Error: Exec-Program: Permission Denied when running via service start

2011-03-29 Thread Christopher Athans
Greetings all, I've been racking my brains out trying to solve/debug
the following issue, hopefully someone can provide a new perspective.

I've implemented mOTP as an external authentication program by
defining it in radiusd.conf with a Program = /etc/raddb/otpverify.sh
statement.
As I said, it does indeed work properly, except, when I start the
radiusd server up as a daemon via init.d

radiusd -X   - Works properly
service radiusd start or /etc/init.d/radiusd start FAILS
sh /etc/init.d/radiusd start Works

When it works properly, I get proper Accept Replies.  When it 'fails',
it's due to not being able to execute the script and this is logged in
radius.log
Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh:
Permission denied

In all the above scenarios, I was root when executing the statements.
I am *not* in a chroot jail, all the necessary directories are
read/write by user 'radiusd' which is what the process is running as.
I'm also using the init.d script that came with the CentOS package.

My Linux platform and FreeRADIUS information is as follows:

CentOS 5.5 -  2.6.18-194.32.1.el5 #1 SMP  x86_64 GNU/Linux
running  FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu.


Thanks for any assistance with this.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: Exec-Program: Permission Denied when running via service start

2011-03-29 Thread John Dennis


Is SELinux enabled?

% getenforce

If it's enforcing then set it to permissive mode

% setenforce 0

Now does it work? If so what were your recent AVC's in 
/var/log/audit/audit.log?


Not the problem? Then verify the script can run as the radiusd user.



--
John Dennis jden...@redhat.com



Re: Error: Exec-Program: Permission Denied when running via service start

2011-03-29 Thread Christopher Athans
*sigh* it was indeed SELinux.  I thought I had it disabled.  Still
not exactly sure why when I wrapped the init.d statement with a 'sh'
it works, but nevertheless you solved my issue.  Thanks John.



Re: Error: Exec-Program: Permission Denied when running via service start

2011-03-29 Thread John Dennis

On 03/29/2011 03:20 PM, Christopher Athans wrote:

*sigh* it was indeed SELinux.  I thought I had it disabled.  Still
not exactly sure why when I wrapped the init.d statement with a 'sh'
it works, but nevertheless you solved my issue.  Thanks John.


The behavior is different because /sbin/service has special SELinux 
transition rules.


--
John Dennis jden...@redhat.com



Re: Error: Exec-Program: Permission Denied when running via service start

2011-03-29 Thread Alan Buxey
Hi,

 I've implemented mOTP as an external authentication program by
 defining it in radiusd.conf with a Program = /etc/raddb/otpverify.sh
 statement.
 As I said, it does indeed work properly, except, when I start the
 radiusd server up as a daemon via init.d
 
 radiusd -X   - Works properly
 service radiusd start or /etc/init.d/radiusd start FAILS
 sh /etc/init.d/radiusd start Works
 
 When it works properly, I get proper Accept Replies.  When it 'fails',
 it's due to not being able to execute the script and this is logged in
 radius.log
 Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh:
 Permission denied

it sounds like basics...but this error message is pretty straightforward...
what are the permissions on that file?  are you running e.g. SELinux?

alan


Re: Error: Exec-Program: Permission Denied when running via service start

2011-03-29 Thread Alan Buxey
Hi,
 *sigh* it was indeed SELinux.  I thought I had it disabled.  Still
 not exactly sure why when I wrapped the init.d statement with a 'sh'
 it works, but nevertheless you solved my issue.  Thanks John.

you are going to fix the issue as shown by audit2allow etc. rather than just
leave SELinux disabled or permissive?  (so many people do that... then wonder
how the bad guys got onto their server)

alan
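
Added example, not part of any message in this thread: one way to answer the question about recent AVCs is to reduce audit.log to the distinct denials for radiusd, which is the information audit2allow works from. The log lines and the SELinux type names in them are constructed sample data.

```sh
#!/bin/sh
# Summarise SELinux AVC denials for one process name from audit.log text.
# On a real host:  summarize_avc radiusd < /var/log/audit/audit.log

# Constructed sample input (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1301425801.101:201): avc:  denied  { execute } for  pid=4312 comm="radiusd" name="otpverify.sh" dev=dm-0 ino=918273 scontext=root:system_r:radiusd_t:s0 tcontext=root:object_r:radiusd_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1301425801.101:201): arch=c000003e syscall=59 success=no exit=-13 comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC msg=audit(1301425809.554:207): avc:  denied  { execute } for  pid=4320 comm="radiusd" name="otpverify.sh" dev=dm-0 ino=918273 scontext=root:system_r:radiusd_t:s0 tcontext=root:object_r:radiusd_etc_t:s0 tclass=file
type=AVC msg=audit(1301425900.000:230): avc:  denied  { read } for  pid=5000 comm="httpd" name="index.html" dev=dm-0 ino=11 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
EOF
}

# summarize_avc COMM
# Reads audit records on stdin and prints one line per distinct denial:
#   <count>x <source type> -> <target type> <class> { <perms> } name=<object>
summarize_avc() {
    awk -v want="$1" '
    $1 == "type=AVC" && / denied / {
        comm = name = src = dst = cls = ""

        # Permission list is the text between the braces.
        perms = $0
        sub(/^.*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)

        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            # Context is user:role:type:level, the type is the third field.
            if ($i ~ /^scontext=/) { split($i, p, ":"); src = p[3] }
            if ($i ~ /^tcontext=/) { split($i, p, ":"); dst = p[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (comm != want) next

        key = src " -> " dst " " cls " { " perms " } name=" name
        if (!(key in count)) order[++n] = key   # keep first-seen order
        count[key]++
    }
    END {
        for (i = 1; i <= n; i++) print count[order[i]] "x " order[i]
    }'
}

# Demo on the constructed sample.
sample_audit_log | summarize_avc radiusd
```

Each output line names the domain the daemon ran in, the label on the object it was refused, and the permission, which is what needs reviewing before any rule generated by audit2allow is loaded.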


reply-detail log And Exec-Program-Wait

2011-03-13 Thread KHiDR
Dear All ,

I am upgrading from 1.1.7 to 2.1.10.
I am using Exec-Program-Wait to run a script.
In the old version, I can find the output of my script in the reply-detail log,
but in the new version I only find the attribute
Exec-Program-Wait = /usr/bin/php /var/www/html/check.php testuser 1

but I need all the output to be printed in the reply-detail log,
so is there any way to do that?


regards

Exec-Program-Wait and reply-detail log

2011-03-07 Thread AHMED KHIDR
Dear All ,

I am upgrading from 1.1.7 to 2.1.10.
I am using Exec-Program-Wait to run a script.
In the old version, I can find the output of my script in the reply-detail log,
but in the new version I only find the attribute
Exec-Program-Wait = /usr/bin/php /var/www/html/check.php testuser 1

but I need all the output to be printed in the reply-detail log,
so is there any way to do that?


regards

Output from Exec-Program-Wait in users file

2010-11-12 Thread Craig Campbell
Hi,
am migrating from an ancient radius install to FreeRADIUS Version 2.1.8
The system uses a custom authentication binary which we access from the users 
file via,


  DEFAULT NAS-IP-Address == 192.168.1.100, Auth-Type := Accept, 
Simultaneous-Use := 1
  Exec-Program-Wait = /usr/local/sbin/auth -X -U -u 5882626 -- 
%{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} 
%{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} 
%{%{NAS-Port-Type}:-Missing} %{Vendor-Specific} ,
  Fall-Through = no

On the old version, the output from the EXEC was sent back in the Accept 
packet.

Now it looks like the stdout from the Exec-Program-Wait is not being sent back 
but either dropped or misplaced.

  ++[sql] returns ok
  +- entering group post-auth {...}
  Exec-Program output: Framed-Compression=Van-Jacobsen-TCP-IP 
Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 
Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 
Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER 
ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
  Exec-Program-Wait: plaintext: Framed-Compression=Van-Jacobsen-TCP-IP 
Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 
Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 
Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER 
ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
  Exec-Program: returned: 0
  ++[exec] returns noop
  Sending Access-Accept of id 248 to 192.168.1.100 port 5
  Finished request 0.
Is there a way to direct the output from the Exec-Program into the Accept 
packet?  

As far as we can tell, we are sending back an empty Accept packet.  The values 
are calculated by the auth binary, so hard coding them would be very difficult.

It's after 1am here, so I hope this won't seem obvious in the morning.

Any hints would be greatly appreciated.

Thanks so much,
-craig




Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




Re: Output from Exec-Program-Wait in users file

2010-11-12 Thread Craig Campbell
I think I found the issue.  One of the value pairs being returned used a name 
not defined in the dictionary file.  The new name is similar leading me to 
suspect the old name was deprecated and eventually replaced with a more clear 
name.

Thanks all!
-craig

Problem with expand result of exec-program

2010-09-23 Thread Juan Rodríguez

Hi everybody!!
I've got a strange problem with expand the result of the execution of a 
program. This is my config data:

-- dictionary ---
ATTRIBUTE   mi-resultado-script   3003   integer


- exec --
exec {
wait = yes
shell_escape = yes
output = yes
}

--- sites-available/default --
mi-resultado-script = %{exec:/aplicaciones/radius/bin/radius_ath.sh}


But during the execution:

Executing /aplicaciones/radius/bin/radius_ath.sh
Exec-Program output: 
Exec-Program: returned: 1
result 1
expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} - 

The result of the program is 1 but the value of the expression is not 
expanded, and the attribute mi-resultado-script has always zero value.

Could you help me with this?

Thank you very much.

Re: Problem with expand result of exec-program

2010-09-23 Thread Alan DeKok
Juan Rodríguez wrote:
 Hi everybody!!
 Executing /aplicaciones/radius/bin/radius_ath.sh
 Exec-Program output:

  The program printed nothing.

 Exec-Program: returned: 1
 result 1
 expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} -
 
 The result of the program is 1 but the value of the expression is not
 expanded, and the attribute mi-resultado-script has always zero value.
 
 Could you help me with this?

  Fix your program so that it prints something to the output.

  Alan DeKok.


RE: Problem with expand result of exec-program

2010-09-23 Thread Juan Rodríguez

Thank you Alan.
I get this error now:
expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} - 1 
ERROR: Failed parsing value 1  for attribute mi-resultado-script: Unknown 
value 1  for attribute mi-resultado-script

We can see a space after value 1. I've written in my script the line
echo 1

only to be sure, but this space appears again.
Could you help me with this?
Thanks again.



Re: Problem with expand result of exec-program

2010-09-23 Thread Alan DeKok
Juan Rodríguez wrote:
 Thank you Alan.
 I get this error now:
 expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} - 1
 ERROR: Failed parsing value 1  for attribute mi-resultado-script:
 Unknown value 1  for attribute mi-resultado-script

  See scripts/exec-program-wait

  This is documented.

  Alan DeKok.


Rewriting Exec-Program-Wait

2010-06-08 Thread Mindaugas Riauba
  Hello,

  Just upgraded to freeradius2 2.1.7 on CentOS 5.5. And
Exec-Program-Wait no longer works now for accounting packets. Rewrote
to exec module.
  But for performance reasons we were not executing external program
for all the packets before. We used more specific user entries in
users and acct_users files to return result without executing program.
Like:

DEFAULT Auth-Type := Accept, NAS-Identifier == company,
Calling-Station-Id =~ ^49, 3GPP-SGSN-Address =~ ^10.20.20.
DEFAULT Auth-Type := Accept
Exec-Program-Wait = /etc/raddb/external-auth

  How to change that to exec module syntax? So that external-auth
would not be called for certain packets?

  Regards,

  Mindaugas


Re: Accounting Exec-Program

2009-08-22 Thread Alan DeKok
David Rodríguez Fernández wrote:
 Hi list.
 The accounting is working, the radius server stores the accounting
 data in files, but doesn't execute my script. This script was working
 with a previous version of freeradius.
 
 I'm missing some configuration parameter, but I don't know what.

  Have you listed exec in the accounting section?  It's that way in
the default configuration.

  Alan DeKok.


Accounting Exec-Program

2009-08-20 Thread David Rodríguez Fernández
Hi list.

This is my first message to the list. I have read a lot before sending
this message.

I have freeradius version 2.1.6 and want to for every accounting
packet exec a script.

I have configured the ${confdir}/modules/files file with:
acctusersfile = ${confdir}/acct_users

and my acct_users file have:
DEFAULT Acct-Status-Type == Start
Exec-Program = /etc/rad216-gprs/raddb/user_login.pl

DEFAULT Acct-Status-Type == Stop
Exec-Program = /etc/rad216-gprs/raddb/user_login.pl

The accounting is working, the radius server stores the accounting
data in files, but doesn't execute my script. This script was working
with a previous version of freeradius.

I'm missing some configuration parameter, but I don't know what.

Can you help? Thanks in advance.


Re: Exec-Program-Wait problem

2009-04-22 Thread enid

Thank you for your reply,
to make it more precise, I'm trying to execute a script that checks the
users accounting (hours and minutes generated from radiusreport tool). And
when the users passes his limit he is then blocked access.
The exec module allows only this syntax: Attribute-Name =
`%{exec:/etc/freeradius/somescript}`,
(this is passed as an AV pair to the client/nas, the freeradius is running
as freerad user not root).

how can I make this happen with this syntax?

Thanks in advance.




Re: Exec-Program-Wait problem

2009-04-22 Thread Alan DeKok
enid wrote:
 to make it more precise, I'm trying to execute a script that checks the
 users accounting (hours and minutes generated from radiusreport tool). And
 when the users passes his limit he is then blocked access.

  The exec module can do that.

 The exec module allows only this syntax: Attribute-Name =
 `%{exec:/etc/freeradius/somescript}`,

  No.

  Go back and read raddb/modules/echo

  Alan DeKok.


Exec-Program problem

2009-04-22 Thread Nirmal
Hi,
 
I am running freeradius-server-2.1.1-7.
 
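+----+----------+-------------------+----+-------------------------+
| id | username | attribute         | op | value                   |
+----+----------+-------------------+----+-------------------------+
|  1 | spark    | Exec-Program-Wait | := | /etc/raddb/getmac %u %i |
+----+----------+-------------------+----+-------------------------+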

 
radiusd -XX -d /etc/raddb/
 
 
Wed Apr 22 17:05:03 2009 : Auth: Login OK: [spark] (from client localhost port 
2 cli 00:19:D1:4A:53:F8)
Wed Apr 22 17:05:03 2009 : Info: +- entering group post-auth {...}
Wed Apr 22 17:05:03 2009 : Info: [exec] expand: %u - spark
Wed Apr 22 17:05:03 2009 : Info: [exec] expand: %i - 00:19:D1:4A:53:F8
Wed Apr 22 17:05:03 2009 : Debug: Exec-Program output: Wed Apr 22 17:05:03 2009 
: Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
Wed Apr 22 17:05:03 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr 22 
17:05:03 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec 
format error
Wed Apr 22 17:05:03 2009 : Debug: Exec-Program: returned: 1
Wed Apr 22 17:05:03 2009 : Info: [exec] Login incorrect (external check said so)
Wed Apr 22 17:05:03 2009 : Info: ++[exec] returns reject
Wed Apr 22 17:05:03 2009 : Info: Delaying reject of request 1 for 1 seconds

 
file /etc/raddb/getmac contains following with execute+radiusd permission 

#/bin/bash
echo $1 --- $2 - done  /etc/raddb/mac_entries

 
 
What could be wrong?
 
 
 
Nirmal Patel | Mumbai
 



Re: Exec-Program problem

2009-04-22 Thread Alan DeKok
Nirmal wrote:
...
 Wed Apr 22 17:05:03 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr
 22 17:05:03 2009 : Error: Exec-Program: FAILED to execute
 /etc/raddb/getmac: Exec format error
...
 #/bin/bash

  You can't run that program from a shell prompt, either.  You have a
typo.  It should be:

#!/bin/bash

  Alan DeKok.
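
Added example, not part of the thread: a pre-flight check for a program referenced by Exec-Program-Wait that catches the "#/bin/bash" typo above before radiusd logs "Exec format error". The function name check_exec_script and the demo files are assumptions made for illustration.

```sh
#!/bin/sh
# check_exec_script PATH
# Prints one verdict and returns 0 only for "ok":
#   missing | not-executable | bad-shebang | missing-interpreter | ok
check_exec_script() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }

    # -x tests the invoking user, so run this as the account the daemon
    # uses (radiusd in the thread) to get the answer the server will get.
    [ -x "$f" ] || { echo "not-executable"; return 1; }

    # First four bytes as hex: 7f454c46 is an ELF binary, 2321 is "#!".
    magic=$(dd if="$f" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo "ok"; return 0 ;;   # compiled program, no shebang needed
        2321*)    ;;                       # script with a shebang, check it below
        *)        echo "bad-shebang"; return 1 ;;
    esac

    # Interpreter path is the first word after "#!".
    interp=$(sed -n '1{s/^#![[:space:]]*//;s/[[:space:]].*$//;p;q;}' "$f")
    [ -x "$interp" ] || { echo "missing-interpreter"; return 1; }

    echo "ok"
}

# Demo with constructed files: one with the first line as posted in the
# thread, one with the corrected first line.
demo_dir=$(mktemp -d)
printf '#/bin/bash\necho "$1 --- $2"\n' > "$demo_dir/typo.sh"
printf '#!/bin/sh\necho "$1 --- $2"\n'  > "$demo_dir/fixed.sh"
chmod 755 "$demo_dir/typo.sh" "$demo_dir/fixed.sh"
for s in typo.sh fixed.sh; do
    printf '%s: %s\n' "$s" "$(check_exec_script "$demo_dir/$s" || true)"
done
rm -rf "$demo_dir"
```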


Re: Exec-Program problem

2009-04-22 Thread Nirmal

 
Thanks man,
 
done.


Re: Exec-Program problem

2009-04-22 Thread Nirmal
changed permission of /etc/raddb/mac_entries
 
now getting wrong format error.
 
Wed Apr 22 17:21:27 2009 : Auth: Login OK: [spark] (from client localhost port 
0 cli 00:19:D1:4A:53:F8)
Wed Apr 22 17:21:27 2009 : Info: +- entering group post-auth {...}
Wed Apr 22 17:21:27 2009 : Info: [exec] expand: %u - spark
Wed Apr 22 17:21:27 2009 : Info: [exec] expand: %i - 00:19:D1:4A:53:F8
Wed Apr 22 17:21:27 2009 : Debug: Exec-Program output: Wed Apr 22 17:21:27 2009 
: Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
Wed Apr 22 17:21:27 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr 22 
17:21:27 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec 
format error
Wed Apr 22 17:21:27 2009 : Debug: Exec-Program: returned: 1

 
in my previous version i was using the same format.
 
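+----+----------+-------------------+----+-------------------------+
| id | username | attribute         | op | value                   |
+----+----------+-------------------+----+-------------------------+
|  1 | spark    | Exec-Program-Wait | := | /etc/raddb/getmac %u %i |
+----+----------+-------------------+----+-------------------------+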

 
where to check syntax for exec-program ?



Exec-Program-Wait problem

2009-04-21 Thread enid

Hello all,

I'm running FreeRADIUS Version 2.1.5, and I'm trying to execute an external
script when users authenticate. I have included the exec module. The script
is executed in this form (in the users file):

DEFAULT Simultaneous-Use := 1
Idle-Timeout = 600,
Session-Timeout = 5400,
Framed-IP-Address = 255.255.255.254,
Framed-Compression = Van-Jacobson-TCP-IP,
Exec-Program-Wait = /etc/freeradius/somescript,
Fall-Through = Yes

 but I want that the output of it to append to the AV pair reply that goes
back to the client. So I have the problem that when the script is executed,
its output doesn't append to the AV pair reply. (For example:
Reply-Message=Email Only Account)
I can post here my configuration files, if you tell me which.

Thanks in advance !


Re: Exec-Program-Wait problem

2009-04-21 Thread Alan DeKok
enid wrote:
 DEFAULT Simultaneous-Use := 1
 Idle-Timeout = 600,
 Session-Timeout = 5400,
 Framed-IP-Address = 255.255.255.254,
 Framed-Compression = Van-Jacobson-TCP-IP,
 Exec-Program-Wait = /etc/freeradius/somescript,
 Fall-Through = Yes
 
  but I want that the output of it to append to the AV pair reply that goes
 back to the client. So I have the problem that when the script is executed,
 its output doesn't append to the AV pair reply. (For example:
 Reply-Message=Email Only Account)
 I can post here my configuration files, if you tell me which.

 Use the exec module instead.  It gives you a much more fine-grained
control over the behavior of the program.

  Alan DeKok.


Exec-Program-Wait w/ FreeRADIUS 2.1.3

2009-03-17 Thread Jeremiah Millay
I'm having trouble getting FreeRADIUS to run programs called by 
Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3). 
I'm using a custom C script that used to work with all versions of 
FreeRADIUS prior to version 2.


I have an entry like this in the users file which is matching my 
access-requests:



DEFAULT Suffix == @test.net, Auth-Type := Accept
   Exec-Program-Wait = /usr/local/sbin/checkradacct 
%{Stripped-User-Name} %{Password},

   Ascend-Data-Filter += ip in forward tcp est,
   Ascend-Data-Filter += ip in forward dstip 10.0.0.0/24 tcp,
   Ascend-Data-Filter += ip in drop tcp dstport = 25,
   Ascend-Data-Filter += ip in forward,
   Fall-Through = No



Here is my debugging output when I attempt to authenticate (doesn't 
appear to execute my program):



Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 49411, id=74, 
length=76

   User-Name = jmil...@test.net
   User-Password = blah
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
   Framed-Protocol = PPP
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/var/log/radacct/10.1.1.1/auth-detail-20090317
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radacct/10.1.1.1/auth-detail-20090317

[auth_log]  expand: %t - Tue Mar 17 13:58:23 2009
++[auth_log] returns ok
[suffix] Looking up realm test.net for User-Name = jmil...@test.net
[suffix] Found realm test.net
[suffix] Adding Stripped-User-Name = jmillay
[suffix] Adding Realm = test.net
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 26
[files] expand: /usr/local/sbin/checkradacct 
%{Stripped-User-Name} %{Password} - /usr/local/sbin/checkradacct 
jmillay blah

++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [jmil...@test.net] (from client 10.1.1.1 port 0)
Sending Access-Accept of id 74 to 10.1.1.1 port 49411
   Ascend-Data-Filter += ip in forward tcp est
   Ascend-Data-Filter += ip in forward dstip 10.0.0.0/24 tcp
   Ascend-Data-Filter += ip in drop tcp dstport = 25
   Ascend-Data-Filter += ip in forward 0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 74 with timestamp +21



Any suggestions? I read in the docs that Exec-Program and 
Exec-Program-Wait are deprecated but I haven't found any clear 
documentation on how to configure rlm_exec to duplicate what I am trying 
to do.

Thanks in advance,
Jeremiah



Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3

2009-03-17 Thread tnt
I'm having trouble getting FreeRADIUS to run programs called by
Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3).
I'm using a custom C script that used to work with all versions of
FreeRADIUS prior to version 2.


Read comments in exec module configuration file (raddb/modules/exec).

Ivan Kalik
Kalik Informatika ISP



Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3

2009-03-17 Thread Jeremiah Millay
Replying to myself... I missed uncommenting exec from the post-auth 
section of default site. Everything is working now. Sorry for 
wasting your valuable mailbox space.

Jeremiah


Exec-Program-Wait and FreeRadius 2.1.1

2009-03-05 Thread Michael Schramm

Hello,

we're about to migrate from Freeradius 0.9 to 2.1. During this we
noticed that the attributes Exec-Program-Wait and Exec-Program are
deprecated.
We used this feature to start a script (which generates special Cisco
AV-Pairs).
Our Freeradius backend is a mysql database.

Now my problem is that the attributes don't work. So we tried with the
exec module. This works fine, but we want to execute different scripts
depending on the group the user is in, and I want to manage
this via the database like it was in version 0.9. Can you give me a clue how
to deal with this, because I didn't find anything about this in the documentation.

Thanks a lot and best regards

Michael Schramm



Re: Exec-Program-Wait and FreeRadius 2.1.1

2009-03-05 Thread Alan DeKok
Michael Schramm wrote:
 we're about to migrate from Freeradius 0.9 to 2.1. During this we
 noticed that the attributes Exec-Program-Wait and Exec-Program are
 deprecated.
 We used this feature to start a script (which generates special Cisco
 AV-Pairs).

  They still work in 2.x.

 Now my problem is that the attributes don't work.

  If you list exec in the post-auth section, then they work.  This
configuration is in the default configuration files in 2.x.

  Alan DeKok.


Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

2009-02-17 Thread Fabiano

Alan DeKok wrote:
> Fabiano wrote:
>> Can you point me to a document or website where the following mechanism
>> is described well ?
>>
>> ie MSCHAPv2 Radius Client - Freeradius does the MSCHAPv2 challenge ? -
>> auth is delegated to external script receiving attributes like username
>> and password in clear - external script gives the auth ok answer -
>> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
>
>   MS-CHAP doesn't work this way.  You CANNOT give a cleartext password
> to an external script by looking at the MS-CHAP data.  It is *impossible*.

Ok, thanks.

>> The part I don't understand is how does this MSCHAPv2 auth work in
>> Freeradius, and how the external script could get the attributes when
>> the MSCHAPv2 challenge password is encrypted ? Does it mean that I have
>> to implement the MSCHAPv2 challenge auth by myself, entirely in the
>> external script ?
>
>   No.  You tell the server what the correct password is, and it does the
> MS-CHAP calculations to authenticate the user.

>> Concerning the cleartext password;
>> In your previous message, you say : get it from somewhere but I can't
>> figure out how...
>
>   A database?  You should know what the *correct* password is, otherwise
> you won't be able to authenticate the user.

You mean, for example making the OTP script (doing exactly the contrary 
of what it actually does) write the password every 10 seconds to a 
database for every user and then let freeradius check the db ?

Is this the only way ?

Thanks again !

>   Alan DeKok.


Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

2009-02-17 Thread Alan DeKok
Fabiano wrote:
   A database?  You should know what the *correct* password is, otherwise
 you won't be able to authenticate the user.
   
 You mean, for example making the OTP script (doing exactly the contrary
 of what it actually does) write the password every 10 seconds to a
 database for every user and then let freeradius check the db ?
 Is this the only way ?

  It would help if you described what you are trying to do, and why.

  Alan DeKok.


Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

2009-02-17 Thread Fabiano

Alan DeKok wrote:
> Fabiano wrote:
>>>   A database?  You should know what the *correct* password is, otherwise
>>> you won't be able to authenticate the user.
>>
>> You mean, for example making the OTP script (doing exactly the contrary
>> of what it actually does) write the password every 10 seconds to a
>> database for every user and then let freeradius check the db ?
>> Is this the only way ?
>
>   It would help if you described what you are trying to do, and why.

Alan,

I am using a firewall (m0n0.ch, based on FreeBSD) which has a PPTP 
server accepting only MSCHAPv2 auth.
This PPTP server uses an internal database with flatfiles for 
authenticating VPN users but also offers auth through an external radius 
server.
I thought that I could use the motp.sf.net project to make mobile 
clients (using cell phones and the j2me applet) authenticate with this 
setup.
The MOTP project offers a shellscript named otpverify.sh which awaits some 
arguments to verify the client (Username, OTP, Init-Secret, PIN, Time 
Offset).

Username and OTP are given by the VPN client
Init-Secret, PIN and Time Offset are specified in the radius users file.
Normally, this is done using xtradius, executing the script as external 
application and giving the arguments to it.

The script answers ACCEPT or FAIL for final auth.

That's it.

I'm stuck here, having MSCHAPv2 clients and an auth script not usable 
with MSCHAPv2 auth.
I have also tried this with the supplied PAM motp module, but as you 
said this is not possible.

I had successful auths using radtest, but that's all... ;)

I think that what I will try is rewrite the script in perl to generate 
the passwords every x seconds to a database and then make freeradius 
auth against the db entries.

Do you think this is the best way ?

Thanks again.

>   Alan DeKok.


Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

2009-02-15 Thread Alan DeKok
Fabiano wrote:
 Can you point me to a document or website where the following mechanism
 is described well ?
 
 ie MSCHAPv2 Radius Client - Freeradius does the MSCHAPv2 challenge ? -
 auth is delegated to external script receiving attributes like username
 and password in clear - external script gives the auth ok answer -
 Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.

  MS-CHAP doesn't work this way.  You CANNOT give a cleartext password
to an external script by looking at the MS-CHAP data.  It is *impossible*.

 The part I don't understand is how does this MSCHAPv2 auth work in
 Freeradius, and how the external script could get the attributes when
 the MSCHAPv2 challenge password is encrypted ? Does it mean that I have
 to implement the MSCHAPv2 challenge auth by myself, entirely in the
 external script ?

  No.  You tell the server what the correct password is, and it does the
MS-CHAP calculations to authenticate the user.

 Concerning the cleartext password;
 In your previous message, you say : get it from somewhere but I can't
 figure out how...

  A database?  You should know what the *correct* password is, otherwise
you won't be able to authenticate the user.

  Alan DeKok.


Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

2009-02-14 Thread Fabiano

Alan,

Thanks for your answer.
Can you point me to a document or website where the following mechanism 
is described well ?


ie MSCHAPv2 Radius Client - Freeradius does the MSCHAPv2 challenge ? - 
auth is delegated to external script receiving attributes like username 
and password in clear - external script gives the auth ok answer - 
Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.


The part I don't understand is how does this MSCHAPv2 auth work in 
Freeradius, and how the external script could get the attributes when 
the MSCHAPv2 challenge password is encrypted ? Does it mean that I have 
to implement the MSCHAPv2 challenge auth by myself, entirely in the 
external script ?


Concerning the cleartext password;
In your previous message, you say : get it from somewhere but I can't 
figure out how...


Thanks a lot

Best regards

Fab

Alan DeKok wrote:
> Fabiano wrote:
>> Hello,
>>
>> Does anyone know where I can find some information on how to use the
>> following in freeradius ?
>> I have an external shell script which awaits arguments (username, clear
>> password, and other arguments) and returns an answer for validation.
>> The problem is that I cannot find any lead on how to do this while using
>> MSCHAPv2...
>
> $ man unlang
>
>   Then, run the script in the post-auth section.
>
>> And I am not sure how to do this with Exec-Program-Wait.
>>
>> Is this possible without rewriting the module in C ?
>> Is there any way to have the cleartext password sent to the external
>> script ?
>
>   Sure.  Get it from somewhere, and then send it to the script.
>
>   Alan DeKok.


Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

2009-02-13 Thread Fabiano

Hello,

Does anyone know where I can find some information on how to use the 
following in freeradius ?
I have an external shell script which awaits arguments (username, clear 
password, and other arguments) and returns an answer for validation.
The problem is that I cannot find any lead on how to do this while using 
MSCHAPv2...

And I am not sure how to do this with Exec-Program-Wait.

Is this possible without rewriting the module in C ?
Is there any way to have the cleartext password sent to the external 
script ?


Thanks a lot

Fab


Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

2009-02-13 Thread Markus Gaugusch

On Feb 13, Fabiano fabi...@powerpc.ch wrote:


Hello,

Does anyone know where I can find some information on how to use the 
following in freeradius ?
I have an external shell script which awaits arguments (username, clear 
password, and other arguments) and returns an answer for validation.
The problem is that I cannot find any lead on how to do this while using 
MSCHAPv2...

And I am not sure how to do this with Exec-Program-Wait.


Hi Fabiano!
I'm using mobile otp, but I use pam and not the shell script. (In fact, 
the shell script has some security issues which I found out a few days 
ago. Especially, it does not do the one time check correctly, because a 
token code can be reused until it expires!)


To enable pam, I just wrote pam into the authenticate section, that's 
it. (and of course have a proper /etc/pam.d/radiusd file)


Markus
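
The one-time check discussed in the message above, sketched as an added example that is not part of the original thread and is not the motp project's code. It assumes the Mobile-OTP construction (first six hex digits of MD5 over the 10-second time step, init-secret and PIN) and a +/- 3 minute window; `open_store`, `verify`, `offset_s` and the sample values are hypothetical names and constructed data.

```python
import hashlib
import hmac
import sqlite3
import time

STEP = 10    # mOTP time granularity, in seconds
WINDOW = 18  # steps tolerated either side of "now" (+/- 3 minutes); assumed policy


def motp_code(step, secret, pin):
    """Code for one time step: first 6 hex digits of MD5(step || secret || pin)."""
    return hashlib.md5(f"{step}{secret}{pin}".encode()).hexdigest()[:6]


def open_store(path=":memory:"):
    """Open the replay store. Pass a file path so state survives between exec calls."""
    db = sqlite3.connect(path, isolation_level=None)  # autocommit; BEGIN is explicit
    db.execute(
        "CREATE TABLE IF NOT EXISTS last_step ("
        "user TEXT PRIMARY KEY, step INTEGER NOT NULL)"
    )
    return db


def verify(db, user, otp, secret, pin, offset_s=0, now=None):
    """Return 'ACCEPT', 'FAIL' (no step matches) or 'REPLAY' (step already used)."""
    now = time.time() if now is None else now
    current = (int(now) + offset_s) // STEP
    presented = otp.strip().lower().encode()

    matched = None
    # Walk the whole window on every call so timing does not show where a match sits.
    for step in range(current - WINDOW, current + WINDOW + 1):
        if hmac.compare_digest(motp_code(step, secret, pin).encode(), presented):
            matched = step
    if matched is None:
        return "FAIL"

    # Compare-and-set inside one write transaction: two concurrent requests that
    # carry the same code cannot both pass, and an accepted step also retires
    # every older step for that user.
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute(
            "SELECT step FROM last_step WHERE user = ?", (user,)
        ).fetchone()
        if row is not None and matched <= row[0]:
            verdict = "REPLAY"
        else:
            db.execute(
                "INSERT OR REPLACE INTO last_step (user, step) VALUES (?, ?)",
                (user, matched),
            )
            verdict = "ACCEPT"
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    return verdict


if __name__ == "__main__":
    # Constructed values, for demonstration only.
    store = open_store()
    t = 1234567890
    code = motp_code(t // STEP, "0123456789abcdef", "1234")
    print(verify(store, "alice", code, "0123456789abcdef", "1234", now=t))
    print(verify(store, "alice", code, "0123456789abcdef", "1234", now=t + 5))
```

Because radiusd starts the script afresh for every request, the store has to be a file (or another shared database) writable by the radiusd user; the in-memory default only suits a single process.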


Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

2009-02-13 Thread Alan DeKok
Fabiano wrote:
 Hello,
 
 Does anyone know where I can find some information on how to use the
 following in freeradius ?
 I have an external shell script which awaits arguments (username, clear
 password, and other arguments) and returns an answer for validation.
 The problem is that I cannot find any lead on how to do this while using
 MSCHAPv2...

$ man unlang

  Then, run the script in the post-auth section.

 And I am not sure how to do this with Exec-Program-Wait.
 
 Is this possible without rewriting the module in C ?
 Is there any way to have the cleartext password sent to the external
 script ?

  Sure.  Get it from somewhere, and then send it to the script.

  Alan DeKok.


Re: Exec-Program in acct_users file

2008-12-23 Thread Alan DeKok
Anton Borisov wrote:
 I used Start and Stop in accounting for some DNS registrations of my
 clients, like this:
 
 ~# cat acct_users
 ...
 ...
 DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type
 := BILL
...
 and this works in 1.1.7 !
 
 But for 2.1.1 - this does not work.

  You need to list the exec module in the post-auth section.

  Alan DeKok.


Re: Exec-Program in acct_users file

2008-12-23 Thread Anton Borisov

Thank you for your reply.

Yes, yes.
I have uncommented exec in post-auth section in 
/etc/raddb/sites-enabled/default config.



So, another way in 2.1.1 - I've configured this program only with 
accounting module.

Some examples:

/etc/raddb/sites-enabled/default
accounting {
    ...
    ...
    Acct-Type BILL {
        if ( Acct-Status-Type =~ /Start|Stop/ ) {
            dns
        }
    }
    ...

cat /etc/raddb/modules/exec
...
...
exec dns {
    wait = yes
    program = /path-to-my-programm.sh
    input_pairs = request
    output_pairs = reply
}

This is working, but it is quicker and easier to only add Exec-Program to 
acct_users (like in 1.7.7 version)

Would you be so kind and give some examples for acct_users in 2.1.1?




Alan DeKok wrote:
> Anton Borisov wrote:
>> I used Start and Stop in accounting for some DNS registrations of my
>> clients, like this:
>>
>> ~# cat acct_users
>> ...
>> ...
>> DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL
>> ...
>>
>> and this works in 1.1.7 !
>>
>> But for 2.1.1 - this does not work.
>
>   You need to list the exec module in the post-auth section.
>
>   Alan DeKok.


--
Yours faithfully,
Anton Borisov.
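
A sketch of the program side of the `exec dns` instance shown in the message above, as an added example that is not part of the original thread. It assumes rlm_exec's usual behaviour with `input_pairs = request` (attributes exported as environment variables with upper-cased names, `-` turned into `_`, string values wrapped in double quotes); the zone name, TTL and the hand-off to `nsupdate` are hypothetical.

```python
import ipaddress
import os
import re
import subprocess
import sys

ZONE = "dyn.example.net"  # hypothetical zone, not taken from the thread
TTL = 60
# One DNS label: letters, digits and inner hyphens only, at most 63 characters.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\Z")


def attr(env, name):
    """Look up one request attribute as exported into the environment."""
    raw = env.get(name.upper().replace("-", "_"))
    if raw is not None and len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]  # string attributes arrive wrapped in double quotes
    return raw


def plan_update(env):
    """Return (action, fqdn, ip) for a Start/Stop record, or None to do nothing."""
    action = {"Start": "add", "Stop": "delete"}.get(attr(env, "Acct-Status-Type"))
    if action is None:
        return None  # Interim-Update and every other status is ignored
    user = (attr(env, "Stripped-User-Name") or "").lower()
    # The user name comes from the NAS, so only a strict single label is allowed
    # through; anything with spaces, dots, newlines or shell characters is refused.
    if not LABEL.match(user):
        return None
    try:
        ip = ipaddress.IPv4Address(attr(env, "Framed-IP-Address") or "")
    except ValueError:
        return None
    return action, f"{user}.{ZONE}", str(ip)


def nsupdate_batch(action, fqdn, ip):
    """Build the nsupdate input for one validated record."""
    if action == "add":
        lines = [f"update delete {fqdn} A", f"update add {fqdn} {TTL} A {ip}"]
    else:
        lines = [f"update delete {fqdn} A {ip}"]
    return "\n".join(lines + ["send", ""])


def main(env=os.environ):
    plan = plan_update(env)
    if plan is None:
        return 0  # nothing to register; accounting itself must not fail
    # Argument list, no shell; stdout is discarded because output_pairs = reply
    # makes the server parse whatever this program prints as attributes.
    result = subprocess.run(
        ["nsupdate"],
        input=nsupdate_batch(*plan),
        text=True,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        check=False,
    )
    return 0 if result.returncode == 0 else 1


if __name__ == "__main__":
    sys.exit(main())
```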



Re: Exec-Program in acct_users file

2008-12-23 Thread Marinko Tarlac
I'm using FR 1.1.7 with acct_users but what if you have more complicated
scripts and you're using it on Interim-Updates. Every time when
Interim-Update triggers, this script has to connect to do something
(database connection, do this, do that )...

Is there any other way to do something like this?

On Tue, Dec 23, 2008 at 11:48 AM, Anton Borisov anto...@mccinet.ru wrote:

 Thank you for your reply.

 Yes, yes.
 I have uncommented exec in post-auth section in
 /etc/raddb/sites-enabled/default config.


 So, another way in 2.1.1 - I've configured this program only with
 accounting module.
 Some examples:

 /etc/raddb/sites-enabled/default
 accounting {
 ...
 ...
 Acct-Type BILL {
if ( Acct-Status-Type =~ /Start|Stop/ ) {
dns
}
 }
 ...

 cat /etc/raddb/modules/exec
 ...
 ...
 exec dns {
wait = yes
program = /path-to-my-programm.sh
input_pairs = request
output_pairs = reply
 }

 This is working, but it is quicker and easier to only add Exec-Program to
 acct_users (like in 1.7.7 version)
 Would you be so kind and give some examples for acct_users in 2.1.1?





 Alan DeKok wrote:

 Anton Borisov wrote:

 I used Start and Stop in accounting for some DNS registrations of my
 clients, like this:

 ~# cat acct_users
 ...
 ...
 DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type
 := BILL

 ...

 and this works in 1.1.7 !

 But for 2.1.1 - this does not work.


  You need to list the exec module in the post-auth section.

  Alan DeKok.


 --
 Yours faithfully,
 Anton Borisov.


Exec-Program in acct_users file

2008-12-22 Thread Anton Borisov

Good day!

Does anyone know about Exec-Program in acct_users in Freeradius 2.1.1?
I upgraded from 1.1.7 to 2.1.1 and do not see exec in debug.

I used Start and Stop in accounting for some DNS registrations of my 
clients, like this:


~# cat acct_users
...
...
DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL
        Exec-Program = /opt/fr/bin/dyndns.acctstart.pl
DEFAULT Realm == 'dyndns', Acct-Status-Type == Stop, Acct-Type := BILL
        Exec-Program = /opt/fr/bin/dyndns.acctstop.pl


and this works in 1.1.7 !

But for 2.1.1 - this does not work.

Mon Dec 22 18:19:19 2008 : Info: ++[preprocess] returns ok
Mon Dec 22 18:19:19 2008 : Info: [suffix] Looking up realm dyndns for User-Name = 12...@dyndns
Mon Dec 22 18:19:19 2008 : Info: [suffix] Found realm dyndns
Mon Dec 22 18:19:19 2008 : Info: [suffix] Adding Stripped-User-Name = 12345
Mon Dec 22 18:19:19 2008 : Info: [suffix] Adding Realm = dyndns
Mon Dec 22 18:19:19 2008 : Info: [suffix] Accounting realm is LOCAL.
Mon Dec 22 18:19:19 2008 : Info: ++[suffix] returns ok
Mon Dec 22 18:19:19 2008 : Info: [files] expand: %{NAS-IP-Address} -> 212.119.106.21
Mon Dec 22 18:19:19 2008 : Info: [files] acct_users: Matched entry DEFAULT at line 32


At this point (line 32 - Realm == 'dyndns', line 33 Exec-Program = 
blabla in acct_users) it does not work.


Mon Dec 22 18:19:19 2008 : Info: ++[files] returns ok
Mon Dec 22 18:19:19 2008 : Debug:   Found Acct-Type BILL
Mon Dec 22 18:19:19 2008 : Info: +- entering group BILL {...}
Tue Dec 23 10:40:52 2008 : Info: [acct_unique] Hashing 'NAS-IP-Address = 212.119.106.21,Acct-Session-Id = D4776A151004A3344'
Tue Dec 23 10:40:52 2008 : Info: [acct_unique] Acct-Unique-Session-ID = eddc8ecb616eae58.
Tue Dec 23 10:40:52 2008 : Info: ++[acct_unique] returns ok
Tue Dec 23 10:40:52 2008 : Info: [BILL] expand: /opt/fr2/radacct/files/cdr.%Y%m%d.%H -> /opt/fr2/radacct/files/cdr.20081223.10
Tue Dec 23 10:40:52 2008 : Info: [BILL] /opt/fr2/radacct/files/cdr.%Y%m%d.%H expands to /opt/fr2/radacct/files/cdr.20081223.10
Tue Dec 23 10:40:52 2008 : Info: [BILL] Acquired filelock, tried 1 time(s)
Tue Dec 23 10:40:52 2008 : Info: [BILL] expand: %t -> Tue Dec 23 10:40:52 2008
Tue Dec 23 10:40:52 2008 : Info: [BILL] Released filelock
Tue Dec 23 10:40:52 2008 : Info: ++[BILL] returns ok
Sending Accounting-Response of id 66 to 128.1.134.55 port 50812

At this point it does not work again...

Tue Dec 23 10:40:52 2008 : Info: Finished request 0.
Tue Dec 23 10:40:52 2008 : Info: Cleaning up request 0 ID 66 with timestamp +3
Tue Dec 23 10:40:52 2008 : Debug: Going to the next request


in 1.1.7


Tue Dec 23 10:28:56 2008 : Debug: rlm_acct_unique: Acct-Unique-Session-ID = fd9494068cfbfd81.
Tue Dec 23 10:28:56 2008 : Debug:   modsingle[accounting]: returned from acct_unique (rlm_acct_unique) for request 1
Tue Dec 23 10:28:56 2008 : Debug:   modcall[accounting]: module acct_unique returns ok for request 1
Tue Dec 23 10:28:56 2008 : Debug:   modsingle[accounting]: calling BILL (rlm_detail) for request 1
Tue Dec 23 10:28:56 2008 : Debug: radius_xlat: '/opt/fr/radacct/files/cdr.20081223.10'
Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: /opt/fr/radacct/files/cdr.%Y%m%d.%H expands to /opt/fr/radacct/files/cdr.20081223.10
Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: Acquired filelock, tried 1 time(s)
Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: Released filelock
Tue Dec 23 10:28:56 2008 : Debug:   modsingle[accounting]: returned from BILL (rlm_detail) for request 1
Tue Dec 23 10:28:56 2008 : Debug:   modcall[accounting]: module BILL returns ok for request 1
Tue Dec 23 10:28:56 2008 : Debug: modcall: leaving group BILL (returns ok) for request 1


At this point my script is working.

Sending Accounting-Response of id 232 to 128.1.134.55 port 33228
Tue Dec 23 10:28:56 2008 : Debug: Finished request 1
Tue Dec 23 10:28:56 2008 : Debug: Going to the next request




--
Yours faithfully,
Anton Borisov.



Re: RES: exec program, but post-auth

2008-11-04 Thread Alexandre J. Correa - Onda Internet

Thanks for answers,

I obtained ip, acctound-id, etc etc from preacct section, adding exec to 
section !! script filter with Acct-Status-Type = Start working fine now !!

Ivan, in its first message I didn't read to try with accounting packets !!

thanks again !!

Regards..

[EMAIL PROTECTED] wrote:
>> Here I use Exec-Program-Wait to validate data AFTER auth OK, I need to 
>> execute other script AFTER auth OK to get IP address assigned to user.
>>
>> I'm trying to pass %f to my script but it returns ?.?.?.? because at this 
>> moment, radius has not assigned an IP for the user...
>>
>> How can I do this ?
>
> Where is here? In what section are you trying to run the script?
>
> Ivan Kalik
> Kalik Informatika ISP

  



--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br



RES: exec program, but post-auth

2008-11-04 Thread Adriano - IPinfo
Hello, use:
{dictionary name}
E.g.:
{Call-Station-Id}
-Original message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of Alexandre J. Correa - Onda Internet
Sent: Monday, November 3, 2008 19:43
To: FreeRadius users mailing list
Subject: exec program, but post-auth 

Hello !!

Here I use Exec-Program-Wait to validate data AFTER auth OK, I need to 
execute other script AFTER auth OK to get IP address assigned to user.

I'm trying to pass %f to my script but it returns ?.?.?.? because at this 
moment, radius has not assigned an IP for the user...

How can I do this ?

thanks !!

-- 
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br


Re: exec program, but post-auth

2008-11-04 Thread tnt
So radius *is* assigning IP's? Where? If it's ippool/sqlippool list
your exec program after these in post-auth section. If IP's are
assigned by DHCP you have to get it from accounting packets. But that
will work for radius assigned IP's too.

Ivan Kalik
Kalik Informatika ISP


On 4/11/2008, Alexandre J. Correa - Onda Internet
[EMAIL PROTECTED] wrote:

> auth is working fine... but I need to execute one script after auth OK to 
> get the IP that radius assigned to user, have any idea how I can do this ?!
>
> thanks !!!
>
> [EMAIL PROTECTED] wrote:
>>> Here I use Exec-Program-Wait to validate data AFTER auth OK, I need to 
>>> execute other script AFTER auth OK to get IP address assigned to user.
>>>
>>> I'm trying to pass %f to my script but it returns ?.?.?.? because at this 
>>> moment, radius has not assigned an IP for the user...
>>>
>>> How can I do this ?
>>
>> If radius is not assigning IP's NAS will send them in accounting packets.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> -- 
> Sds.
>
> Alexandre Jeronimo Correa
>
> Onda Internet - http://www.ondainternet.com.br
> OPinguim Hosting - http://www.opinguim.net
>
> Linux User ID #142329
>
> UNOTEL S/A - http://www.unotel.com.br


Re: RES: exec program, but post-auth

2008-11-04 Thread tnt
> Here I use Exec-Program-Wait to validate data AFTER auth OK, I need to 
> execute other script AFTER auth OK to get IP address assigned to user.
>
> I'm trying to pass %f to my script but it returns ?.?.?.? because at this 
> moment, radius has not assigned an IP for the user...
>
> How can I do this ?

Where is here? In what section are you trying to run the script?

Ivan Kalik
Kalik Informatika ISP


exec program, but post-auth

2008-11-03 Thread Alexandre J. Correa - Onda Internet

Hello !!

Here I use Exec-Program-Wait to validate data AFTER auth OK, I need to 
execute other script AFTER auth OK to get IP address assigned to user.

I'm trying to pass %f to my script but it returns ?.?.?.? because at this 
moment, radius has not assigned an IP for the user...

How can I do this ?

thanks !!

--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br



Re: exec program, but post-auth

2008-11-03 Thread tnt
> Here I use Exec-Program-Wait to validate data AFTER auth OK, I need to 
> execute other script AFTER auth OK to get IP address assigned to user.
>
> I'm trying to pass %f to my script but it returns ?.?.?.? because at this 
> moment, radius has not assigned an IP for the user...
>
> How can I do this ?

If radius is not assigning IP's NAS will send them in accounting packets.

Ivan Kalik
Kalik Informatika ISP


Re: exec program, but post-auth

2008-11-03 Thread Alexandre J. Correa - Onda Internet
auth is working fine... but I need to execute one script after auth OK to 
get the IP that radius assigned to user, have any idea how I can do this ?!

thanks !!!

[EMAIL PROTECTED] wrote:
>> Here I use Exec-Program-Wait to validate data AFTER auth OK, I need to 
>> execute other script AFTER auth OK to get IP address assigned to user.
>>
>> I'm trying to pass %f to my script but it returns ?.?.?.? because at this 
>> moment, radius has not assigned an IP for the user...
>>
>> How can I do this ?
>
> If radius is not assigning IP's NAS will send them in accounting packets.
>
> Ivan Kalik
> Kalik Informatika ISP

  



--
Sds.

Alexandre Jeronimo Correa

Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br



Re: exec program, but post-auth

2008-11-03 Thread Anders Holm

Huh?

Ivan gave you the answer already. Read it again and then look into  
what accounting packets are.


Sent from my iPhone

On 4 Nov 2008, at 02:06, Alexandre J. Correa - Onda Internet [EMAIL PROTECTED] wrote:

> auth is working fine... but I need to execute one script after auth OK 
> to get the IP that radius assigned to user, have any idea how I can 
> do this ?!
>
> thanks !!!
>
> [EMAIL PROTECTED] wrote:
>>> Here I use Exec-Program-Wait to validate data AFTER auth OK, I 
>>> need to execute other script AFTER auth OK to get IP address 
>>> assigned to user.
>>>
>>> I'm trying to pass %f to my script but it returns ?.?.?.? because 
>>> at this moment, radius has not assigned an IP for the user...
>>>
>>> How can I do this ?
>>
>> If radius is not assigning IP's NAS will send them in accounting 
>> packets.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> --
> Sds.
>
> Alexandre Jeronimo Correa
>
> Onda Internet - http://www.ondainternet.com.br
> OPinguim Hosting - http://www.opinguim.net
>
> Linux User ID #142329
>
> UNOTEL S/A - http://www.unotel.com.br

Exec-Program-Wait Don't work

2008-05-22 Thread Roberto Salazar M.
 
Regards:
Sorry my english!
 
I'm using Exec-Program-Wait for session control and printing a 
Session-Timeout = 0 parameter, but it doesn't work. In cistron radius, I received 
logs in radius.log:

Tue Sep  4 17:26:57 2007 : Debug: Exec-Program output Session-Timeout:=100
Tue Sep  4 17:26:57 2007 : Debug: Exec-Program-Wait: value-pairs: ,Session-Timeout:=100

But now I don't receive anything. How can I activate this log in radius.log?

Re: exec-program-wait problem with freeradius 2.0.3

2008-04-17 Thread Alan DeKok
Emmanuel Willems wrote:
 Thank you for your feedback and sorry for the confusion.
 The program is being executed and returning the correct result, but I
 still can't authenticate.

  So... read the debug log, and fix all of the WARNINGs, errors, etc.

  Alan DeKok.


Re: exec-program-wait problem with freeradius 2.0.3

2008-04-16 Thread Alan DeKok
Emmanuel Willems wrote:
 Here is a relevant part of the debug log:
...
 Tue Apr 15 14:36:27 2008 : Auth: Login OK: [000d2885af3e/000d2885af3e]
 (from client wlan-sen port 737 cli 000d.2885.af3e)
 Tue Apr 15 14:36:27 2008 : Debug: +- entering group post-auth
 Tue Apr 15 14:36:27 2008 : Debug:   modsingle[post-auth]: calling exec
 (rlm_exec) for request 0
 Tue Apr 15 14:36:28 2008 : Debug: Exec-Program output:
 Tue Apr 15 14:36:28 2008 : Debug: Exec-Program: returned: 0

  What's the problem?  It's calling your program.

  Alan DeKok.


Re: exec-program-wait problem with freeradius 2.0.3

2008-04-16 Thread Emmanuel Willems




Thank you for your feedback and sorry for the confusion.
The program is being executed and returning the correct result, but I
still can't authenticate.
I'm using EAP-TTLS-PAP to connect to a Cisco Aironet AP1200.
Using the same sql db in freeradius 1.1.3 it works, but not with
freeradius 2.0.3.

Any suggestions,

Emmanuel


Alan DeKok wrote:
> Emmanuel Willems wrote:
>> Here is a relevant part of the debug log:
> ...
>> Tue Apr 15 14:36:27 2008 : Auth: Login OK: [000d2885af3e/000d2885af3e] (from client wlan-sen port 737 cli 000d.2885.af3e)
>> Tue Apr 15 14:36:27 2008 : Debug: +- entering group post-auth
>> Tue Apr 15 14:36:27 2008 : Debug:   modsingle[post-auth]: calling exec (rlm_exec) for request 0
>> Tue Apr 15 14:36:28 2008 : Debug: Exec-Program output:
>> Tue Apr 15 14:36:28 2008 : Debug: Exec-Program: returned: 0
>
>   What's the problem?  It's calling your program.
>
>   Alan DeKok.


-- 
Ingénieur-système / Systeem ingenieur / System engineer

Sénat de Belgique, Place de la Nation 1, 1009 Bruxelles
Belgische Senaat, Natieplein 1, 1009 Brussel
Belgian Senate, Place de la Nation 1, 1009 Brussels, Belgium

e-mail: [EMAIL PROTECTED]
URL: http://www.senate.be
tel: +32 (2) 501.72.39
fax: +32 (2) 514.06.85


Re: exec-program-wait problem with freeradius 2.0.3

2008-04-15 Thread Emmanuel Willems

I added exec in post-auth in sites-enabled/default and
sites-enabled/inner-tunnel and it's still no go.
Did I miss something?

Thanks,

Emmanuel

Alan DeKok wrote:

Emmanuel Willems wrote:

 All works well in version 1.1.3 but the script does not get called in
 version 2.0.3


  List 'exec' in the post-auth section.

  Alan DeKok.




Re: exec-program-wait problem with freeradius 2.0.3

2008-04-15 Thread Alan DeKok
Emmanuel Willems wrote:
 I added exec in post-auth in sites-enabled/default and
 sites-enabled/inner-tunnel and it's still no go.
 Did i miss something?

  Debug log?

  Alan DeKok.


exec-program-wait problem with freeradius 2.0.3

2008-04-14 Thread Emmanuel Willems

Hi,

I'm carrying out tests with 2 versions of freeradius, 1.1.3 and 2.0.3.
I'm trying to use Exec-Program-Wait to run a script to do some extra
checking.

Both setups use the same MySQL database.
All works well in version 1.1.3 but the script does not get called in
version 2.0.3.
The SQL statements generated with both the 1.1.3 and 2.0.3 are identical
and return the same result.

But version 1.1.3 of freeradius runs the script while version 2.0.3
does not.


Any ideas?

Thanks in advance,

Emmanuel



Re: exec-program-wait problem with freeradius 2.0.3

2008-04-14 Thread Alan DeKok
Emmanuel Willems wrote:
 All works well in version 1.1.3 but the script does not get called in
 version 2.0.3

  List 'exec' in the post-auth section.

  Alan DeKok.


Re: Exec-Program-Wait

2007-11-23 Thread Alan DeKok
Felipe Ceglia - PY1NB wrote:
 I am trying to setup a prepaid style system on my freeradius. All I
 want is to check user name against a perl script that will let user get
 in or not.

  You should use rlm_perl rather than Exec-Program-Wait

 I put this on users file, but the script is not being run:
 
 DEFAULT Called-Station-Id == hotspot_shop_tere  #THIS IS LINE 155
 Exec-Program-Wait = /etc/raddb/scripts/hotspot_shop_tere.pl %U,

  You will need to add Auth-Type := Accept to the first line (with DEFAULT).

 DEFAULT Called-Station-Id == hotspot_shop_tere,  Acct-Status-Type == Stop
 Exec-Program-Wait = /etc/raddb/scripts/hotspot_shop_tere.pl %U
 %{AcctSessionTime},

  This entry should go into the acct_users file, not the users file.

  Alan DeKok.


Exec-Program-Wait

2007-11-22 Thread Felipe Ceglia - PY1NB

Hello,

I am trying to setup a prepaid style system on my freeradius. All I 
want is to check user name against a perl script that will let user get 
in or not.


I put this on users file, but the script is not being run:

DEFAULT Called-Station-Id == hotspot_shop_tere  #THIS IS LINE 155
        Exec-Program-Wait = "/etc/raddb/scripts/hotspot_shop_tere.pl %U",

DEFAULT Called-Station-Id == hotspot_shop_tere,  Acct-Status-Type == Stop
        Exec-Program-Wait = "/etc/raddb/scripts/hotspot_shop_tere.pl %U %{AcctSessionTime}",



Thanks in advance,

Felipe



radiusd -X says:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 10
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1645
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = after
main: lower_pass = after
main: nospace_user = after
main: nospace_pass = after
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 2
security: status_server = yes
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
exec: wait = yes

exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
pap: encryption_scheme = crypt

pap: auto_header = yes
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
mschap: use_mppe = yes

mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded System 
unix: cache = no

unix: passwd = /etc/raddb/temp/passwd
unix: shadow = (null)
unix: group = /etc/raddb/temp/group
unix: radwtmp = NULL
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
eap: default_eap_type = md5

eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
preprocess: huntgroups = /etc/raddb/huntgroups

preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
realm: format = suffix

realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
files: usersfile = /etc/raddb/users

files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files) 
Module: Loaded SQL 
sql: driver = rlm_sql_mysql

sql: server = localhost
sql: port = 
sql: login = root
sql: password = rootpasswd
sql: radius_db = radius
sql: nas_table = nas
sql: sqltrace = no
sql: sqltracefile = /var/log/radius/sqltrace.sql
sql: readclients = no
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}}
sql: default_user_profile = 
sql: query_on_not_found = no
sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck 
WHERE Username = '%{SQL-User-Name}' ORDER BY id
sql: authorize_reply_query = SELECT id,UserName

Acct-Input-Gigawords in Exec-Program env

2007-09-26 Thread Rob Hartzenberg
Hi list,

I'm having trouble identifying the Acct-Input-Gigawords field in the
shell environment of Exec-Program.
Does anyone know how to ensure that it is being exported?

I have a shell script (test-exec.sh) which according to examples in docs
goes like so:

#!/bin/sh
# Dump the environment the server passes to the program
/usr/bin/printenv > /tmp/env.txt

Then in my acct_users, again by example:

DEFAULT Acct-Status-Type == Stop
Exec-Program = /opt/bin/test-exec.sh

This correctly prints out all the env variables to the file as expected.
The problem is however that with ADSL traffic regularly exceeding the
Gigawords boundaries of Acct-Input-Octets, we rely on the
Acct-Input-Gigawords for the overflow. This is unfortunately not showing
up in the list of env variables.

Any way to resolve this?

Thanks
-Rob


Re: Acct-Input-Gigawords in Exec-Program env

2007-09-26 Thread Alan DeKok
Rob Hartzenberg wrote:
 I'm having trouble identifying the Acct-Input-Gigawords field in the
 shell environment of Exec-Program.
 Does anyone know how to ensure that it is being exported?

  Read the output of debugging mode.  If it's in the packet, it will be
exported to any shell program.  See doc/variables.txt for documentation
on how this happens.

 This correctly prints out all the env variables to the file as expected.
 The problem is however that with ADSL traffic regularly exceeding the
 Gigawords boundaries of Acct-Input-Octets, we rely on the
 Acct-Input-Gigawords for the overflow. This is unfortunately not showing
 up in the list of env variables.
 
 Anyway to resolve this?

  Make the NAS send the attribute.

  If the NAS isn't sending the attribute, how do you expect the server
to log it?  What value do you expect the server to use?  Does it invent
the attribute out of thin air?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
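
The overflow arithmetic this thread is about, as an added example that is not part of the original posts: a helper an accounting Exec-Program script could use to combine Acct-Input-Gigawords and Acct-Input-Octets into one total, treating a Gigawords value the NAS did not send as zero. The environment variable names assume the server exports attributes upper-cased with hyphens turned into underscores; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS.
# Assumption: the server exports request attributes to the program's
# environment upper-cased with '-' replaced by '_'
# (ACCT_INPUT_OCTETS, ACCT_INPUT_GIGAWORDS, ACCT_STATUS_TYPE).

MAX_U32=4294967295      # largest value of a 32-bit RADIUS integer
MAX_GIGA=2147483647     # keeps giga * 2^32 + octets inside signed 64-bit

# is_u32 VALUE: true only for a plain decimal number in 0..MAX_U32.
# Anything else (empty, signs, spaces, shell metacharacters, leading
# zeros that $(( )) would read as octal) is rejected before arithmetic.
is_u32() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0) return 0 ;;
        0*) return 1 ;;
    esac
    [ "${#1}" -le 10 ] && [ "$1" -le "$MAX_U32" ]
}

# total_input_octets: print Gigawords * 2^32 + Octets.
# Acct-Input-Gigawords counts how many times the 32-bit octet counter
# wrapped. If the NAS did not send it, it is not in the environment and
# is treated as 0 here.
total_input_octets() {
    octets=${ACCT_INPUT_OCTETS:-}
    giga=${ACCT_INPUT_GIGAWORDS:-0}
    is_u32 "$octets" || return 1
    is_u32 "$giga" || return 1
    [ "$giga" -le "$MAX_GIGA" ] || return 1
    echo $(( $giga * 4294967296 + $octets ))
}

# Only act when the server has exported accounting attributes.
if [ -n "${ACCT_STATUS_TYPE:-}" ]; then
    if total=$(total_input_octets); then
        echo "input_octets_total=$total"
    else
        echo "input_octets_total=invalid" >&2
        exit 1
    fi
fi
```

Dumping the environment with printenv, as in the original post, shows whether ACCT_INPUT_GIGAWORDS is present for a given packet.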


Re: Exec-Program based on LDAP Attribute

2007-09-26 Thread Alan DeKok
John Wever wrote:
 DEFAULT Acct-Status-Type == Start, CustomAttrib == true

  That *matches* the Custom Attribute.  Is that what you want?

Exec-Program = /path/to/script.sh %u %{Framed-IP-Address}
 %{CustomAttrib}
 
 I've tried setting the ItemType of the CustomAttrib to checkItem and
 replyItem, but neither method worked. My script needs access to the
 username and the Framed-IP-Address.

 Any suggestions?

  Read doc/variables.txt to see how to refer to attributes in the reply
or check item list.

  Alan DeKok.


Re: Exec-Program based on LDAP Attribute

2007-09-26 Thread John Wever
Yes, that's exactly what I want, but the script is never fired. It is my
understanding that the acct_users file only sees accounting packet data,
if the CustomAttrib is a checkItem would it even be available to query
at this point?


Just as info, I take off the ", CustomAttrib == true" and the script
fires as expected for all authenticated users.


Alan DeKok wrote:

John Wever wrote:

DEFAULT Acct-Status-Type == Start, CustomAttrib == true


  That *matches* the Custom Attribute.  Is that what you want?


   Exec-Program = /path/to/script.sh %u %{Framed-IP-Address}
%{CustomAttrib}

I've tried setting the ItemType of the CustomAttrib to checkItem and
replyItem, but neither method worked. My script needs access to the
username and the Framed-IP-Address.

Any suggestions?


  Read doc/variables.txt to see how to refer to attributes in the reply
or check item list.

  Alan DeKok.


Re: Exec-Program based on LDAP Attribute

2007-09-26 Thread Alan DeKok
John Wever wrote:
 Yes, thats exactly what I want, but the script is never fired. It is my
 understanding that the acct_users file only sees accounting packet data,

  Yes.

 if the CustomAttrib is a checkItem would it even be available to query
 at this point?

  The acct_users file can't do comparisons on check items.  So what
you're trying to do is impossible in 1.x.

  See CVS head and unlang for how to do this easily.

  Alan DeKok.


Exec-Program based on LDAP Attribute

2007-09-25 Thread John Wever
I need to be able to fire off a script via the Exec-Program (or some 
other method) based upon a successful authentication and the value of an 
LDAP attribute on the user's account. I tried putting the following in 
the acct_users...


DEFAULT Acct-Status-Type == Start, CustomAttrib == true
   Exec-Program = "/path/to/script.sh %u %{Framed-IP-Address} %{CustomAttrib}"


I've tried setting the ItemType of the CustomAttrib to checkItem and 
replyItem, but neither method worked. My script needs access to the 
username and the Framed-IP-Address.


Any suggestions?


Re: Exec-Program-Wait

2007-06-25 Thread Alan DeKok
Michael Alexeev wrote:
 I found it on the following site:
 http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html

  Which is the manual for the GNU radius server.  There was never a 0.95
release of FreeRADIUS.

  Alan DeKok.


Re: Exec-Program-Wait

2007-06-24 Thread Michael Alexeev

   What led you to believe %C{User-Name} would be the user name?  The
 documentation says it's %{User-Name}.  Where did the extra 'C' come from?


I found it on the following site:
http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html

quote
Example

Suppose the `users' file contains the following entry:

DEFAULT Auth-Type = System,
Simultaneous-Use = 1
Exec-Program-Wait = /usr/local/sbin/telauth \
 %C{User-Name} \
 %C{Calling-Station-Id}

Then, upon successful matching, the program `/usr/local/sbin/telauth'
will be executed. It will get as its arguments the values of User-Name
and Calling-Station-Id attributes from the request pairs.

end of quote

Anyway, after removing the extra 'C' everything works like fine. Thanks
for the help.

Mike


Re: Exec-Program-Wait

2007-06-24 Thread Peter Nixon
On Mon 25 Jun 2007, Michael Alexeev wrote:
What led you to believe %C{User-Name} would be the user name?  The
  documentation says it's %{User-Name}.  Where did the extra 'C' come
  from?

 I found it on the following site:
 http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html

Which, if you read the title is the GNU Radius Manual, not the FreeRADIUS 
Manual. You will probably have better luck if you read docs for the 
software you are using ;-)

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Exec-Program-Wait

2007-06-23 Thread Michael Alexeev
Hi all,

I am having trouble with macro substitution in Exec-Program-Wait
attribute. For some reason %C{User-Name} is expanded to
localhost{User-Name}  string instead of real user name. Here is an
excerpt from the users config file:

jsullivan   User-Password == mypass
            Exec-Program-Wait = "/bin/radius_chain %C{User-Name}"

where /bin/radius_chain simply dumps the first parameter to the file:

#!/bin/sh
# Write the first argument to a file for inspection
param=$1
echo "param=$param" > /bin/test/test.txt
exit 0

The content of the /bin/test/test.txt is

param=localhost{User-Name}

instead of expected
param=jsullivan

Any ideas what is going on?

I am using FreeRadius Version 1.1.6 on linux

Thanks,
Mike


Re: Exec-Program-Wait

2007-06-23 Thread Alan DeKok
Michael Alexeev wrote:
 Hi all,
 
 I am having trouble with macro substitution in Exec-Program-Wait
 attribute. For some reason %C{User-Name} is expanded to
 localhost{User-Name}  string instead of real user name.

  Because %C is documented as being the client name.

  What led you to believe %C{User-Name} would be the user name?  The
documentation says it's %{User-Name}.  Where did the extra 'C' come from?

  Alan DeKok.



Re: Exec-Program-Wait

2007-06-20 Thread Alan DeKok
Felipe Ceglia - PY1NB wrote:
 When I run it thru users file, it is called, and works.

  You put it in the reply list in the users file, and the check
table in the SQL database.

  Put it in the reply table in the SQL database.

  Alan DeKok.


Re: Problem with Exec-Program-Wait Parameter

2007-03-15 Thread Alan DeKok
Peter Urban wrote:
 I want to pass the username and password to an external program.
 I already tried the following code but it didn't work:
 
 DEFAULT Auth-Type ?= External
 Exec-Program-Wait = /etc/raddb/mytestprogram %u %w,
 Fall-Through = Yes
 
 I found the %u placeholder in the doc/variable.txt document but I couldn't
 find anything about a placeholder for the password. The %w does not work.
 (only in xtradius-version)

  How about %{User-Password} ?  The documentation is relatively clear
about referencing any attribute.

 Other Question: is %u the same as %{User-Name} ?

  Yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to add check item (Pool-Name) from Exec-Program-Wait script?

2007-02-02 Thread Mindaugas

  I want to use two ippools. That's no problem of course. But which IP pool
 to assign I can decide only in Exec-Program-Wait script. Now I have the
 following lines in users file:

 DEFAULT Auth-Type := Accept
Exec-Program-Wait = /etc/raddb/authclient

 authclient script checks text file, connects to MySQL and Oracle and then 
 it
 can say - use ippool1 or ippool2. But how to set Pool-Name check item? As
 far as I understand if authclient would write Pool-Name:=ipool1 to 
 stdout
 then that would be reply not check item!?

  So how could I tell from the script which ippool to use? I feel that that
 somehow should be possible since ippool is post-auth thing. :)

  So no ideas? :)

  I'm thinking that maybe Fall-Through = Yes could help!? But again - how 
to set something from script that I could specify as check item in second 
DEFAULT entry?

  Thanks,

  Mindaugas



Re: How to add check item (Pool-Name) from Exec-Program-Wait script?

2007-02-02 Thread Phil Mayers
Mindaugas wrote:
  I want to use two ippools. That's no problem of course. But which IP pool
 to assign I can decide only in Exec-Program-Wait script. Now I have the
 following lines in users file:

 DEFAULT Auth-Type := Accept
Exec-Program-Wait = /etc/raddb/authclient

 authclient script checks text file, connects to MySQL and Oracle and then 
 it
 can say - use ippool1 or ippool2. But how to set Pool-Name check item? As
 far as I understand if authclient would write Pool-Name:=ipool1 to 
 stdout
 then that would be reply not check item!?

  So how could I tell from the script which ippool to use? I feel that that
 somehow should be possible since ippool is post-auth thing. :)
 
   So no ideas? :)

The exec module has two configuration items specifying where to take 
the input from and output to. You will want to do this:

exec myprogram {
   wait = yes
   program = /path/to/your/program %{Some-Argument}
   input_pairs = request
   output_pairs = config
}

Then put the module in the authorize section:

authorize {
   preprocess
   files
   # ..others
   myprogram
}

There may be other ways of doing this. In particular, you might be able 
in the users file to do this (haven't tested it):

DEFAULT Pool-Name := `%{exec:/path/to/program args}`
Fall-Through = yes/no

 
   I'm thinking that maybe Fall-Through = Yes could help!? But again - how 
 to set something from script that I could specify as check item in second 
 DEFAULT entry?

You can't compare against config items in the users file, but should 
not need to
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
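
One way the program behind the `exec myprogram` instance in the reply above could be written, as an added example that is not part of the original thread: it answers on stdout with a single Pool-Name pair and prints only pool names from a fixed allowlist, because with output_pairs = config whatever the program prints is parsed into the config list. The map file format, its path, the POOL_MAP variable, the %{User-Name} argument and the function names are hypothetical, and a non-zero exit status is assumed to make the module call fail.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS.
# Hypothetical map file: one "username poolname" pair per line,
# lines starting with '#' are comments.

# valid_user NAME: the name comes from the request, so accept only a
# conservative character set and a bounded length before using it.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# pool_for_user NAME MAPFILE: print the pool assigned to NAME, or fail.
pool_for_user() {
    valid_user "$1" || return 1
    [ -r "$2" ] || return 1
    while read -r user pool rest; do
        case "$user" in ''|'#'*) continue ;; esac
        [ "$user" = "$1" ] || continue
        # Allowlist: only the two pools named in the thread can ever be
        # printed, so a bad map entry cannot put other text on stdout.
        case "$pool" in
            ippool1|ippool2) printf '%s\n' "$pool"; return 0 ;;
            *) return 1 ;;
        esac
    done < "$2"
    return 1
}

# emit_pool_pair NAME MAPFILE: print the pair for the server to parse.
emit_pool_pair() {
    chosen=$(pool_for_user "$1" "$2") || return 1
    printf 'Pool-Name := "%s"\n' "$chosen"
}

# Assumed invocation: program = "/path/to/your/program %{User-Name}"
if [ "$#" -ge 1 ]; then
    emit_pool_pair "$1" "${POOL_MAP:-/etc/raddb/pool.map}" || exit 1
fi
```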


Re: How to add check item (Pool-Name) from Exec-Program-Wait script?

2007-02-02 Thread Mindaugas
  I want to use two ippools. That's no problem of course. But which IP 
 pool
 to assign I can decide only in Exec-Program-Wait script. Now I have the
 following lines in users file:

 DEFAULT Auth-Type := Accept
Exec-Program-Wait = /etc/raddb/authclient

 authclient script checks text file, connects to MySQL and Oracle and 
 then
 it
 can say - use ippool1 or ippool2. But how to set Pool-Name check item? 
 As
 far as I understand if authclient would write Pool-Name:=ipool1 to
 stdout
 then that would be reply not check item!?

  So how could I tell from the script which ippool to use? I feel that 
 that
 somehow should be possible since ippool is post-auth thing. :)

   So no ideas? :)

 The exec module has two configuration items specifying where to take
 the input from and output to. You will want to do this:

 exec myprogram {
   wait = yes
   program = /path/to/your/program %{Some-Argument}
   input_pairs = request
   output_pairs = config
 }

 Then put the module in the authorize section:

 authorize {
   preprocess
   files
   # ..others
   myprogram
 }

  Aha! So my program then should write Pool-Name:=ippool2 to stdout and it 
will pass as check item in post auth section later? And it can also return 1 
if I want to deny access for particular user?

  Thank you for the hint. I'll test it anyway.

  Mindaugas



How to add check item (Pool-Name) from Exec-Program-Wait script?

2007-02-01 Thread Mindaugas

  Hello,

  I want to use two ippools. That's no problem of course. But which IP pool 
to assign I can decide only in Exec-Program-Wait script. Now I have the 
following lines in users file:

DEFAULT Auth-Type := Accept
Exec-Program-Wait = /etc/raddb/authclient

authclient script checks text file, connects to MySQL and Oracle and then it 
can say - use ippool1 or ippool2. But how to set Pool-Name check item? As 
far as I understand if authclient would write Pool-Name:=ipool1 to stdout 
then that would be reply not check item!?

  So how could I tell from the script which ippool to use? I feel that that 
somehow should be possible since ippool is post-auth thing. :)

  Thanks,

  Mindaugas



Help to pass a local variable from Freeradius to exec program

2006-09-29 Thread Shankar Ganesh C
Hi All

I am trying to pass an integer value from Free radius to exec program.
I have tried to add it as a value pair using paircreate() and then added the
same to the request->packet->vps using pairadd.

Set the lvalue, strvalue etc. and passed to the radius_exec_program from
rad_accounting module.

Also set the tmp->name = Atribute-Name-Format.

Still the attribute and value is not getting printed in the exec program.
Any help in this regard would really help me.

Thanks and regards
Shankar ganesh



exec-program-wait to send back AV pairs to freeradius

2006-09-07 Thread Shankar Ganesh C



Hi All,

I am trying to set values for more than one attribute in the
exec-program-wait for accounting start packets.

Below is the code I am trying in the exec-program-wait:

putenv("Calling-Station-ID=10");
putenv("Called-Station-ID=50");
putenv("Acct-Session-ID=20");
return 0;

I have set the exec-wait=yes in the radiusd.conf

I am not sure whether freeradius picks all these values and sets them in the
valuepairs of the radius_exec_program()

I am trying to set the accounting response packets with these value pairs in
the rad_accounting using pairmove but still my accounting response packets
do not contain these attribute value pairs.

Can somebody help me to solve this problem?

Thanks and regards
Shankar ganesh






Re: exec-program-wait to send back AV pairs to freeradius

2006-09-07 Thread Alan DeKok
Shankar Ganesh C [EMAIL PROTECTED] wrote:
 Below is the code i am trying in the exec-program-wait
 
 putenv("Calling-Station-ID=10")

  That is not the documented way to send attributes back to the server.

  See scripts/exec-program-wait

 I am trying to set the accounting response packets with this value
 pairs in the rad_accounting using pairmove but still my accounting
 response packets does not contain this attributes value pairs.

  Accounting responses are not allowed to contain any attributes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Dynamic port assignment to exec program

2006-09-04 Thread Shankar Ganesh C



Hi,

I have a requirement to have a socket communication in the exec program
from freeradius for an accounting start.
I understand that for every accounting request from free radius an exec
program will be executed.
How can I assign the exec program a dynamic port from the freeradius when it
is invoked? Is there any configuration that needs to be done?

Thanks and regards
Shankar ganesh

RE: How to return the values from the exec program to free radius?

2006-08-30 Thread Shankar Ganesh C



Hi All,

Could somebody help me on the same?

Thanks and regards
Shankar ganesh

  -Original Message-
  From: Shankar Ganesh [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, August 30, 2006 11:02 AM
  To: freeradius-users@lists.freeradius.org
  Subject: How to return the values from the exec program to free radius?

  Hi All,

  Could somebody help me to know how to return values from the exec program?
  I can understand that I need to use the output-pairs or reply list. But I do
  not really know how to use that; any sample code or document would really
  help me.

  Thanks and regards
  Shankar ganesh

Re: How to return the values from the exec program to free radius?

2006-08-30 Thread Alan DeKok
Shankar Ganesh C [EMAIL PROTECTED] wrote:
 Could some body help me to know how to return values from the exec program ?

  scripts/exec-program-wait

  It describes what to do.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


How to return the values from the exec program to free radius?

2006-08-29 Thread Shankar Ganesh C



Hi All,

Could somebody help me to know how to return values from the exec program?
I can understand that I need to use the output-pairs or reply list. But I do
not really know how to use that; any sample code or document would really
help me.

Thanks and regards
Shankar ganesh

RE: acct_users Exec-Program causing defunct programs

2006-08-10 Thread Michael da Silva Pereira
Hi Everyone,

Maybe this can help you:

In acct_users if you use exec-program and you get defunct apps running then
try this exec-program-wait. This seems to sort it out.

Thanks,
Michael 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: 09 August 2006 11:23 PM
To: FreeRadius users mailing list
Subject: Re: acct_users Exec-Program causing defunct programs

Michael da Silva Pereira [EMAIL PROTECTED] wrote:
 I am trying to use Exec-Program to notify me of users logging in and
 out of my systems. For some reason I keep getting defunct programs
 every time it runs my application:

  I think that's fixed in 1.1.3, which will be out maybe this week.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Autoreply: RE: acct_users Exec-Program causing defunct programs

2006-08-10 Thread gparlato

I am currently out of the office. For urgent requests, call 800 919299 or
send an e-mail to [EMAIL PROTECTED] or to [EMAIL PROTECTED]

Kind regards
Giuseppe Parlato
Area Network
mailto:[EMAIL PROTECTED]




acct_users Exec-Program causing defunct programs

2006-08-09 Thread Michael da Silva Pereira
Hi,

I am trying to use Exec-Program to notify me of users logging in and out of
my systems. For some reason I keep getting defunct programs every time it
runs my application:
 
 

My acct_users file looks like the following:
---
DEFAULT Acct-Status-Type == Start
Exec-Program = /etc/raddb/test.sh
 
DEFAULT Acct-Status-Type == Stop
Exec-Program = /etc/raddb/test.sh
 
DEFAULT Acct-Status-Type == Update
Exec-Program = /etc/raddb/test.sh
---
 
 
 
My /etc/raddb/test.sh  looks like the following:
---
#!/bin/sh
exit 0;
---



I am running:
radiusd: FreeRADIUS Version 1.1.1, for host , built on Jul 25 2006 at
22:12:32
Copyright (C) 2000-2006 The FreeRADIUS server project. 
 
Any assistance would be greatly appreciated.
 

 
Kind Regards,   
Michael da Silva Pereira





Re: acct_users Exec-Program causing defunct programs

2006-08-09 Thread Alan DeKok
Michael da Silva Pereira [EMAIL PROTECTED] wrote:
 I am trying to use Exec-Program to notify me of users logging in and out of
 my systems. For some reason I keep getting defunct programs every time it
 runs my application:

  I think that's fixed in 1.1.3, which will be out maybe this week.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




RE: exec-program dependent on ldap attribute values

2006-06-30 Thread Tariq Rashid


Tariq Rashid [EMAIL PROTECTED] wrote:
> I would like however for the script to be called only when an LDAP attribute
> has a certain value. Is this possible? The user's LDAP profile has already
> been searched for the user's password in the initial auth request, and
> possibly in the acct request.
>
> something like the following does not work:
>
> DEFAULT Acct-Status-Type == Start, Account-Status == inactive
>     Exec-Program = "/etc/freeradius/scripts/acct_start.py %{User-Name}"
>
> where Account-Status is mapped to the LDAP attribute in the ldap-attrmap
> file.

  Probably because Account-Status is a check item, and not in the
request.  It will have to go into the request for it to be compared in
the acct_users file.

  Alan DeKok.
---

so must it be added to the request artificially before the comparison happens?
i'm not sure what the recommended way to achieve this is...

tariq



exec-program dependent on ldap attribute values

2006-06-29 Thread Tariq Rashid

Hi,

I am using the acct_users file to trigger an external script when an accounting 
start has been received:

DEFAULT Acct-Status-Type == Start
    Exec-Program = "/etc/freeradius/scripts/acct_start.py %{User-Name}"

I would like however for the script to be called only when an LDAP attribute
has a certain value. Is this possible? The user's LDAP profile has already
been searched for the user's password in the initial auth request, and possibly
in the acct request.

something like the following does not work:

DEFAULT Acct-Status-Type == Start, Account-Status == inactive
    Exec-Program = "/etc/freeradius/scripts/acct_start.py %{User-Name}"

where Account-Status is mapped to the LDAP attribute in the ldap-attrmap file.

Tariq





Re: exec-program dependent on ldap attribute values

2006-06-29 Thread Alan DeKok
Tariq Rashid [EMAIL PROTECTED] wrote:
> I would like however for the script to be called only when an LDAP attribute
> has a certain value. Is this possible? The user's LDAP profile has already
> been searched for the user's password in the initial auth request, and
> possibly in the acct request.
>
> something like the following does not work:
>
> DEFAULT Acct-Status-Type == Start, Account-Status == inactive
>     Exec-Program = "/etc/freeradius/scripts/acct_start.py %{User-Name}"
>
> where Account-Status is mapped to the LDAP attribute in the ldap-attrmap
> file.

  Probably because Account-Status is a check item, and not in the
request.  It will have to go into the request for it to be compared in
the acct_users file.

  Alan DeKok.


Re: Exec-Program and length of arguments

2006-06-08 Thread Joe Maimon



Anton Maksimenkov wrote:

>>> If I add to users file this:
>> When I used exec-program all the attributes I wanted were in the
>> environment.
>
> And how can I exploit it? I get only this:
> --
> $ cat /home/engineer/acrad.sh
> #!/bin/sh
> printenv > /tmp/exec-program-wait
> --
> bob   Auth-Type := Local, User-Password == bob
>    Reply-Message = "Hello, %u",
>    Exec-Program = /home/engineer/acrad.sh
> --
> after radtest in /tmp/exec-program-wait I found only
> $ cat /tmp/exec-program-wait
> CLIENT_IP_ADDRESS=127.0.0.1
> NAS_IP_ADDRESS=255.255.255.255
> PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
> NAS_PORT=0
> USER_PASSWORD=bob
> USER_NAME=bob

See? It's working perfectly. Your radtest caused the above.

> But this is far less than what I wait for... I need to do the same
> that SQL accounting does.

Your radtest DOES NOT cause accounting requests to occur as well.

> If I look at raddb/pgsql-voip.conf, I can see

<snip>

> I read this. But I just newbie, sorry. I tried this
> exec echo {
>     wait = yes
>     program = "/home/engineer/acrad.sh %{User-Name}"
>     input_pairs = request
>     output_pairs = reply
> }
> instantiate {
>    exec
> ...
> but it seems that program not started at all.

packet_type = Accounting-Request

And make sure you instantiate the echo instance of the exec module
under the radiusd accounting section


Re: Exec-Program and length of arguments

2006-06-07 Thread Anton Maksimenkov

>> If I add to users file this:
> When I used exec-program all the attributes I wanted were in the
> environment.

And how can I exploit it? I get only this:
--
$ cat /home/engineer/acrad.sh
#!/bin/sh
printenv > /tmp/exec-program-wait
--
bob   Auth-Type := Local, User-Password == bob
   Reply-Message = "Hello, %u",
   Exec-Program = /home/engineer/acrad.sh
--
after radtest in /tmp/exec-program-wait I found only
$ cat /tmp/exec-program-wait
CLIENT_IP_ADDRESS=127.0.0.1
NAS_IP_ADDRESS=255.255.255.255
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
NAS_PORT=0
USER_PASSWORD=bob
USER_NAME=bob

But this is far less than what I wait for... I need to do the same
that SQL accounting does. If I look at raddb/pgsql-voip.conf, I can see
the pretty accounting_stop_query, which puts many interesting info to
database. I think it can put all the
%{User-Name} : %{Service-Type} : %{Acct-Status-Type} :
%{Acct-Session-Id} : %{Framed-Protocol} : %{NAS-Identifier} :
%{NAS-Port-Id} : %{NAS-IP-Address} : %{Calling-Station-Id} :
%{Called-Station-Id} : %{Framed-IP-Address} : %{Acct-Input-Octets} :
%{Acct-Output-Octets} : %{Acct-Input-Packets} : %{Acct-Output-Packets}
: %{Acct-Session-Time} : %{Acct-Terminate-Cause}
Am I right?

So, how can I do the same, but with perl/shell script (e.g. pass all
this variables as arguments or environment) ?


> From radiusd.conf
> #
> #  The attributes which are placed into the
> #  environment variables for the program.
> #
> #  Allowed values are:
> #
> #   request         attributes from the request
> #   config          attributes from the configuration items list
> #   reply           attributes from the reply
> #   proxy-request   attributes from the proxy request
> #   proxy-reply     attributes from the proxy reply
> #
> #  Note that some attributes may not exist at some
> #  stages.  e.g. There may be no proxy-reply
> #  attributes if this module is used in the
> #  'authorize' section.

I read this. But I just newbie, sorry. I tried this
exec echo {
    wait = yes
    program = "/home/engineer/acrad.sh %{User-Name}"
    input_pairs = request
    output_pairs = reply
}
instantiate {
   exec
...
but it seems that program not started at all.

--
engineer


Exec-Program and length of arguments

2006-06-06 Thread Anton Maksimenkov

Hi.

If I add to users file this:
bob   Auth-Type := Local, User-Password == bob
   Reply-Message = "Hello, %u",
   Exec-Program = "/home/engineer/acrad.pl User-Name=%{User-Name}
Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type}
Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol}
NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id}"

it works. But I need to pass more arguments to my program, but as far
as I can see there is some limit. If I add this:
Exec-Program = "/home/engineer/acrad.sh User-Name=%{User-Name}
Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type}
Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol}
NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id}
NAS-IP-Address=%{NAS-IP-Address}
Calling-Station-Id=%{Calling-Station-Id}
Called-Station-Id=%{Called-Station-Id}
Framed-IP-Address=%{Framed-IP-Address}
Acct-Input-Octets=%{Acct-Input-Octets}
Acct-Output-Octets=%{Acct-Output-Octets}
Acct-Input-Packets=%{Acct-Input-Packets}
Acct-Output-Packets=%{Acct-Output-Packets}
Acct-Session-Time=%{Acct-Session-Time}
Acct-Terminate-Cause=%{Acct-Terminate-Cause}"

# radiusd -sfxxyz -l stdout 2>&1
...
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
/etc/raddb/users[220]: Parse error (reply) for entry bob: Expected end
of line or comma
Errors reading /etc/raddb/users
radiusd.conf[1047]: files: Module instantiation failed.
radiusd.conf[1791] Unknown module files.
radiusd.conf[1727] Failed to parse authorize section.

and same with hints file.

The main goal is that I need to do some accounting by my script. I
looked at experimental.conf (at the perl section), but for now I do not
understand whether I can utilize it for my needs somehow.
What can I do?
--
engineer


Exec program debugging.

2006-03-20 Thread Eliot, Wireless and Server Administrator, Great Lakes Internet

I am trying to execute a program in the post-proxy section on
Access-Accept packets to bring up bandwidth management for a user when
they log in:

(radiusd.conf)

  exec bwup {
    wait = no;
    program = "/etc/raddb/bwlimit start %{User-Name} %{Calling-Station-Id} %{Tunnel-Private-Group-Id:0} %{NAS-Port} %{GLI-Rx-Data-Rate} %{GLI-Tx-Data-Rate}"
    input_pairs = reply
    packet_type = Access-Accept
    output = none
  }

post-proxy {
# post_proxy_log
# attr_rewrite
# attr_filter
  exec
  eap
}

However, the exec call keeps failing when called from inside radiusd -X:


Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.6.99:1645, id=3,
length=128
User-Name = 
Framed-MTU = 1400
Called-Station-Id = 00-13-19-36-C4-52
Calling-Station-Id = 00-13-D3-67-D7-05
Service-Type = Login-User
Message-Authenticator = 0x43483d78f3b3f25bcb7657f1522050ef
EAP-Message = 0x0202000501
NAS-Port-Type = Wireless-802.11
NAS-Port = 262
NAS-IP-Address = xxx.xxx.6.99
NAS-Identifier = -Ch11
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = , looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = 
rlm_realm: Proxying request from user  to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated for request 0
  rlm_eap: Request is supposed to be proxied to Realm NULL.  Not doing
EAP.
  modcall[authorize]: module eap returns noop for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to xxx.xxx.178.13:1645
User-Name = 
Framed-MTU = 1400
Called-Station-Id = 00-13-19-36-C4-52
Calling-Station-Id = 00-13-D3-67-D7-05
Service-Type = Login-User
Message-Authenticator = 0x
EAP-Message = 0x0202000501
NAS-Port-Type = Wireless-802.11
NAS-Port = 262
NAS-IP-Address = xxx.xxx.6.99
NAS-Identifier = -Ch11
Proxy-State = 0x33
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Challenge packet from host xxx.xxx.178.13:1645, id=0,
length=80
Proxy-State = 0x33
Session-Timeout = 30
EAP-Message = 0x010300061920
State = 0x1cc3035501370001d819b40600034b872b6f01
Message-Authenticator = 0x2153f90d4c19a27ae054f7f297611c86
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
rlm_exec (exec): We require a program to execute
  modcall[post-proxy]: module exec returns fail for request 0
modcall: group post-proxy returns fail for request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 31 seconds...


But, if I take the values from a valid Access-Accept packet for the
attributes listed above, the file executes correctly with no errors:

wireless-r1 raddb # su - radiusd
[EMAIL PROTECTED] ~ $ /etc/raddb/bwlimit start egable 00:a0:12:34:56:78 3 7 1024 512
[EMAIL PROTECTED] ~ $ /etc/raddb/bwlimit stop egable
[EMAIL PROTECTED] ~ $ exit
logout
wireless-r1 raddb #

All of my rules get added correctly when issuing a start command and
they get removed correctly when issuing the stop command, but only if I
issue the commands from the command line. 

If I add more Xs to the -X, it still doesn't tell me why it is failing
(what the specific error message is):

Mon Mar 20 13:32:45 2006 : Debug:   Processing the post-proxy section of
radiusd.conf
Mon Mar 20 13:32:45 2006 : Debug: modcall: entering group post-proxy for
request 0
Mon Mar 20 13:32:45 2006 : Debug:   modsingle[post-proxy]: calling exec
(rlm_exec) for request 0
Mon Mar 20 13:32:45 2006 : Error: rlm_exec (exec): We require a program
to execute
Mon Mar 20 13:32:45 2006 : Debug:   modsingle[post-proxy]: returned from
exec (rlm_exec) for request 0
Mon Mar 20 13:32:45 2006 : Debug:   modcall[post-proxy]: module exec
returns fail for request 0
Mon Mar 20 13:32:45 2006 : Debug: modcall: group post-proxy returns fail
for request 0
Mon Mar 20 13:32:45 2006 : Debug: Going to the next request
Mon Mar 20 13:32:45 2006 : Debug: rl_next:  returning NULL
Mon Mar 20 13:32:45 2006 : Debug: Waking up in 6 seconds...


I am assuming I just have the configuration for this set up wrong or
something. Obviously, the Access-Accept packet is not yet coming back
because the first Access-Challenge hasn't even been passed on to the AP
yet. So, I'm not sure why the post-proxy section even wants to fire the
program at this point in the authentication process. Does anyone know
what I did wrong?

Thanks.


 
Eliot Gable
Certified Wireless 

Re: Exec program debugging.

2006-03-20 Thread Alan DeKok
Eliot, Wireless and Server Administrator,
Great Lakes Internet [EMAIL PROTECTED] wrote:
> I am trying to execute a program in the post-proxy section on
> Access-Accept packets to bring up bandwidth management for a user when
> they log in:
>
> (radiusd.conf)
>
>   exec bwup {
> ...
> post-proxy {
> ...
>   exec

  List bwup, not exec.

  Alan DeKok.


Exec-Program

2006-01-27 Thread Priscilla B
Hi,

Hope someone can help me to give me a more detailed
explanation about Exec-Program.

I see this in the acct_users file. 

DEFAULT Acct-Status-Type == Start
    Exec-Program = "/path/to/exec/acct/start"

Do we have to make our own file for this Exec-Program
or is there already one provided in the basic package?
Or if not, can someone give me an example of this
file?

Sorry if I ask a stupid favor, since I am still a newbie
in this field.

Thanks  a lot

Priscilla
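
Added example (not part of the original post, and not a file shipped with FreeRADIUS): a small handler of the kind asked about here, for the acct_users Exec-Program entry above. It reads attributes from the environment, as the printenv output earlier in this archive shows, instead of from a long argument list; the accounting variable names (ACCT_STATUS_TYPE, ACCT_SESSION_ID, CALLING_STATION_ID) follow that naming pattern and are assumptions, as is the log path.

```shell
#!/bin/sh
# Added example: handler for an Exec-Program entry on Accounting Start.
# Assumption: radiusd exports request attributes as upper-case environment
# variables with "-" replaced by "_" (USER_NAME, NAS_IP_ADDRESS, ...).
PATH=/usr/bin:/bin; export PATH                       # fixed, minimal PATH
ACCT_LOG=${ACCT_LOG:-/var/log/radius/acct-exec.log}   # hypothetical path

# clean VALUE: make one attribute value safe to write as a log field.
# Values such as User-Name arrive from the network, so they are treated
# purely as data: never eval'd, never used unquoted, never used in a path.
clean() {
    v=$1
    # Some server versions wrap string values in double quotes; drop one pair.
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    # Replace everything outside a conservative set (spaces, "=", newlines,
    # control bytes) so a value cannot forge extra fields or extra log lines,
    # then cap the length.
    printf '%s' "$v" | LC_ALL=C tr -c 'A-Za-z0-9@._:-' '_' | cut -c1-128
}

# format_event: build one log line from the environment.
format_event() {
    printf 'status=%s user=%s session=%s nas=%s station=%s\n' \
        "$(clean "${ACCT_STATUS_TYPE:-}")" \
        "$(clean "${USER_NAME:-}")" \
        "$(clean "${ACCT_SESSION_ID:-}")" \
        "$(clean "${NAS_IP_ADDRESS:-}")" \
        "$(clean "${CALLING_STATION_ID:-}")"
}

# Only act when the server calls the script for an accounting packet.
if [ -n "${ACCT_STATUS_TYPE:-}" ]; then
    umask 077                      # log readable by the radius user only
    format_event >> "$ACCT_LOG"
fi
```

The environment also carries USER_PASSWORD on authentication requests, as the printenv output in this archive shows, so a handler should log only the fields it names and not dump the whole environment to a shared location such as /tmp.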



Re: Debian + Exec-Program = Zombie process

2006-01-27 Thread Joe Maimon



George Chelidze wrote:

> versions. Can I make some tests to narrow down the problem, or some
> other actions.
>
> Best Regards,
>
> George


I suppose you could add some debug code to where you believe the calls 
to waitpid should be/are


The way I read it, without threads it should be in 
src/main/radiusd.c:631 in cvs 20060124


Joe