Hi Hollman,

I too have failed to grasp the nuances of the 'new' exec mechanisms. In the end I admitted defeat, and stuck to the 'old way' - which I fear may become deprecated at some point. In any case, here is what I have done and have working at this point.

1. Restore all the config files to their state before your exec modifications.

2. In the ..../raddb/users file, add an entry similar to the following..

       DEFAULT Auth-Type := Accept
           Exec-Program-Wait = "/usr/local/sbin/auth -L -X -U -- %{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}",
           Fall-Through = no

3. My program (auth) required some command line parameters (for legacy reasons). Radius dictionary name/value pairs are (should be) stored in the environment. Environment variables are radius dictionary names converted to upper case only and all '-' changed to '_' characters.

4. The auth program in my case is responsible for returning (on stdout) all the reply Name/Value pairs. These need to be comma separated. Beware <cr> characters and magically appearing commas. My code has the following comment/warning:

 "/* Need comma separated for freeradius 2.1.8 */
  /* EXCEPT for first value pair - freeradius adds its own comma there for some reason..."

A trailing comma seems to be harmless at this point. I THINK multiple commas MAY also be harmless at this point.

If your reply value pairs are constant, you should be able to add them on the last line before the "Fall-Through = no" entry. Your auth program should return 0 for successful authentication, I return 255 for deny of login. (Perhaps any non 0 would work. Cannot recall.)


I would LOVE to understand the NEW and more correct way of achieving the same result.

If you figure it out, please let me know how to do it.

Good Luck,
-craig
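
An added example (not part of the original message, and not craig's auth program) sketching the contract described in steps 3 and 4: request attributes read from the environment, so the password need not appear on the command line, reply pairs written to stdout as one comma-separated line, and an exit status of 0 to accept or 255 to deny. The function names, the SAMPLE_USERS table, the reply attributes chosen, and the stripping of double quotes around environment values are all assumptions made for illustration.

```python
"""Sketch of an Exec-Program-Wait helper (added example, hypothetical names)."""
import hmac
import os
import sys

# Constructed sample credential store; a real helper would query its own backend.
SAMPLE_USERS = {"alice": "correct horse"}

def env_name(attribute):
    """Dictionary name -> environment variable: upper case, '-' becomes '_'."""
    return attribute.upper().replace("-", "_")

def request_value(env, attribute):
    """Read a request attribute from the environment, or None if absent.
    Assumption: the server may wrap string values in double quotes."""
    raw = env.get(env_name(attribute))
    if raw and len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw

def format_reply(pairs):
    """Render reply pairs as one comma-separated line with no CR/LF inside it."""
    rendered = []
    for name, value in pairs:
        if isinstance(value, int):
            rendered.append(f"{name} = {value}")
            continue
        # Drop control characters and escape quotes so a value cannot start a new pair.
        clean = "".join(ch for ch in str(value) if ch.isprintable())
        clean = clean.replace("\\", "\\\\").replace('"', '\\"')
        rendered.append(f'{name} = "{clean}"')
    return ", ".join(rendered)

def authenticate(env, users=SAMPLE_USERS):
    """Return (exit_status, stdout_text): 0 accepts, 255 denies."""
    user = request_value(env, "User-Name")
    password = request_value(env, "User-Password")
    expected = users.get(user) if user is not None else None
    if expected is None or password is None:
        return 255, ""
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return 255, ""
    reply = [("Reply-Message", f"Welcome {user}"), ("Session-Timeout", 3600)]
    return 0, format_reply(reply)

if __name__ == "__main__":
    status, output = authenticate(os.environ)
    sys.stdout.write(output)
    sys.exit(status)
```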

----- Original Message -----
From: "hollman.diaz" <hollman.d...@gmail.com>
To: <freeradius-users@lists.freeradius.org>
Sent: Sunday, January 30, 2011 8:50 PM
Subject: Exec Module FreeRADIUS Version 2.1.8



Hi everybody

I'm trying to change the Auth-Type attribute with an external application.
I'm using FreeRADIUS Version 2.1.8 and Ubuntu 10.04

What files should I modify?
I have tried with:

/etc/freeradius/radiusd.conf:
...
instantiate {
#
#  Allows the execution of external scripts.
#  The entire command line (and output) must fit into 253 bytes.
#
#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec ven{
        wait = yes
        program = "/etc/disconnect/php return.php %{Calling-Station-Id}"
        input_pairs = request
        output_pairs = reply
        shell_escape = yes
}

/etc/freeradius/sites-enabled/default
post-auth {
...
exec ven{
        wait = yes
        program = "/etc/disconnect/php return.php %{Calling-Station-Id}"
        input_pairs = request
        output_pairs = reply
        shell_escape = yes
}

/etc/freeradius/modules/exec
...
#  See also "echo" for more sample configuration.
#
exec ven{
        wait = yes
        program = "/etc/disconnect/php return.php %{Calling-Station-Id}"
        input_pairs = request
        output_pairs = reply
        shell_escape = yes
}

And /etc/freeradius/users:
...
DEFAULT        Auth-Type := '%{exec:/etc/disconnect/php return.php %{Calling-Station-Id}}'
               Fall-Through = No

External application is /etc/disconnect/return.php and it returns Accept or
Reject values.

I have read several forums but I do not understand the procedure. I would
appreciate a step by step procedure :)


Running freeradius -X, I get (with no modifications in
/etc/freeradius/users):
...
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
/etc/freeradius/sites-enabled/default[464]: Failed to find module "exec".
/etc/freeradius/sites-enabled/default[435]: Errors parsing post-auth section.

Line 464 is
exec ven{

and line 435 is
post-auth {

Thanks in advance,

Hollman Diaz
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Exec-Module-FreeRADIUS-Version-2-1-8-tp3363953p3363953.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html