Hi all,

I'd like to use a script to authenticate eap users. If I write in users:

DEFAULT Auth-Type := Accept
	Exec-Program-Wait = "/etc/freeradius/auth.sh"

everything works fine without eap. If I use eap/peap, and I write static entries in the users file (i.e. user User-Password == "pass"), again everything works fine.

Is there a way to use a script instead of a static entry? I tried to define in radiusd.conf:

exec login {
	wait = yes
	program = "/etc/freeradius/auth.sh"
	input_pairs = request
	output_pairs = config
}

authorize {
	preprocess
	auth_log
	eap
	login
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}

This is the last part of the debug I obtain:

-------------------
rad_recv: Access-Request packet from host 172.27.1.2:2048, id=0, length=222
	User-Name = "user"
	NAS-IP-Address = 172.27.1.2
	Called-Station-Id = "001217bcf177"
	Calling-Station-Id = "000cf102223f"
	NAS-Identifier = "001217bcf177"
	NAS-Port = 31
	Framed-MTU = 1400
	State = 0x6e3920e40ad9946c1c33e00a383508f6
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x02080050190017030100201692cc07d9feeb5af7cd044abdd6b07bc1bc4a3bbdf4e2e698647a87b57d56cd1703010020f466325cf16a7c3594d254f1a78462e494863c04b254dcb4cdd42f5f23c5e955
	Message-Authenticator = 0x381e97fa3b15a2dbf5d6412071febe63
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modsingle[authorize]: calling preprocess (rlm_preprocess) for request 8
  modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modsingle[authorize]: calling auth_log (rlm_detail) for request 8
radius_xlat:  '/var/log/freeradius/radacct/172.27.1.2/auth-detail-20050210'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.27.1.2/auth-detail-20050210
  modsingle[authorize]: returned from auth_log (rlm_detail) for request 8
  modcall[authorize]: module "auth_log" returns ok for request 8
  modsingle[authorize]: calling eap (rlm_eap) for request 8
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modsingle[authorize]: returned from eap (rlm_eap) for request 8
  modcall[authorize]: module "eap" returns updated for request 8
  modsingle[authorize]: calling login (rlm_exec) for request 8
radius_xlat:  '/etc/freeradius/auth.sh'
Exec-Program: /etc/freeradius/auth.sh
Exec-Program output:
Exec-Program: returned: 0
  modsingle[authorize]: returned from login (rlm_exec) for request 8
  modcall[authorize]: module "login" returns ok for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  modsingle[authenticate]: calling eap (rlm_eap) for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  PEAP tunnel data in 0000: 02 08 00 0b 21 80 03 00 02 00 02
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modsingle[authenticate]: returned from eap (rlm_eap) for request 8
  modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Thu Feb 10 18:10:38 2005 : Auth: Login incorrect: [user] (from client wis-network port 31 cli 000cf102223f)
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
rl_next: returning NULL
-------------------

What am I doing wrong?

Thank you,
-- 
Marco