit-Rate = 31200 Exec-Program: /etc/ppp/radauth Exec-Program-Wait: value-pairs: Limit exceeded Exec-Program: returned: 1 Login incorrect (external check failed): [mmike] (from nas local port 20109 cli 00000000) Sending Access-Reject of id 248 to x.x.x.x:1749 Reply-Message = "\r\nAccess denied (external check failed)." ------------------------------ i.e. Exec-Program: /etc/ppp/radauth Exec-Program-Wait: value-pairs: Limit exceeded <--------+ Exec-Program: returned: 1 | my NAS had to receive this string as Reply-Message ----+ but it got Reply-Message = "\r\nAccess denied (external check failed)." instead bug was is near userparse(). old (v0.2) code: ----------------------- ... do { previous_token = last_token; if ((vp = pairread(&p, &last_token)) == NULL) { return -1; } pairadd(first_pair, vp); ... ----------------------- new one: ----------------------- ... do { previous_token = last_token; if ((vp = pairread(&p, &last_token)) == NULL) { return T_INVALID; } pairadd(first_pair, vp); } while (*p && (last_token == T_COMMA)); ... ----------------------- Difference is: 'return -1;' and 'return T_INVALID;' T_INVALID declared as 'T_INVALID = 0,' in src/include/token.h in radius_exec_program() fragment ---------------------------------------------------- vp = NULL; n = userparse(answer, &vp); if (vp) pairfree(&vp); if (n < 0) { radlog(L_DBG, "Exec-Program-Wait: plaintext: %s", answer); ----------------------------------------------------- '(n < 0)' always FALSE. I think, LRAD_TOKEN must be expanded with "-1" value. I'll try change 'if (n < 0) {' in radius_exec_program() to 'if (n == T_INVALID)'. "AVP"-like responses becomes "Reply-Message". :( I'll try change 'return T_INVALID;' to 'return -1' in 'userparse()' - it's not working good too (possible type mismatch). Mike. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html