I did not explain it very well. What I want to do is:

Put phone number, etc. attributes in radreply for a user.

1. Authenticate the user via RADIUS via a Microsoft NPS server
2. Run my exec authorization script to send the OTP password
3. Challenge response
4. Auth OTP

My config... this all works if the user is in SQL.

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type zotp {
        ZOTP
    }
    unix
    eap
}

authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    sql
    expiration
    logintime
    pap
    if (control:Auth-Type == 'zotp') {
        ZOTP
        if (updated) {
            update control {
                Response-Packet-Type := Access-Challenge
            }
            handled
        }
    }
}

Is there a way to do this? Get something from the proxy and something from SQL and then auth and authorize?

Here is the output from a working user.

rad_recv: Access-Request packet from host 127.0.0.1 port 39099, id=10, length=45
        User-Name = "test2"
        User-Password = "test2"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
[sql]   expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'test2' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'test2' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test2' ORDER BY id
[sql] User found in group test2
[sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
++? if (control:Auth-Type == 'zotp')
? Evaluating (control:Auth-Type == 'zotp') -> TRUE
++? if (control:Auth-Type == 'zotp') -> TRUE
++- entering if (control:Auth-Type == 'zotp') {...}
[ZOTP]  expand: %{User-Name} -> test2
[ZOTP]  expand: %{User-Password} -> test2
[ZOTP]  expand: %{reply:RadiusPassword} -> A45AdlG.TyuCLZWiUtmXIjxXGtHPYdu
[ZOTP]  expand: %{reply:Secret} -> mmmmmmmmmmmmmmmm
[ZOTP]  expand: %{reply:Offset} -> 1
[ZOTP]  expand: %{reply:OTP-Type} -> SMS
[ZOTP]  expand: %{reply:OTP-Mobilenumber} -> 30913091
[ZOTP]  expand: %{State} ->
Exec-Program output: Reply-Message += "Enter SMS.", State = "25128",
Exec-Program-Wait: value-pairs: Reply-Message += "Enter SMS.", State = "25128",
Exec-Program: returned: 9
+++[ZOTP] returns updated
+++? if (updated)
? Evaluating (updated) -> TRUE
+++? if (updated) -> TRUE
+++- entering if (updated) {...}
++++[control] returns updated
++++[handled] returns handled
+++- if (updated) returns handled
++- if (control:Auth-Type == 'zotp') returns handled
Sending Access-Challenge of id 10 to 127.0.0.1 port 39099
        Framed-IP-Address := 172.20.3.34
        Reply-Message += "Enter SMS."
        State = 0x3235313238
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 10 with timestamp +58
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 39099, id=11, length=70
        Framed-IP-Address = 172.20.3.34
        Reply-Message = "Enter SMS."
        State = 0x3235313238
        User-Name = "test2"
        User-Password = "3fwy7h"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
[sql]   expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'test2' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'test2' ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test2' ORDER BY id
[sql] User found in group test2
[sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
++? if (control:Auth-Type == 'zotp')
? Evaluating (control:Auth-Type == 'zotp') -> TRUE
++? if (control:Auth-Type == 'zotp') -> TRUE
++- entering if (control:Auth-Type == 'zotp') {...}
[ZOTP]  expand: %{User-Name} -> test2
[ZOTP]  expand: %{User-Password} -> 3fwy7h
[ZOTP]  expand: %{reply:RadiusPassword} -> A45AdlG.TyuCLZWiUtmXIjxXGtHPYdu
[ZOTP]  expand: %{reply:Secret} -> mmmmmmmmmmmmmmmm
[ZOTP]  expand: %{reply:Offset} -> 1
[ZOTP]  expand: %{reply:OTP-Type} -> SMS
[ZOTP]  expand: %{reply:OTP-Mobilenumber} -> 30913091
[ZOTP]  expand: %{State} -> 0x3235313238
Exec-Program output: Reply-Message := "Accepted.",
Exec-Program-Wait: value-pairs: Reply-Message := "Accepted.",
Exec-Program: returned: 0
+++[ZOTP] returns ok
+++? if (updated)
? Evaluating (updated) -> FALSE
+++? if (updated) -> FALSE
++- if (control:Auth-Type == 'zotp') returns ok
Found Auth-Type = zotp
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group zotp {...}
[ZOTP]  expand: %{User-Name} -> test2
[ZOTP]  expand: %{User-Password} -> 3fwy7h
[ZOTP]  expand: %{reply:RadiusPassword} -> A45AdlG.TyuCLZWiUtmXIjxXGtHPYdu
[ZOTP]  expand: %{reply:Secret} -> mmmmmmmmmmmmmmmm
[ZOTP]  expand: %{reply:Offset} -> 1
[ZOTP]  expand: %{reply:OTP-Type} -> SMS
[ZOTP]  expand: %{reply:OTP-Mobilenumber} -> 30913091
[ZOTP]  expand: %{State} -> 0x3235313238
Exec-Program output: Reply-Message := "Accepted.",
Exec-Program-Wait: value-pairs: Reply-Message := "Accepted.",
Exec-Program: returned: 0
++[ZOTP] returns ok
WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/raddb/sites-enabled/default
Sending Access-Accept of id 11 to 127.0.0.1 port 39099
        Framed-IP-Address := 172.20.3.34
        Reply-Message := "Accepted."
Finished request 2.

Best regards

Thomas Raabo
Senior Network Engineer
CCIE #33466
_____________________________________________
t...@zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66

-----Original message-----
From: freeradius-users-bounces+tr=zitcom...@lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom...@lists.freeradius.org] On behalf of Alan DeKok
Sent: 16 October 2012 14:22
To: FreeRadius users mailing list
Subject: Re: authorize after proxy.

Thomas Raabo - Zitcom A/S wrote:
> Is it possible to do authentication and then authorization on the SQL db?

  post-auth {
    ...
    sql.authorize
    ...
  }

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
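The debug output above shows the shape of the exec-based OTP exchange: on the first leg the ZOTP script prints Reply-Message and a State value-pair and exits 9 (rlm_exec reports "updated"), the server turns that into an Access-Challenge, and on the second leg the client echoes State (which FreeRADIUS expands as 0x-prefixed hex, 0x3235313238 for "25128") together with the OTP as User-Password, and the script exits 0 ("ok"). The following is an added example of such a script, written for this page; it is not the poster's ZOTP script and not FreeRADIUS project code. It assumes the rlm_exec exit-code mapping visible in the debug (9 = updated, 0 = ok) plus 1 = reject, that the module's program line passes user, password, state and mobile number as positional arguments (the thread shows these as xlat expansions but not the argument order), and a hypothetical JSON file path for the pending-challenge store. The state token is random, single-use, bound to the user and time-limited, and the OTP comparison is constant-time.

```python
"""Hypothetical SMS-OTP challenge/response helper in the shape an rlm_exec
script takes.  Added example; assumptions are marked in comments."""
import hmac
import json
import re
import secrets
import sys
import time

# Exit codes as rlm_exec maps them: 9 and 0 are visible in the thread's
# debug output ("returned: 9" -> updated, "returned: 0" -> ok); 1 = reject
# is assumed from the module's documented mapping.
EXIT_OK = 0
EXIT_REJECT = 1
EXIT_UPDATED = 9

OTP_TTL_SECONDS = 120                              # assumed challenge lifetime
OTP_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no 0/O, 1/l/i ambiguity
STORE_PATH = "/tmp/otp-pending.json"               # hypothetical path, see note

# Matches the "Attr op "value", Attr op "value"," line rlm_exec parses from stdout.
PAIR_RE = re.compile(r'\s*([\w-]+)\s*(:=|\+=|=)\s*"([^"]*)"\s*(?:,|$)')


def parse_pairs(line):
    """Turn the script's stdout line back into (attribute, op, value) tuples."""
    return [(a, op, v) for a, op, v in PAIR_RE.findall(line)]


def normalize_state(raw):
    """On the second leg %{State} expands as 0x-hex (0x3235313238 -> "25128");
    on the first leg it is empty.  Accept both forms and reject garbage."""
    if not raw:
        return ""
    raw = raw.strip()
    if raw.startswith("0x"):
        try:
            return bytes.fromhex(raw[2:]).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return ""
    return raw


def new_otp(length=6):
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))


def send_sms(mobile, otp):
    """Placeholder for the SMS gateway call (not part of the thread)."""
    return True


def handle(user, password, state, mobile, store, now=None):
    """Return (stdout_line, exit_code).  `store` maps state token ->
    (user, otp, expiry) and must be shared across invocations."""
    now = time.time() if now is None else now
    token = normalize_state(state)

    if not token:
        # First leg: the primary credential was already checked upstream
        # (proxy or SQL in the thread's design), so issue the challenge.
        otp = new_otp()
        token = secrets.token_hex(8)           # unguessable, unlike "25128"
        store[token] = (user, otp, now + OTP_TTL_SECONDS)
        send_sms(mobile, otp)
        return ('Reply-Message += "Enter SMS.", State = "%s"' % token, EXIT_UPDATED)

    # Second leg: pop so the token is single-use even when the code is wrong.
    entry = store.pop(token, None)
    if entry is None:
        return ('Reply-Message := "No pending challenge."', EXIT_REJECT)
    owner, otp, expires = entry
    if owner != user or now > expires:
        return ('Reply-Message := "Challenge expired."', EXIT_REJECT)
    if not hmac.compare_digest(password.encode(), otp.encode()):
        return ('Reply-Message := "Wrong code."', EXIT_REJECT)
    return ('Reply-Message := "Accepted."', EXIT_OK)


def main(argv, store_path=STORE_PATH):
    """argv: script user password state mobile (assumed argument order)."""
    if len(argv) < 5:
        print('Reply-Message := "Bad arguments."')
        return EXIT_REJECT
    user, password, state, mobile = argv[1:5]
    try:
        with open(store_path) as fh:
            store = {k: tuple(v) for k, v in json.load(fh).items()}
    except FileNotFoundError:
        store = {}
    line, code = handle(user, password, state, mobile, store)
    with open(store_path, "w") as fh:
        json.dump(store, fh)
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because rlm_exec starts a fresh process for every request, the pending challenge has to live somewhere shared between the first and second leg; the JSON file here is only for illustration, and in a setup like the thread's the natural place is the same SQL database that already holds the radreply attributes, with the row deleted on first use.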