Error: Exec-Program: Permission Denied when running via service start
Greetings all,

I've been racking my brains out trying to solve/debug the following issue; hopefully someone can provide a new perspective.

I've implemented mOTP as an external authentication program by defining it in radiusd.conf with a

    Program = /etc/raddb/otpverify.sh

statement. As I said, it does indeed work properly, except when I start the radiusd server up as a daemon via init.d:

    radiusd -X                          - Works properly
    service radiusd start
      or /etc/init.d/radiusd start      - FAILS
    sh /etc/init.d/radiusd start        - Works

When it works properly, I get proper Accept replies. When it 'fails', it's due to not being able to execute the script, and this is logged in radius.log:

    Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh: Permission denied

In all the above scenarios, I was root when executing the statements. I am *not* in a chroot jail, and all the necessary directories are read/write by user 'radiusd', which is what the process is running as. I'm also using the init.d script that came with the CentOS package.

My Linux platform and FreeRADIUS information is as follows: CentOS 5.5 - 2.6.18-194.32.1.el5 #1 SMP x86_64 GNU/Linux, running FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu.

Thanks for any assistance with this.
Re: Error: Exec-Program: Permission Denied when running via service start
On 03/29/2011 03:09 PM, Christopher Athans wrote:
> Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh: Permission denied

Is SELinux enabled?

    % getenforce

If it's enforcing then set it to permissive mode

    % setenforce 0

Now does it work? If so, what were your recent AVCs in /var/log/audit/audit.log?

Not the problem? Then verify the script can run as the radiusd user.

--
John Dennis jden...@redhat.com
Re: Error: Exec-Program: Permission Denied when running via service start
*sigh* it was indeed SELinux. I thought I had it disabled. Still not exactly sure why when I wrapped the init.d statement with a 'sh' it works, but nevertheless you solved my issue.

Thanks John.

On Tue, Mar 29, 2011 at 2:16 PM, John Dennis jden...@redhat.com wrote:
> Is SELinux enabled?
Re: Error: Exec-Program: Permission Denied when running via service start
On 03/29/2011 03:20 PM, Christopher Athans wrote:
> *sigh* it was indeed SELinux. I thought I had it disabled. Still not
> exactly sure why when I wrapped the init.d statement with a 'sh' it
> works, but nevertheless you solved my issue. Thanks John.

The behavior is different because /sbin/service has special SELinux transition rules.

--
John Dennis jden...@redhat.com
Re: Error: Exec-Program: Permission Denied when running via service start
Hi,

> When it 'fails', it's due to not being able to execute the script and
> this is logged in radius.log
> Error: Exec-Program: FAILED to execute /etc/raddb/otpverify.sh: Permission denied

it sounds like basics... but this error message is pretty straightforward... what are the permissions on that file? are you running e.g. SELinux?

alan
Re: Error: Exec-Program: Permission Denied when running via service start
Hi,

> *sigh* it was indeed SELinux. I thought I had it disabled. Still not
> exactly sure why when I wrapped the init.d statement with a 'sh' it
> works, but nevertheless you solved my issue. Thanks John.

you are going to fix the issue as shown by audit2allow etc. rather than just leave SELinux disabled or permissive? (so many people do that, then wonder how the bad guys got onto their server)

alan
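
Added example, not part of the original thread: before building a local policy module, it helps to see exactly which denials the daemon is generating. The function below summarises AVC records for one process name; the audit records, inode numbers and SELinux type names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log records (not from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1301425801.101:310): avc:  denied  { execute } for  pid=4021 comm="radiusd" name="otpverify.sh" dev=dm-0 ino=131244 scontext=root:system_r:radiusd_t:s0 tcontext=system_u:object_r:radiusd_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1301425801.101:310): arch=c000003e syscall=59 success=no exit=-13 comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC msg=audit(1301425833.417:318): avc:  denied  { execute } for  pid=4021 comm="radiusd" name="otpverify.sh" dev=dm-0 ino=131244 scontext=root:system_r:radiusd_t:s0 tcontext=system_u:object_r:radiusd_etc_t:s0 tclass=file
type=AVC msg=audit(1301425900.002:325): avc:  denied  { execute } for  pid=4077 comm="radiusd" name="bash" dev=dm-0 ino=98311 scontext=root:system_r:radiusd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1301426000.550:331): avc:  denied  { read } for  pid=2210 comm="httpd" name="report.txt" dev=dm-0 ino=55120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# avc_denials COMM
# Reads audit records on stdin and prints one line per distinct denial for COMM:
#   <count> <source type> -> <target type> <class> { perms } name=<object>
avc_denials() {
    awk -v want="$1" '
    # Return the value of key=value in the current record, quotes removed.
    function val(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # The SELinux type is the third field of user:role:type:level.
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }

    $1 == "type=AVC" && /avc: +denied/ && val("comm") == want {
        perms = ""
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART, RLENGTH)
        key = setype(val("scontext")) " -> " setype(val("tcontext")) " " \
              val("tclass") " " perms " name=" val("name")
        if (!(key in seen)) order[++n] = key
        seen[key]++
    }
    END { for (i = 1; i <= n; i++) print seen[order[i]], order[i] }
    '
}

# Demo on the constructed records. On a live host the input would be the
# audit log itself, for example: ausearch -m avc -c radiusd | avc_denials radiusd
sample_audit_log | avc_denials radiusd
```

The same records are what audit2allow consumes (for example `grep radiusd /var/log/audit/audit.log | audit2allow -M <module-name>`); read the generated .te file before loading it so the module grants only the accesses listed in the summary.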
reply-detail log And Exec-Program-Wait
Dear All,

I am upgrading from 1.1.7 to 2.1.10. I am using Exec-Program-Wait to run a script. In the old version, I can find the output of my script in the reply-detail log, but in the new version I only find the attribute

    Exec-Program-Wait = /usr/bin/php /var/www/html/check.php testuser 1

but I need all the output to be printed in the reply-detail log, so is there any way to do that?

Regards
Output from Exec-Program-Wait in users file
Hi,

I am migrating from an ancient radius install to FreeRADIUS Version 2.1.8.

The system uses a custom authentication binary which we access from the users file via:

    DEFAULT NAS-IP-Address == 192.168.1.100, Auth-Type := Accept, Simultaneous-Use := 1
            Exec-Program-Wait = /usr/local/sbin/auth -X -U -u 5882626 -- %{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} %{Vendor-Specific} ,
            Fall-Through = no

On the old version, the output from the EXEC was sent back in the Accept packet. Now it looks like the stdout from the Exec-Program-Wait is not being sent back but either dropped or misplaced.

    ++[sql] returns ok
    +- entering group post-auth {...}
    Exec-Program output: Framed-Compression=Van-Jacobsen-TCP-IP Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
    Exec-Program-Wait: plaintext: Framed-Compression=Van-Jacobsen-TCP-IP Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
    Exec-Program: returned: 0
    ++[exec] returns noop
    Sending Access-Accept of id 248 to 192.168.1.100 port 5
    Finished request 0.

Is there a way to direct the output from the Exec-Program into the Accept packet? As far as we can tell, we are sending back an empty Accept packet.

The values are calculated by the auth binary, so hard coding them would be very difficult.

It's after 1am here, so I hope this won't seem obvious in the morning. Any hints would be greatly appreciated.

Thanks so much,
-craig

Craig Campbell craig.campb...@ccraft.ca
CampbellCraft Consulting Inc
Re: Output from Exec-Program-Wait in users file
I think I found the issue.

One of the value pairs being returned used a name not defined in the dictionary file. The new name is similar leading me to suspect the old name was deprecated and eventually replaced with a more clear name.

Thanks all!
-craig

----- Original Message -----
From: Craig Campbell
To: FreeRadius users mailing list
Sent: Friday, November 12, 2010 6:24 AM
Subject: Output from Exec-Program-Wait in users file

> Is there a way to direct the output from the Exec-Program into the Accept packet?
Problem with expand result of exec-program
Hi everybody!!

I've got a strange problem with expanding the result of the execution of a program. This is my config data:

-- dictionary --

    ATTRIBUTE mi-resultado-script 3003 integer

-- exec --

    exec {
        wait = yes
        shell_escape = yes
        output = yes
    }

-- sites-available/default --

    mi-resultado-script = %{exec:/aplicaciones/radius/bin/radius_ath.sh}

But during the execution:

    Executing /aplicaciones/radius/bin/radius_ath.sh
    Exec-Program output:
    Exec-Program: returned: 1
    result 1
    expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} -

The result of the program is 1 but the value of the expression is not expanded, and the attribute mi-resultado-script always has zero value.

Could you help me with this? Thank you very much.
Re: Problem with expand result of exec-program
Juan Rodríguez wrote:
> Hi everybody!!
> Executing /aplicaciones/radius/bin/radius_ath.sh
> Exec-Program output:

The program printed nothing.

> Exec-Program: returned: 1
> result 1
> expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} -
>
> The result of the program is 1 but the value of the expression is not
> expanded, and the attribute mi-resultado-script has always zero value.
> Could you help me with this?

Fix your program so that it prints something to the output.

Alan DeKok.
RE: Problem with expand result of exec-program
Thank you Alan. I get this error now:

    expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} - 1
    ERROR: Failed parsing value 1 for attribute mi-resultado-script: Unknown value 1 for attribute mi-resultado-script

We can see a space after value 1. I've written the line echo 1 in my script only to be sure, but this space appears again.

Could you help me with this? Thanks again.

> Date: Thu, 23 Sep 2010 13:19:54 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Problem with expand result of exec-program
>
> Fix your program so that it prints something to the output.
Re: Problem with expand result of exec-program
Juan Rodríguez wrote:
> Thank you Alan. I get this error now:
> expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} - 1
> ERROR: Failed parsing value 1 for attribute mi-resultado-script: Unknown value 1 for attribute mi-resultado-script

See scripts/exec-program-wait

This is documented.

Alan DeKok.
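
Added example, not part of the original threads and not FreeRADIUS code: both this thread and "Output from Exec-Program-Wait in users file" above end in a dictionary problem (a returned pair whose name is not defined, and an integer attribute given a value that is neither a number nor a defined name). The checker below tests a script's output against ATTRIBUTE and VALUE lines before the script is wired into the server. The dictionary excerpt, the hypothetical Acme-Policy-Name attribute and the sample output are constructed, and the integer rule is a simplification of the server's own parser.

```sh
#!/bin/sh
# Constructed dictionary excerpt in FreeRADIUS dictionary syntax.
# mi-resultado-script is the attribute defined in the thread; Acme-Policy-Name is hypothetical.
sample_dictionary() {
cat <<'EOF'
ATTRIBUTE  Framed-Protocol      7     integer
ATTRIBUTE  Framed-MTU           12    integer
ATTRIBUTE  Reply-Message        18    string
ATTRIBUTE  Session-Timeout      27    integer
ATTRIBUTE  Acme-Policy-Name     3001  string
ATTRIBUTE  mi-resultado-script  3003  integer
VALUE      Framed-Protocol      PPP   1
EOF
}

# Constructed script output: line 3 uses a name that is not in the dictionary,
# line 4 carries a trailing space after the number.
sample_exec_output() {
    printf '%s\n' 'Framed-Protocol = PPP' 'Framed-MTU = 1500' \
        'Acme-Policy = GOLD' 'mi-resultado-script = 1 ' 'Session-Timeout = 86400'
}

# check_reply_pairs DICTIONARY_FILE
# Reads "Attribute = Value" lines on stdin and prints one line per problem.
# Prints nothing when every pair is acceptable; the exit status is always 0.
check_reply_pairs() {
    awk '
    # First input: the dictionary. Remember attribute types and named values.
    NR == FNR {
        if ($1 == "ATTRIBUTE") atype[$2] = $4
        else if ($1 == "VALUE") named[$2, $3] = 1
        next
    }
    /^[ \t]*$/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) { print "line " FNR ": not an Attribute = Value pair"; next }
        name = substr($0, 1, eq - 1)
        gsub(/[ \t:+]/, "", name)          # also drops the : or + of := and +=
        value = substr($0, eq + 1)
        sub(/^[ \t]+/, "", value)          # leading blanks only; trailing ones are kept
        sub(/,$/, "", value)
        if (!(name in atype)) {
            print "line " FNR ": unknown attribute [" name "]"
        } else if (atype[name] == "integer" && value !~ /^[0-9]+$/ && !((name, value) in named)) {
            print "line " FNR ": unknown value [" value "] for integer attribute [" name "]"
        }
    }
    ' "$1" -
}

# Demo on the constructed data.
dict_file=$(mktemp)
sample_dictionary > "$dict_file"
sample_exec_output | check_reply_pairs "$dict_file"
rm -f "$dict_file"
```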
Rewriting Exec-Program-Wait
Hello,

Just upgraded to freeradius2 2.1.7 on CentOS 5.5, and Exec-Program-Wait no longer works now for accounting packets. Rewrote to exec module. But for performance reasons we were not executing the external program for all the packets before. We used more specific user entries in the users and acct_users files to return a result without executing the program. Like:

    DEFAULT Auth-Type := Accept, NAS-Identifier == company, Calling-Station-Id =~ ^49, 3GPP-SGSN-Address =~ ^10.20.20.

    DEFAULT Auth-Type := Accept
            Exec-Program-Wait = /etc/raddb/external-auth

How to change that to exec module syntax, so that external-auth would not be called for certain packets?

Regards,
Mindaugas
Re: Accounting Exec-Program
David Rodríguez Fernández wrote:
> Hi list. The accounting is working, the radius server stores the
> accounting data in files, but doesn't execute my script. This script
> was working with a previous version of freeradius. I'm missing some
> configuration parameter, but I don't know what.

Have you listed exec in the accounting section? It's that way in the default configuration.

Alan DeKok.
Accounting Exec-Program
Hi list. This is my first message to the list. I have read a lot before sending this message.

I have freeradius version 2.1.6 and want to exec a script for every accounting packet. I have configured the ${confdir}/modules/files file with:

    acctusersfile = ${confdir}/acct_users

and my acct_users file has:

    DEFAULT Acct-Status-Type == Start
            Exec-Program = /etc/rad216-gprs/raddb/user_login.pl

    DEFAULT Acct-Status-Type == Stop
            Exec-Program = /etc/rad216-gprs/raddb/user_login.pl

The accounting is working, the radius server stores the accounting data in files, but doesn't execute my script. This script was working with a previous version of freeradius. I'm missing some configuration parameter, but I don't know what.

Can you help? Thanks in advance.
Re: Exec-Program-Wait problem
Thank you for your reply. To make it more precise, I'm trying to execute a script that checks the user's accounting (hours and minutes generated from the radiusreport tool). And when the user passes his limit he is then blocked access. The exec module allows only this syntax:

    Attribute-Name = `%{exec:/etc/freeradius/somescript}`,

(this is passed as an AV pair to the client/NAS; freeradius is running as the freerad user, not root). How can I make this happen with this syntax?

Thanks in advance.

Alan DeKok-2 wrote:
> Use the exec module instead. It gives you a much more fine-grained
> control over the behavior of the program.
Re: Exec-Program-Wait problem
enid wrote:
> to make it more precise, I'm trying to execute a script that checks the
> users accounting (hours and minutes generated from radiusreport tool).
> And when the users passes his limit he is then blocked access.

The exec module can do that.

> The exec module allows only this syntax:
> Attribute-Name = `%{exec:/etc/freeradius/somescript}`,

No. Go back and read raddb/modules/echo

Alan DeKok.
Exec-Program problem
Hi,

I am running freeradius-server-2.1.1-7.

    +----+----------+-------------------+----+-------------------------+
    | id | username | attribute         | op | value                   |
    +----+----------+-------------------+----+-------------------------+
    |  1 | spark    | Exec-Program-Wait | := | /etc/raddb/getmac %u %i |
    +----+----------+-------------------+----+-------------------------+

    radiusd -XX -d /etc/raddb/

    Wed Apr 22 17:05:03 2009 : Auth: Login OK: [spark] (from client localhost port 2 cli 00:19:D1:4A:53:F8)
    Wed Apr 22 17:05:03 2009 : Info: +- entering group post-auth {...}
    Wed Apr 22 17:05:03 2009 : Info: [exec] expand: %u - spark
    Wed Apr 22 17:05:03 2009 : Info: [exec] expand: %i - 00:19:D1:4A:53:F8
    Wed Apr 22 17:05:03 2009 : Debug: Exec-Program output:
    Wed Apr 22 17:05:03 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
    Wed Apr 22 17:05:03 2009 : Debug: Exec-Program-Wait: plaintext:
    Wed Apr 22 17:05:03 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
    Wed Apr 22 17:05:03 2009 : Debug: Exec-Program: returned: 1
    Wed Apr 22 17:05:03 2009 : Info: [exec] Login incorrect (external check said so)
    Wed Apr 22 17:05:03 2009 : Info: ++[exec] returns reject
    Wed Apr 22 17:05:03 2009 : Info: Delaying reject of request 1 for 1 seconds

The file /etc/raddb/getmac contains the following, with execute+radiusd permission:

    #/bin/bash
    echo $1 --- $2 - done /etc/raddb/mac_entries

What could be wrong?

Nirmal Patel | Mumbai
Re: Exec-Program problem
Nirmal wrote:
> ...
> Wed Apr 22 17:05:03 2009 : Debug: Exec-Program-Wait: plaintext:
> Wed Apr 22 17:05:03 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
> ...
> #/bin/bash

You can't run that program from a shell prompt, either. You have a typo. It should be:

    #!/bin/bash

Alan DeKok.
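
Added example, not part of the original thread: "Exec format error" is the operating system's ENOEXEC, returned when a file handed to exec is neither a recognised binary nor a script starting with "#!", while a missing execute bit yields "Permission denied". The pre-flight check below reports which case applies; the file names and script bodies are constructed, with the first line of the "typo" sample taken from the post above.

```sh
#!/bin/sh
# check_exec_script PATH
# Prints one verdict: missing | not-executable | no-shebang | bad-interpreter | ok
# Run it as the account the RADIUS daemon uses, since -x is evaluated for the caller.
check_exec_script() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    # No usable execute bit: exec fails with EACCES ("Permission denied").
    [ -x "$f" ] || { echo not-executable; return 0; }
    # First four bytes as hex, e.g. "23212f62" for "#!/b".
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $magic in
        7f454c46) echo ok; return 0 ;;       # ELF binary, nothing more to check
        2321*) ;;                            # "#!" present, check the interpreter below
        *) echo no-shebang; return 0 ;;      # exec fails with ENOEXEC ("Exec format error")
    esac
    # Interpreter path = first line without "#!" and without any argument.
    interp=$(sed -n '1{s/^#! *//;s/ .*$//;p;}' "$f")
    [ -x "$interp" ] || { echo bad-interpreter; return 0; }
    echo ok
}

# make_samples DIR: write constructed test scripts into DIR.
make_samples() {
    printf '#/bin/bash\necho "$1 --- $2"\n'        > "$1/typo"      # first line as posted
    printf '#!/bin/sh\necho "$1 --- $2"\n'         > "$1/fixed"
    printf '#!/bin/sh\necho "$1 --- $2"\n'         > "$1/noexec"
    printf '#!/nonexistent/sh\necho "$1 --- $2"\n' > "$1/badinterp"
    chmod 755 "$1/typo" "$1/fixed" "$1/badinterp"
    chmod 644 "$1/noexec"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for s in typo fixed noexec badinterp; do
    printf '%s: %s\n' "$s" "$(check_exec_script "$demo_dir/$s")"
done
rm -rf "$demo_dir"
```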
Re: Exec-Program problem
Thanks man, done.

--- On Wed, 4/22/09, Alan DeKok al...@deployingradius.com wrote:
> Date: Wednesday, April 22, 2009, 5:25 PM
>
> You have a typo. It should be:
> #!/bin/bash
Re: Exec-Program problem
Changed permission of /etc/raddb/mac_entries, now getting wrong format error.

    Wed Apr 22 17:21:27 2009 : Auth: Login OK: [spark] (from client localhost port 0 cli 00:19:D1:4A:53:F8)
    Wed Apr 22 17:21:27 2009 : Info: +- entering group post-auth {...}
    Wed Apr 22 17:21:27 2009 : Info: [exec] expand: %u - spark
    Wed Apr 22 17:21:27 2009 : Info: [exec] expand: %i - 00:19:D1:4A:53:F8
    Wed Apr 22 17:21:27 2009 : Debug: Exec-Program output:
    Wed Apr 22 17:21:27 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
    Wed Apr 22 17:21:27 2009 : Debug: Exec-Program-Wait: plaintext:
    Wed Apr 22 17:21:27 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
    Wed Apr 22 17:21:27 2009 : Debug: Exec-Program: returned: 1

In my previous version I was using the same format.

    +----+----------+-------------------+----+-------------------------+
    | id | username | attribute         | op | value                   |
    +----+----------+-------------------+----+-------------------------+
    |  1 | spark    | Exec-Program-Wait | := | /etc/raddb/getmac %u %i |
    +----+----------+-------------------+----+-------------------------+

Where to check the syntax for exec-program?
Exec-Program-Wait problem
Hello all,

I'm running FreeRADIUS Version 2.1.5, and I'm trying to execute an external script when users authenticate. I have included the exec module. The script is executed in this form (in the users file):

    DEFAULT Simultaneous-Use := 1
            Idle-Timeout = 600,
            Session-Timeout = 5400,
            Framed-IP-Address = 255.255.255.254,
            Framed-Compression = Van-Jacobson-TCP-IP,
            Exec-Program-Wait = /etc/freeradius/somescript,
            Fall-Through = Yes

but I want the output of it to append to the AV pair reply that goes back to the client. So I have the problem that when the script is executed, its output doesn't append to the AV pair reply. (For example: Reply-Message=Email Only Account)

I can post my configuration files here, if you tell me which.

Thanks in advance!
Re: Exec-Program-Wait problem
enid wrote:
> DEFAULT Simultaneous-Use := 1
>         Idle-Timeout = 600,
>         Session-Timeout = 5400,
>         Framed-IP-Address = 255.255.255.254,
>         Framed-Compression = Van-Jacobson-TCP-IP,
>         Exec-Program-Wait = /etc/freeradius/somescript,
>         Fall-Through = Yes
>
> but I want that the output of it to append to the AV pair reply that
> goes back to the client. So I have the problem that when the script is
> executed, its output doesn't append to the AV pair reply. (For example:
> Reply-Message=Email Only Account) I can post here my configuration
> files, if you tell me which.

Use the exec module instead. It gives you a much more fine-grained control over the behavior of the program.

Alan DeKok.
Exec-Program-Wait w/ FreeRADIUS 2.1.3
I'm having trouble getting FreeRADIUS to run programs called by Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3). I'm using a custom C script that used to work with all versions of FreeRADIUS prior to version 2.

I have an entry like this in the users file which is matching my access-requests:

    DEFAULT Suffix == @test.net, Auth-Type := Accept
            Exec-Program-Wait = /usr/local/sbin/checkradacct %{Stripped-User-Name} %{Password},
            Ascend-Data-Filter += ip in forward tcp est,
            Ascend-Data-Filter += ip in forward dstip 10.0.0.0/24 tcp,
            Ascend-Data-Filter += ip in drop tcp dstport = 25,
            Ascend-Data-Filter += ip in forward,
            Fall-Through = No

Here is my debugging output when I attempt to authenticate (doesn't appear to execute my program):

    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 10.1.1.1 port 49411, id=74, length=76
            User-Name = jmil...@test.net
            User-Password = blah
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 0
            Framed-Protocol = PPP
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radacct/10.1.1.1/auth-detail-20090317
    [auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.1/auth-detail-20090317
    [auth_log] expand: %t - Tue Mar 17 13:58:23 2009
    ++[auth_log] returns ok
    [suffix] Looking up realm test.net for User-Name = jmil...@test.net
    [suffix] Found realm test.net
    [suffix] Adding Stripped-User-Name = jmillay
    [suffix] Adding Realm = test.net
    [suffix] Authentication realm is LOCAL.
    ++[suffix] returns ok
    [files] users: Matched entry DEFAULT at line 26
    [files] expand: /usr/local/sbin/checkradacct %{Stripped-User-Name} %{Password} - /usr/local/sbin/checkradacct jmillay blah
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    Found Auth-Type = Accept
    Auth-Type = Accept, accepting the user
    Login OK: [jmil...@test.net] (from client 10.1.1.1 port 0)
    Sending Access-Accept of id 74 to 10.1.1.1 port 49411
            Ascend-Data-Filter += ip in forward tcp est
            Ascend-Data-Filter += ip in forward dstip 10.0.0.0/24 tcp
            Ascend-Data-Filter += ip in drop tcp dstport = 25
            Ascend-Data-Filter += ip in forward 0 Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 74 with timestamp +21

Any suggestions? I read in the docs that Exec-Program and Exec-Program-Wait are deprecated but I haven't found any clear documentation on how to configure rlm_exec to duplicate what I am trying to do.

Thanks in advance,
Jeremiah
Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3
> I'm having trouble getting FreeRADIUS to run programs called by
> Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3).
> I'm using a custom C script that used to work with all versions of
> FreeRADIUS prior to version 2.

Read comments in exec module configuration file (raddb/modules/exec).

Ivan Kalik
Kalik Informatika ISP
Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3
Replying to myself...

I missed uncommenting exec from the post-auth section of default site. Everything is working now. Sorry for wasting your valuable mailbox space.

Jeremiah
Exec-Program-Wait and FreeRadius 2.1.1
Hello,

we're about to migrate from Freeradius 0.9 to 2.1. During this we noticed that the attributes Exec-Program-Wait and Exec-Program are deprecated. We used this feature to start a script (which generates special Cisco AV-Pairs). Our Freeradius backend is a mysql database.

Now my problem is that the attributes don't work. So we tried with the exec module. This works fine, but we want to execute different scripts depending on the group the user is inserted in, and I want to manage this via the database like it was in version 0.9.

Can you give me a clue how to deal with this, because I didn't find anything about it in the documentation.

Thanks a lot and best regards
Michael Schramm
Re: Exec-Program-Wait and FreeRadius 2.1.1
Michael Schramm wrote:
we're about to migrate from Freeradius 0.9 to 2.1. During this we noticed that the Attribute Exec-Program-Wait and Exec-Program are deprecated. We used this feature to start a script (which generates special Cisco AV-Pairs).

They still work in 2.x.

Now my problem is that the attributes don't work.

If you list exec in the post-auth section, then they work. This configuration is in the default configuration files in 2.x.

Alan DeKok.
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Alan DeKok wrote:
Fabiano wrote:
Can you point me to a document or website where the following mechanism is described well ? ie MSCHAPv2 Radius Client - Freeradius does the MSCHAPv2 challenge ? - auth is delegated to external script receiving attributes like username and password in clear - external script gives the auth ok answer - Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.

MS-CHAP doesn't work this way. You CANNOT give a cleartext password to an external script by looking at the MS-CHAP data. It is *impossible*.

Ok, thanks.

The part I don't understand is how does this MSCHAPv2 auth work in Freeradius, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted ? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script ?

No. You tell the server what the correct password is, and it does the MS-CHAP calculations to authenticate the user.

Concerning the cleartext password; In your previous message, you say : get it from somewhere but I can't figure out how...

A database? You should know what the *correct* password is, otherwise you won't be able to authenticate the user.

You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let freeradius check the db ? Is this the only way ?

Thanks again !

Alan DeKok.
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Fabiano wrote:
A database? You should know what the *correct* password is, otherwise you won't be able to authenticate the user.

You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let freeradius check the db ? Is this the only way ?

It would help if you described what you are trying to do, and why.

Alan DeKok.
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Alan DeKok wrote:
Fabiano wrote:
A database? You should know what the *correct* password is, otherwise you won't be able to authenticate the user.

You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let freeradius check the db ? Is this the only way ?

It would help if you described what you are trying to do, and why.

Alan,

I am using a firewall (m0n0.ch, based on FreeBSD) which has a PPTP server accepting only MSCHAPv2 auth. This PPTP server uses an internal database with flatfiles for authenticating VPN users but also offers auth through an external radius server. I thought that I could use the motp.sf.net project to make mobile clients (using cell phones and the j2me applet) authenticate with this setup.

The MOTP project offers a shellscript named otverify.sh which waits some arguments to verify the client (Username, OTP, Init-Secret, PIN, Time Offset). Username and OTP are given by the VPN client. Init-Secret, PIN and Time Offset are specified in the radius users file. Normally, this is done using xtradius, executing the script as external application and giving the arguments to it. The script answers ACCEPT or FAIL for final auth. That's it.

I'm stuck here, having MSCHAPv2 clients and an auth script not usable with MSCHAPv2 auth. I have also tried this with the supplied PAM motp module, but as you said this is not possible. I had successful auths using radtest, but that's all... ;)

I think that what I will try is rewrite the script in perl to generate the passwords every x seconds to a database and then make freeradius auth against the db entries. Do you think this is the best way ?

Thanks again.

Alan DeKok.
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Fabiano wrote:
Can you point me to a document or website where the following mechanism is described well ? ie MSCHAPv2 Radius Client - Freeradius does the MSCHAPv2 challenge ? - auth is delegated to external script receiving attributes like username and password in clear - external script gives the auth ok answer - Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.

MS-CHAP doesn't work this way. You CANNOT give a cleartext password to an external script by looking at the MS-CHAP data. It is *impossible*.

The part I don't understand is how does this MSCHAPv2 auth work in Freeradius, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted ? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script ?

No. You tell the server what the correct password is, and it does the MS-CHAP calculations to authenticate the user.

Concerning the cleartext password; In your previous message, you say : get it from somewhere but I can't figure out how...

A database? You should know what the *correct* password is, otherwise you won't be able to authenticate the user.

Alan DeKok.
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Alan,

Thanks for your answer. Can you point me to a document or website where the following mechanism is described well ? ie MSCHAPv2 Radius Client - Freeradius does the MSCHAPv2 challenge ? - auth is delegated to external script receiving attributes like username and password in clear - external script gives the auth ok answer - Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.

The part I don't understand is how does this MSCHAPv2 auth work in Freeradius, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted ? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script ?

Concerning the cleartext password; In your previous message, you say : get it from somewhere but I can't figure out how...

Thanks a lot
Best regards
Fab

Alan DeKok wrote :
Fabiano wrote:
Hello, Does anyone know where I can find some information on how to use the following in freeradius ? I have an external shell script which awaits arguments (username, clear password, and other arguments) and returns an answer for validation. The problem is that I cannot find any lead on how to do this while using MSCHAPv2...

$ man unlang

Then, run the script in the post-auth section.

And I am not sure how to do this with Exec-Program-Wait. Is this possible without rewriting the module in C ? Is there any way to have the cleartext password sent to the external script ?

Sure. Get it from somewhere, and then send it to the script.

Alan DeKok.
Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Hello,

Does anyone know where I can find some information on how to use the following in freeradius ? I have an external shell script which awaits arguments (username, clear password, and other arguments) and returns an answer for validation. The problem is that I cannot find any lead on how to do this while using MSCHAPv2... And I am not sure how to do this with Exec-Program-Wait. Is this possible without rewriting the module in C ? Is there any way to have the cleartext password sent to the external script ?

Thanks a lot
Fab
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
On Feb 13, Fabiano fabi...@powerpc.ch wrote:
Hello, Does anyone know where I can find some information on how to use the following in freeradius ? I have an external shell script which awaits arguments (username, clear password, and other arguments) and returns an answer for validation. The problem is that I cannot find any lead on how to do this while using MSCHAPv2... And I am not sure how to do this with Exec-Program-Wait.

Hi Fabiano!

I'm using mobile otp, but I use pam and not the shell script. (In fact, the shell script has some security issues which I found out a few days ago. Especially, it does not do the one time check correctly, because a token code can be reused until it expires!) To enable pam, I just wrote pam into the authenticate section, that's it. (and of course have a proper /etc/pam.d/radiusd file)

Markus
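The reuse problem Markus describes, shown with a one-time check in place. This is an added example, not code from the thread or from the mOTP project; it assumes the code is the first 6 hex digits of MD5(epoch/10 + Init-Secret + PIN), and the names `verify`, `state_dir`, `WINDOW` and the state directory path are hypothetical.

```python
import fcntl
import hashlib
import hmac
import os

STEP = 10    # assumed mOTP granularity: the code changes every 10 seconds
WINDOW = 18  # assumed tolerance: +/- 18 steps (3 minutes) of clock skew


def motp(epoch, secret, pin):
    """Code for one time step: first 6 hex digits of MD5(epoch//10 + secret + pin)."""
    data = "%d%s%s" % (int(epoch) // STEP, secret, pin)
    return hashlib.md5(data.encode()).hexdigest()[:6]


def _state_path(state_dir, user):
    # Hash the user name so client-supplied input never becomes a file path.
    return os.path.join(state_dir, hashlib.sha256(user.encode()).hexdigest())


def verify(user, otp, secret, pin, now, state_dir, offset=0):
    """Return "ACCEPT" at most once per time step, otherwise "FAIL".

    An exec script is a new process for every request, so the last accepted
    step is kept on disk. Without that record, the same code would be
    accepted again and again until it leaves the skew window.
    """
    current = (int(now) + int(offset)) // STEP   # offset in seconds (assumption)
    fd = os.open(_state_path(state_dir, user), os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as state:
        fcntl.flock(state, fcntl.LOCK_EX)        # serialise parallel requests
        text = state.read().strip()
        last_used = int(text) if text else -1
        # Walk the window from newest to oldest step.
        for step in range(current + WINDOW, current - WINDOW - 1, -1):
            if step <= last_used:
                break                            # this step and older ones are spent
            expected = motp(step * STEP, secret, pin)
            if hmac.compare_digest(expected.encode(), otp.lower().encode()):
                state.seek(0)
                state.truncate()
                state.write(str(step))           # burn this step and all before it
                return "ACCEPT"
    return "FAIL"


if __name__ == "__main__":
    import sys
    import time

    # Same argument order as the thread lists for the shell script:
    # Username, OTP, Init-Secret, PIN, Time Offset.
    # /var/lib/motp-state is a hypothetical directory that must already exist
    # and be writable only by the RADIUS user.
    user, otp, secret, pin, offset = sys.argv[1:6]
    result = verify(user, otp, secret, pin, time.time(),
                    "/var/lib/motp-state", offset)
    print(result)
    sys.exit(0 if result == "ACCEPT" else 1)
```

Recording the last accepted step, rather than a list of used codes, also rejects any older code that is still inside the skew window.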
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Fabiano wrote:
Hello, Does anyone know where I can find some information on how to use the following in freeradius ? I have an external shell script which awaits arguments (username, clear password, and other arguments) and returns an answer for validation. The problem is that I cannot find any lead on how to do this while using MSCHAPv2...

$ man unlang

Then, run the script in the post-auth section.

And I am not sure how to do this with Exec-Program-Wait. Is this possible without rewriting the module in C ? Is there any way to have the cleartext password sent to the external script ?

Sure. Get it from somewhere, and then send it to the script.

Alan DeKok.
Re: Exec-Program in acct_users file
Anton Borisov wrote:
I used Start and Stop in accounting for some DNS registrations of my clients, like this:

~# cat acct_users
...
...
DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL
...

and this works in 1.1.7 ! But for 2.1.1 - this does not work.

You need to list the exec module in the post-auth section.

Alan DeKok.
Re: Exec-Program in acct_users file
Thank you for your reply. Yes, yes. I have uncommented exec in post-auth section in /etc/raddb/sites-enabled/default config. So, another way in 2.1.1 - I've configured this program only with accounting module. Some examples:

/etc/raddb/sites-enabled/default

accounting {
    ...
    ...
    Acct-Type BILL {
        if ( Acct-Status-Type =~ /Start|Stop/ ) {
            dns
        }
    }
    ...

cat /etc/raddb/modules/exec
...
...
exec dns {
    wait = yes
    program = /path-to-my-programm.sh
    input_pairs = request
    output_pairs = reply
}

This is working, but more quickly and easily only add Exec-Program to acct_users (like in 1.7.7 version). Would you be so kind and give some examples for acct_users in 2.1.1?

Alan DeKok wrote:
Anton Borisov wrote:
I used Start and Stop in accounting for some DNS registrations of my clients, like this:

~# cat acct_users
...
...
DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL
...

and this works in 1.1.7 ! But for 2.1.1 - this does not work.

You need to list the exec module in the post-auth section.

Alan DeKok.

--
Yours faithfully, Anton Borisov.
Re: Exec-Program in acct_users file
I'm using FR 1.1.7 with acct_users but what if you have more complicated scripts and you're using it on Interim-Updates. Every time when Interim-Update triggers, this script has to connect to do something (database connection, do this, do that )... Is there any other way to do something like this?

On Tue, Dec 23, 2008 at 11:48 AM, Anton Borisov anto...@mccinet.ru wrote:
Thank you for your reply. Yes, yes. I have uncommented exec in post-auth section in /etc/raddb/sites-enabled/default config. So, another way in 2.1.1 - I've configured this program only with accounting module. Some examples:

/etc/raddb/sites-enabled/default

accounting {
    ...
    ...
    Acct-Type BILL {
        if ( Acct-Status-Type =~ /Start|Stop/ ) {
            dns
        }
    }
    ...

cat /etc/raddb/modules/exec
...
...
exec dns {
    wait = yes
    program = /path-to-my-programm.sh
    input_pairs = request
    output_pairs = reply
}

This is working, but more quickly and easily only add Exec-Program to acct_users (like in 1.7.7 version). Would you be so kind and give some examples for acct_users in 2.1.1?

Alan DeKok wrote:
Anton Borisov wrote:
I used Start and Stop in accounting for some DNS registrations of my clients, like this:

~# cat acct_users
...
...
DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL
...

and this works in 1.1.7 ! But for 2.1.1 - this does not work.

You need to list the exec module in the post-auth section.

Alan DeKok.

--
Yours faithfully, Anton Borisov.
Exec-Program in acct_users file
Good day!

Does everyone know about Exec-Program in acct_users in Freeradius 2.1.1? I upgrade my from 1.1.7 to 2.1.1 and do not see exec in debug. I used Start and Stop in accounting for some DNS registrations of my clients, like this:

~# cat acct_users
...
...
DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL
        Exec-Program = /opt/fr/bin/dyndns.acctstart.pl
DEFAULT Realm == 'dyndns', Acct-Status-Type == Stop, Acct-Type := BILL
        Exec-Program = /opt/fr/bin/dyndns.acctstop.pl

and this works in 1.1.7 ! But for 2.1.1 - this does not work.

Mon Dec 22 18:19:19 2008 : Info: ++[preprocess] returns ok
Mon Dec 22 18:19:19 2008 : Info: [suffix] Looking up realm dyndns for User-Name = 12...@dyndns
Mon Dec 22 18:19:19 2008 : Info: [suffix] Found realm dyndns
Mon Dec 22 18:19:19 2008 : Info: [suffix] Adding Stripped-User-Name = 12345
Mon Dec 22 18:19:19 2008 : Info: [suffix] Adding Realm = dyndns
Mon Dec 22 18:19:19 2008 : Info: [suffix] Accounting realm is LOCAL.
Mon Dec 22 18:19:19 2008 : Info: ++[suffix] returns ok
Mon Dec 22 18:19:19 2008 : Info: [files] expand: %{NAS-IP-Address} - 212.119.106.21
Mon Dec 22 18:19:19 2008 : Info: [files] acct_users: Matched entry DEFAULT at line 32

in this point (32 line - Realm == 'dyndns', 33 line Exec-Program = blabla in acct_users) does not work.

Mon Dec 22 18:19:19 2008 : Info: ++[files] returns ok
Mon Dec 22 18:19:19 2008 : Debug: Found Acct-Type BILL
Mon Dec 22 18:19:19 2008 : Info: +- entering group BILL {...}
Tue Dec 23 10:40:52 2008 : Info: [acct_unique] Hashing 'NAS-IP-Address = 212.119.106.21,Acct-Session-Id = D4776A151004A3344'
Tue Dec 23 10:40:52 2008 : Info: [acct_unique] Acct-Unique-Session-ID = eddc8ecb616eae58.
Tue Dec 23 10:40:52 2008 : Info: ++[acct_unique] returns ok
Tue Dec 23 10:40:52 2008 : Info: [BILL] expand: /opt/fr2/radacct/files/cdr.%Y%m%d.%H - /opt/fr2/radacct/files/cdr.20081223.10
Tue Dec 23 10:40:52 2008 : Info: [BILL] /opt/fr2/radacct/files/cdr.%Y%m%d.%H expands to /opt/fr2/radacct/files/cdr.20081223.10
Tue Dec 23 10:40:52 2008 : Info: [BILL] Acquired filelock, tried 1 time(s)
Tue Dec 23 10:40:52 2008 : Info: [BILL] expand: %t - Tue Dec 23 10:40:52 2008
Tue Dec 23 10:40:52 2008 : Info: [BILL] Released filelock
Tue Dec 23 10:40:52 2008 : Info: ++[BILL] returns ok
Sending Accounting-Response of id 66 to 128.1.134.55 port 50812

in this point does not work again...

Tue Dec 23 10:40:52 2008 : Info: Finished request 0.
Tue Dec 23 10:40:52 2008 : Info: Cleaning up request 0 ID 66 with timestamp +3
Tue Dec 23 10:40:52 2008 : Debug: Going to the next request

in 1.1.7

Tue Dec 23 10:28:56 2008 : Debug: rlm_acct_unique: Acct-Unique-Session-ID = fd9494068cfbfd81.
Tue Dec 23 10:28:56 2008 : Debug: modsingle[accounting]: returned from acct_unique (rlm_acct_unique) for request 1
Tue Dec 23 10:28:56 2008 : Debug: modcall[accounting]: module acct_unique returns ok for request 1
Tue Dec 23 10:28:56 2008 : Debug: modsingle[accounting]: calling BILL (rlm_detail) for request 1
Tue Dec 23 10:28:56 2008 : Debug: radius_xlat: '/opt/fr/radacct/files/cdr.20081223.10'
Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: /opt/fr/radacct/files/cdr.%Y%m%d.%H expands to /opt/fr/radacct/files/cdr.20081223.10
Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: Acquired filelock, tried 1 time(s)
Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: Released filelock
Tue Dec 23 10:28:56 2008 : Debug: modsingle[accounting]: returned from BILL (rlm_detail) for request 1
Tue Dec 23 10:28:56 2008 : Debug: modcall[accounting]: module BILL returns ok for request 1
Tue Dec 23 10:28:56 2008 : Debug: modcall: leaving group BILL (returns ok) for request 1

in this point my script is working.

Sending Accounting-Response of id 232 to 128.1.134.55 port 33228
Tue Dec 23 10:28:56 2008 : Debug: Finished request 1
Tue Dec 23 10:28:56 2008 : Debug: Going to the next request

--
Yours faithfully, Anton Borisov.
Re: RES: exec program, but post-auth
Thanks for answers, i obtained ip, acctound-id, etc etc from preacct section, adding exec to section !! script filter with Acct-Status-Type = Start working fine now !!

Ivan, in it's first message i didn't read to try with accounting packets !!

thanks again !!

Regards..

[EMAIL PROTECTED] wrote:
Here i use Exec-Program-Wait to validate data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i'm trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ?

Where is here? In what section are you trying to run the script?

Ivan Kalik
Kalik Informatika ISP

--
Regards,
Alexandre Jeronimo Correa
Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net
Linux User ID #142329
UNOTEL S/A - http://www.unotel.com.br
RES: exec program, but post-auth
Hello,

use: {dictionary name}
E.g.: {Call-Station-Id}

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alexandre J. Correa - Onda Internet
Sent: Monday, November 3, 2008 19:43
To: FreeRadius users mailing list
Subject: exec program, but post-auth

Hello !!

Here i use Exec-Program-Wait to validate data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i'm trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ?

thanks !!

--
Regards,
Alexandre Jeronimo Correa
Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net
Linux User ID #142329
UNOTEL S/A - http://www.unotel.com.br
Re: exec program, but post-auth
So radius *is* assigning IP's? Where? If it's ippool/sqlippool list your exec program after these in post-auth section. If IP's are assigned by DHCP you have to get it from accounting packets. But that will work for radius assigned IP's too.

Ivan Kalik
Kalik Informatika ISP

On 4/11/2008, Alexandre J. Correa - Onda Internet [EMAIL PROTECTED] wrote:
auth are working fine... but i need execute one script after auth OK to get the IP that radius assigned to user, have any idea how i can do this ?! thanks !!!

[EMAIL PROTECTED] wrote:
Here i use Exec-Program-Wait to validate data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i'm trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ?

If radius is not assigning IP's NAS will send them in accounting packets.

Ivan Kalik
Kalik Informatika ISP

--
Regards,
Alexandre Jeronimo Correa
Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net
Linux User ID #142329
UNOTEL S/A - http://www.unotel.com.br
Re: RES: exec program, but post-auth
Here i use Exec-Program-Wait to validate data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i'm trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ?

Where is here? In what section are you trying to run the script?

Ivan Kalik
Kalik Informatika ISP
exec program, but post-auth
Hello !!

Here i use Exec-Program-Wait to validate data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i'm trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ?

thanks !!

--
Regards,
Alexandre Jeronimo Correa
Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net
Linux User ID #142329
UNOTEL S/A - http://www.unotel.com.br
Re: exec program, but post-auth
Here i use Exec-Program-Wait to validate data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i'm trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ?

If radius is not assigning IP's NAS will send them in accounting packets.

Ivan Kalik
Kalik Informatika ISP
Re: exec program, but post-auth
auth are working fine... but i need execute one script after auth OK to get the IP that radius assigned to user, have any idea how i can do this ?!

thanks !!!

[EMAIL PROTECTED] wrote:
Here i use Exec-Program-Wait to validate data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i'm trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ?

If radius is not assigning IP's NAS will send them in accounting packets.

Ivan Kalik
Kalik Informatika ISP

--
Regards,
Alexandre Jeronimo Correa
Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net
Linux User ID #142329
UNOTEL S/A - http://www.unotel.com.br
Re: exec program, but post-auth
Huh? Ivan gave you the answer already. Read it again and then look into what accounting packets are.

Sent from my iPhone

On 4 Nov 2008, at 02:06, Alexandre J. Correa - Onda Internet [EMAIL PROTECTED] wrote:
auth are working fine... but i need execute one script after auth OK to get the IP that radius assigned to user, have any idea how i can do this ?! thanks !!!

[EMAIL PROTECTED] wrote:
Here i use Exec-Program-Wait to validate data AFTER auth OK, i need to execute other script AFTER auth OK to get IP address assigned to user. i'm trying to pass %f to my script but return ?.?.?.? because at this moment, radius not assigned ip for user... how i can do this ?

If radius is not assigning IP's NAS will send them in accounting packets.

Ivan Kalik
Kalik Informatika ISP

--
Regards,
Alexandre Jeronimo Correa
Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net
Linux User ID #142329
UNOTEL S/A - http://www.unotel.com.br
Exec-Program-Wait Don't work
Regards:

Sorry for my English! I'm using Exec-Program-Wait for session control and printing a Session-Timeout = 0 parameter, but it doesn't work. In cistron radius, I received logs in radius.log:

Tue Sep 4 17:26:57 2007 : Debug: Exec-Program output Session-Timeout:=100
Tue Sep 4 17:26:57 2007 : Debug: Exec-Program-Wait: value-pairs: ,Session-Timeout:=100

But now, I don't receive anything. How can I activate this log in radius.log?
Re: exec-program-wait problem with freeradius 2.0.3
Emmanuel Willems wrote:
Thank you for your feedback and sorry for the confusion. The program is being executed and returning the correct result, but I still can't authenticate.

So... read the debug log, and fix all of the WARNINGs, errors, etc.

Alan DeKok.
Re: exec-program-wait problem with freeradius 2.0.3
Emmanuel Willems wrote:
Here is a relevant part of the debug log:
...
Tue Apr 15 14:36:27 2008 : Auth: Login OK: [000d2885af3e/000d2885af3e] (from client wlan-sen port 737 cli 000d.2885.af3e)
Tue Apr 15 14:36:27 2008 : Debug: +- entering group post-auth
Tue Apr 15 14:36:27 2008 : Debug: modsingle[post-auth]: calling exec (rlm_exec) for request 0
Tue Apr 15 14:36:28 2008 : Debug: Exec-Program output:
Tue Apr 15 14:36:28 2008 : Debug: Exec-Program: returned: 0

What's the problem? It's calling your program.

Alan DeKok.
Re: exec-program-wait problem with freeradius 2.0.3
Thank you for your feedback and sorry for the confusion. The program is being executed and returning the correct result, but I still can't authenticate. I'm using EAP-TTLS-PAP to connect to a Cisco Aironet AP1200. Using the same sql db in freeradius 1.1.3 it works, but not with freeradius 2.0.3.

Any suggestions,
Emmanuel

Alan DeKok wrote:
Emmanuel Willems wrote:
Here is a relevant part of the debug log:
...
Tue Apr 15 14:36:27 2008 : Auth: Login OK: [000d2885af3e/000d2885af3e] (from client wlan-sen port 737 cli 000d.2885.af3e)
Tue Apr 15 14:36:27 2008 : Debug: +- entering group post-auth
Tue Apr 15 14:36:27 2008 : Debug: modsingle[post-auth]: calling exec (rlm_exec) for request 0
Tue Apr 15 14:36:28 2008 : Debug: Exec-Program output:
Tue Apr 15 14:36:28 2008 : Debug: Exec-Program: returned: 0

What's the problem? It's calling your program.

Alan DeKok.

--
System engineer
Belgian Senate
Place de la Nation 1, 1009 Brussels, Belgium
e-mail: [EMAIL PROTECTED]
URL: http://www.senate.be
tel: +32 (2) 501.72.39
fax: +32 (2) 514.06.85
Re: exec-program-wait problem with freeradius 2.0.3
I added exec in post-auth in sites-enabled/default and sites-enabled/inner-tunnel and it's still no go. Did I miss something?

Thanks,
Emmanuel

Alan DeKok wrote:
Emmanuel Willems wrote:
All works well in version 1.1.3 but the script does not get called in version 2.0.3

List 'exec' in the post-auth section.

Alan DeKok.
Re: exec-program-wait problem with freeradius 2.0.3
Emmanuel Willems wrote:
I added exec in post-auth in sites-enabled/default and sites-enabled/inner-tunnel and it's still no go. Did I miss something?

Debug log?

Alan DeKok.
exec-program-wait problem with freeradius 2.0.3
Hi,

I'm carrying out tests with 2 versions for freeradius 1.1.3 and 2.0.3. I'm trying to use Exec-Program-Wait to run a script to do some extra checking. Both setups use the same MySQL database. All works well in version 1.1.3 but the script does not get called in version 2.0.3. The SQL statements generated with both the 1.1.3 and 2.0.3 are identical and return the same result. But version 1.1.3 of freeradius runs the script while version 2.0.3 does not.

Any ideas?

Thanks in advance,
Emmanuel
Re: exec-program-wait problem with freeradius 2.0.3
Emmanuel Willems wrote:
All works well in version 1.1.3 but the script does not get called in version 2.0.3

List 'exec' in the post-auth section.

Alan DeKok.
Re: Exec-Program-Wait
Felipe Ceglia - PY1NB wrote:
I am trying to setup a prepaid style system on my freeradius. All I want is to check user name against a perl script that will let user get in or not.

You should use rlm_perl rather than Exec-Program-Wait

I put this on users file, but the script is not being run:

DEFAULT Called-Station-Id == hotspot_shop_tere #THIS IS LINE 155
        Exec-Program-Wait = /etc/raddb/scripts/hotspot_shop_tere.pl %U,

You will need to add Auth-Type := Accept to the first line (with DEFAULT).

DEFAULT Called-Station-Id == hotspot_shop_tere, Acct-Status-Type == Stop
        Exec-Program-Wait = /etc/raddb/scripts/hotspot_shop_tere.pl %U %{AcctSessionTime},

This entry should go into the acct_users file, not the users file.

Alan DeKok.
Exec-Program-Wait
Hello,

I am trying to setup a prepaid style system on my freeradius. All I want is to check user name against a perl script that will let user get in or not. I put this on users file, but the script is not being run:

    DEFAULT Called-Station-Id == hotspot_shop_tere #THIS IS LINE 155
        Exec-Program-Wait = /etc/raddb/scripts/hotspot_shop_tere.pl %U,

    DEFAULT Called-Station-Id == hotspot_shop_tere, Acct-Status-Type == Stop
        Exec-Program-Wait = /etc/raddb/scripts/hotspot_shop_tere.pl %U %{AcctSessionTime},

Thanks in advance,
Felipe

radiusd -X says:

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/raddb/proxy.conf
    Config: including file: /etc/raddb/clients.conf
    Config: including file: /etc/raddb/snmp.conf
    Config: including file: /etc/raddb/eap.conf
    Config: including file: /etc/raddb/sql.conf
    main: prefix = /usr
    main: localstatedir = /var
    main: logdir = /var/log/radius
    main: libdir = /usr/lib
    main: radacctdir = /var/log/radius/radacct
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 10
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 1645
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /var/log/radius/radius.log
    main: log_auth = yes
    main: log_auth_badpass = yes
    main: log_auth_goodpass = no
    main: pidfile = /var/run/radiusd/radiusd.pid
    main: user = radiusd
    main: group = radiusd
    main: usercollide = no
    main: lower_user = after
    main: lower_pass = after
    main: nospace_user = after
    main: nospace_pass = after
    main: checkrad = /usr/sbin/checkrad
    main: proxy_requests = no
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = yes
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 2
    security: status_server = yes
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/lib
    Module: Loaded exec
    exec: wait = yes
    exec: program = (null)
    exec: input_pairs = request
    exec: output_pairs = (null)
    exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = crypt
    pap: auto_header = yes
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: with_ntdomain_hack = no
    mschap: passwd = (null)
    mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = /etc/raddb/temp/passwd
    unix: shadow = (null)
    unix: group = /etc/raddb/temp/group
    unix: radwtmp = NULL
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = md5
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    gtc: challenge = Password:
    gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
    mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = /etc/raddb/huntgroups
    preprocess: hints = /etc/raddb/hints
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    preprocess: with_alvarion_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = suffix
    realm: delimiter = @
    realm: ignore_default = no
    realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded files
    files: usersfile = /etc/raddb/users
    files: acctusersfile = /etc/raddb/acct_users
    files: preproxy_usersfile = /etc/raddb/preproxy_users
    files: compat = no
    Module: Instantiated files (files)
    Module: Loaded SQL
    sql: driver = rlm_sql_mysql
    sql: server = localhost
    sql: port =
    sql: login = root
    sql: password = rootpasswd
    sql: radius_db = radius
    sql: nas_table = nas
    sql: sqltrace = no
    sql: sqltracefile = /var/log/radius/sqltrace.sql
    sql: readclients = no
    sql: deletestalesessions = yes
    sql: num_sql_socks = 5
    sql: sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}}
    sql: default_user_profile =
    sql: query_on_not_found = no
    sql: authorize_check_query = SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
    sql: authorize_reply_query = SELECT id,UserName
Acct-Input-Gigawords in Exec-Program env
Hi list,

I'm having trouble identifying the Acct-Input-Gigawords field in the shell environment of Exec-Program. Does anyone know how to ensure that it is being exported?

I have a shell script (test-exec.sh) which according to examples in docs goes like so:

    #!/bin/sh
    /usr/bin/printenv > /tmp/env.txt

Then in my acct_users, again by example:

    DEFAULT Acct-Status-Type == Stop
        Exec-Program = /opt/bin/test-exec.sh

This correctly prints out all the env variables to the file as expected. The problem is however that with ADSL traffic regularly exceeding the Gigawords boundaries of Acct-Input-Octets, we rely on the Acct-Input-Gigawords for the overflow. This is unfortunately not showing up in the list of env variables. Any way to resolve this?

Thanks
-Rob
Re: Acct-Input-Gigawords in Exec-Program env
Rob Hartzenberg wrote:
> I'm having trouble identifying the Acct-Input-Gigawords field in the shell environment of Exec-Program. Does anyone know how to ensure that it is being exported?

Read the output of debugging mode. If it's in the packet, it will be exported to any shell program. See doc/variables.txt for documentation on how this happens.

> This correctly prints out all the env variables to the file as expected. The problem is however that with ADSL traffic regularly exceeding the Gigawords boundaries of Acct-Input-Octets, we rely on the Acct-Input-Gigawords for the overflow. This is unfortunately not showing up in the list of env variables. Anyway to resolve this?

Make the NAS send the attribute. If the NAS isn't sending the attribute, how do you expect the server to log it? What value do you expect the server to use? Does it invent the attribute out of thin air?

Alan DeKok.
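The point of this exchange, as an added example (not code from the posts or from the FreeRADIUS project): an Exec-Program script for accounting Stop records that combines the octet and gigaword counters and treats a gigawords attribute the NAS did not send as zero. It assumes attributes reach the script as upper-case environment variables, following the USER_NAME and NAS_IP_ADDRESS pattern in the printenv output elsewhere on this page; the function names, the ACCT_LOG variable and the log path are hypothetical.

```shell
#!/bin/sh
# Added example: Exec-Program target for "Acct-Status-Type == Stop".
# Assumption: each attribute in the accounting packet is exported as an
# upper-case environment variable (Acct-Input-Octets -> ACCT_INPUT_OCTETS).
# An attribute the NAS did not send is simply absent from the environment.

# Succeed only for a decimal 32-bit unsigned integer without leading zeros
# (shell arithmetic would read a leading zero as octal).
is_uint32() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    [ "${#1}" -le 10 ] && [ "$1" -le 4294967295 ]
}

# total_octets OCTETS [GIGAWORDS]
# Prints GIGAWORDS * 2^32 + OCTETS; an empty or missing GIGAWORDS counts as 0.
total_octets() {
    octets=$1
    giga=${2:-0}
    is_uint32 "$octets" || return 1
    is_uint32 "$giga" || return 1
    # Assumes signed 64-bit shell arithmetic (bash, dash on 64-bit systems):
    # anything above 2^31-1 gigawords would overflow, so refuse it.
    [ "$giga" -le 2147483647 ] || return 1
    echo $(( giga * 4294967296 + octets ))
}

# Build one log line from the exported attributes. The user name comes from
# the network, so everything outside a conservative character set is dropped
# before it is written anywhere.
acct_line() {
    user=$(printf '%s' "${USER_NAME:-}" | tr -cd 'A-Za-z0-9._@-')
    in_total=$(total_octets "${ACCT_INPUT_OCTETS:-0}" "${ACCT_INPUT_GIGAWORDS:-}") || return 1
    out_total=$(total_octets "${ACCT_OUTPUT_OCTETS:-0}" "${ACCT_OUTPUT_GIGAWORDS:-}") || return 1
    printf 'user=%s in=%s out=%s\n' "$user" "$in_total" "$out_total"
}

# Entry point: runs only when the server has set ACCT_STATUS_TYPE, so the
# functions above can also be loaded and exercised on their own.
if [ -n "${ACCT_STATUS_TYPE+set}" ]; then
    acct_line >> "${ACCT_LOG:-/var/log/radius/acct-hook.log}" || exit 1
    exit 0
fi
```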
Re: Exec-Program based on LDAP Attribute
John Wever wrote:
> DEFAULT Acct-Status-Type == Start, CustomAttrib == true

That *matches* the Custom Attribute. Is that what you want?

> Exec-Program = /path/to/script.sh %u %{Framed-IP-Address} %{CustomAttrib}
>
> I've tried setting the ItemType of the CustomAttrib to checkItem and replyItem, but neither method worked. My script needs access to the username and the Framed-IP-Address. Any suggestions?

Read doc/variables.txt to see how to refer to attributes in the reply or check item list.

Alan DeKok.
Re: Exec-Program based on LDAP Attribute
Yes, that's exactly what I want, but the script is never fired. It is my understanding that the acct_users file only sees accounting packet data; if the CustomAttrib is a checkItem would it even be available to query at this point?

Just as info, I take off the ", CustomAttrib == true" and the script fires as expected for all authenticated users.

Alan DeKok wrote:
> John Wever wrote:
> > DEFAULT Acct-Status-Type == Start, CustomAttrib == true
>
> That *matches* the Custom Attribute. Is that what you want?
>
> > Exec-Program = /path/to/script.sh %u %{Framed-IP-Address} %{CustomAttrib}
> >
> > I've tried setting the ItemType of the CustomAttrib to checkItem and replyItem, but neither method worked. My script needs access to the username and the Framed-IP-Address. Any suggestions?
>
> Read doc/variables.txt to see how to refer to attributes in the reply or check item list.
>
> Alan DeKok.
Re: Exec-Program based on LDAP Attribute
John Wever wrote:
> Yes, that's exactly what I want, but the script is never fired. It is my understanding that the acct_users file only sees accounting packet data,

Yes.

> if the CustomAttrib is a checkItem would it even be available to query at this point?

The acct_users file can't do comparisons on check items. So what you're trying to do is impossible in 1.x. See CVS head and unlang for how to do this easily.

Alan DeKok.
Exec-Program based on LDAP Attribute
I need to be able to fire off a script via the Exec-Program (or some other method) based upon a successful authentication and the value of an LDAP attribute on the user's account. I tried putting the following in the acct_users...

    DEFAULT Acct-Status-Type == Start, CustomAttrib == true
        Exec-Program = /path/to/script.sh %u %{Framed-IP-Address} %{CustomAttrib}

I've tried setting the ItemType of the CustomAttrib to checkItem and replyItem, but neither method worked. My script needs access to the username and the Framed-IP-Address. Any suggestions?
Re: Exec-Program-Wait
Michael Alexeev wrote:
> I found it on the following site:
> http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html

Which is the manual for the GNU radius server. There was never a 0.95 release of FreeRADIUS.

Alan DeKok.
Re: Exec-Program-Wait
> What led you to believe %C{User-Name} would be the user name? The documentation says it's %{User-Name}. Where did the extra 'C' come from?

I found it on the following site:
http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html

quote

Example

Suppose the `users' file contains the following entry:

    DEFAULT Auth-Type = System, Simultaneous-Use = 1
        Exec-Program-Wait = /usr/local/sbin/telauth \
            %C{User-Name} \
            %C{Calling-Station-Id}

Then, upon successful matching, the program `/usr/local/sbin/telauth' will be executed. It will get as its arguments the values of User-Name and Calling-Station-Id attributes from the request pairs.

end of quote

Anyway, after removing the extra 'C' everything works like fine. Thanks for the help.

Mike
Re: Exec-Program-Wait
On Mon 25 Jun 2007, Michael Alexeev wrote:
> > What led you to believe %C{User-Name} would be the user name? The documentation says it's %{User-Name}. Where did the extra 'C' come from?
>
> I found it on the following site:
> http://ftp.wayne.edu/pub/gnu/Manuals/radius-0.95/html_node/radius_182.html

Which, if you read the title is the GNU Radius Manual, not the FreeRADIUS Manual. You will probably have better luck if you read docs for the software you are using ;-)

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Exec-Program-Wait
Hi all,

I am having trouble with macro substitution in Exec-Program-Wait attribute. For some reason %C{User-Name} is expanded to localhost{User-Name} string instead of real user name. Here is an excerpt from the users config file:

    jsullivan User-Password == mypass
        Exec-Program-Wait = /bin/radius_chain %C{User-Name}

where /bin/radius_chain simply dumps the first parameter to the file:

    #!/bin/sh
    param=$1
    echo param=$param > /bin/test/test.txt
    exit 0

The content of the /bin/test/test.txt is

    param=localhost{User-Name}

instead of expected

    param=jsullivan

Any ideas what is going on? I am using FreeRadius Version 1.1.6 on linux

Thanks,
Mike
Re: Exec-Program-Wait
Michael Alexeev wrote:
> Hi all, I am having trouble with macro substitution in Exec-Program-Wait attribute. For some reason %C{User-Name} is expanded to localhost{User-Name} string instead of real user name.

Because %C is documented as being the client name.

What led you to believe %C{User-Name} would be the user name? The documentation says it's %{User-Name}. Where did the extra 'C' come from?

Alan DeKok.
Re: Exec-Program-Wait
Felipe Ceglia - PY1NB wrote:
> When I run it thru users file, it is called, and works.

You put it in the reply list in the users file, and the check table in the SQL database. Put it in the reply table in the SQL database.

Alan DeKok.
Re: Problem with Exec-Program-Wait Parameter
Peter Urban wrote:
> i want to pass the username and password to an external program. i already tried the following code but i didn't work:
>
>     DEFAULT Auth-Type ?= External
>         Exec-Program-Wait = /etc/raddb/mytestprogram %u %w,
>         Fall-Through = Yes
>
> I found the %u placeholder in the doc/variable.txt document but i couldn't found anything about a placeholder for the password. The %w doesn't not work. (only in xtradius-version)

How about %{User-Password} ? The documentation is relatively clear about referencing any attribute.

> Other Question: is %u the same as %{User-Name} ?

Yes.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: How to add check item (Pool-Name) from Exec-Program-Wait script?
> I want to use two ippools. That's no problem of course. But which IP pool to assign I can decide only in Exec-Program-Wait script. Now I have the following lines in users file:
>
>     DEFAULT Auth-Type := Accept
>         Exec-Program-Wait = /etc/raddb/authclient
>
> authclient script checks text file, connects to MySQL and Oracle and then it can say - use ippool1 or ippool2. But how to set Pool-Name check item? As far as I understand if authclient would write Pool-Name:=ipool1 to stdout then that would be reply not check item!? So how could I tell from the script which ippool to use? I feel that that somehow should be possible since ippool is post-auth thing. :)

So no ideas? :)

I'm thinking that maybe Fall-Through = Yes could help!? But again - how to set something from script that I could specify as check item in second DEFAULT entry?

Thanks,
Mindaugas
Re: How to add check item (Pool-Name) from Exec-Program-Wait script?
Mindaugas wrote:
> I want to use two ippools. That's no problem of course. But which IP pool to assign I can decide only in Exec-Program-Wait script. Now I have the following lines in users file:
>
>     DEFAULT Auth-Type := Accept
>         Exec-Program-Wait = /etc/raddb/authclient
>
> authclient script checks text file, connects to MySQL and Oracle and then it can say - use ippool1 or ippool2. But how to set Pool-Name check item? As far as I understand if authclient would write Pool-Name:=ipool1 to stdout then that would be reply not check item!? So how could I tell from the script which ippool to use? I feel that that somehow should be possible since ippool is post-auth thing. :)
>
> So no ideas? :)

The exec module has two configuration items specifying where to take the input from and output to. You will want to do this:

    exec myprogram {
        wait = yes
        program = /path/to/your/program %{Some-Argument}
        input_pairs = request
        output_pairs = config
    }

Then put the module in the authorize section:

    authorize {
        preprocess
        files
        # ..others
        myprogram
    }

There may be other ways of doing this. In particular, you might be able in the users file to do this (haven't tested it):

    DEFAULT Pool-Name := `%{exec:/path/to/program args}`
        Fall-Through = yes/no

> I'm thinking that maybe Fall-Through = Yes could help!? But again - how to set something from script that I could specify as check item in second DEFAULT entry?

You can't compare against config items in the users file, but should not need to
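The arrangement described in this reply, as an added example (not code from the posts or from the FreeRADIUS project): a program for the exec instance above, with output_pairs = config, that prints a Pool-Name line on stdout and uses its exit status to refuse a user. It assumes that request attributes arrive as upper-case environment variables (as the printenv output elsewhere on this page shows), that a non-zero exit status rejects the request, and that string values may arrive wrapped in double quotes; the user-to-pool table is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: authorize-time program for an exec instance configured with
#   wait = yes, input_pairs = request, output_pairs = config
# Assumptions: USER_NAME is exported by the server; exit status 0 lets the
# request continue and non-zero rejects it.

# Constructed sample policy, one "username pool" pair per line. A real script
# would consult its own data source here.
POOL_TABLE='alice ippool1
bob ippool2'

# Remove one pair of surrounding double quotes, if present.
unquote() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# The user name originates in a network packet. Accept only a conservative
# character set and length before it is used in any lookup.
valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Print the pool assigned to user $1; fail if the user is not in the table.
lookup_pool() {
    while read -r name pool; do
        if [ "$name" = "$1" ]; then
            printf '%s' "$pool"
            return 0
        fi
    done <<EOF
$POOL_TABLE
EOF
    return 1
}

# authorize_user RAW_USER_NAME
# stdout: attribute lines for the server to parse into the config list.
# status: 0 = pool chosen, 1 = refuse (nothing is written to stdout).
authorize_user() {
    user=$(unquote "$1")
    if ! valid_user "$user"; then
        echo "authclient: rejected malformed user name" >&2
        return 1
    fi
    if pool=$(lookup_pool "$user"); then
        echo "Pool-Name := $pool"
        return 0
    fi
    echo "authclient: no pool for this user" >&2
    return 1
}

# Entry point: runs only when the server has set USER_NAME, so the functions
# above can also be loaded and exercised on their own.
if [ -n "${USER_NAME+set}" ]; then
    authorize_user "$USER_NAME"
    exit $?
fi
```

Because the decision is made from the environment rather than from `%{User-Name}` expanded onto the command line, the program line in the exec instance needs no attribute arguments at all.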
Re: How to add check item (Pool-Name) from Exec-Program-Wait script?
>> I want to use two ippools. That's no problem of course. But which IP pool to assign I can decide only in Exec-Program-Wait script. Now I have the following lines in users file:
>>
>>     DEFAULT Auth-Type := Accept
>>         Exec-Program-Wait = /etc/raddb/authclient
>>
>> authclient script checks text file, connects to MySQL and Oracle and then it can say - use ippool1 or ippool2. But how to set Pool-Name check item? As far as I understand if authclient would write Pool-Name:=ipool1 to stdout then that would be reply not check item!? So how could I tell from the script which ippool to use? I feel that that somehow should be possible since ippool is post-auth thing. :)
>>
>> So no ideas? :)
>
> The exec module has two configuration items specifying where to take the input from and output to. You will want to do this:
>
>     exec myprogram {
>         wait = yes
>         program = /path/to/your/program %{Some-Argument}
>         input_pairs = request
>         output_pairs = config
>     }
>
> Then put the module in the authorize section:
>
>     authorize {
>         preprocess
>         files
>         # ..others
>         myprogram
>     }

Aha! So my program then should write Pool-Name:=ippool2 to stdout and it will pass as check item in post auth section later? And it can also return 1 if I want to deny access for particular user?

Thank you for the hint. I'll test it anyway.

Mindaugas
How to add check item (Pool-Name) from Exec-Program-Wait script?
Hello,

I want to use two ippools. That's no problem of course. But which IP pool to assign I can decide only in Exec-Program-Wait script. Now I have the following lines in users file:

    DEFAULT Auth-Type := Accept
        Exec-Program-Wait = /etc/raddb/authclient

authclient script checks text file, connects to MySQL and Oracle and then it can say - use ippool1 or ippool2. But how to set Pool-Name check item? As far as I understand if authclient would write Pool-Name:=ipool1 to stdout then that would be reply not check item!? So how could I tell from the script which ippool to use? I feel that that somehow should be possible since ippool is post-auth thing. :)

Thanks,
Mindaugas
Help to pass a local variable from Freeradius to exec program
Hi All

I am trying to pass an integer value from Free radius to exec program. I have tried to add as a value pair using paircreate() and then added the same to the request-packet-vps using pairadd. Set the lvalue, strvalue etc and passed to the radius_exec_program from rad_accounting module. Also set the tmp-name = Atribute-Name-Format. Still the attribute and value is not getting printed in the exec program. Any help in this regard would really help me.

Thanks and regards
Shankar ganesh
exec-program-wait to send back AV pairs to freeradius
Hi All,

I am trying to set values for more than one attributes in the exec-program-wait for accounting start packets. Below is the code I am trying in the exec-program-wait:

    putenv("Calling-Station-ID=10");
    putenv("Called-Station-ID=50");
    putenv("Acct-Session-ID=20");
    return 0;

I have set the exec-wait=yes in the radiusd.conf. I am not sure whether freeradius picks all this values and sets in the valuepairs of the radius_exec_program(). I am trying to set the accounting response packets with this value pairs in the rad_accounting using pairmove but still my accounting response packets does not contain this attributes value pairs. Can somebody help me to solve this problem?

Thanks and regards
Shankar ganesh
Re: exec-program-wait to send back AV pairs to freeradius
Shankar Ganesh C [EMAIL PROTECTED] wrote:
> Below is the code i am trying in the exec-program-wait putenv(Calling-Station-ID=10)

That is not the documented way to send attributes back to the server. See scripts/exec-program-wait

> I am trying to set the accounting response packets with this value pairs in the rad_accounting using pairmove but still my accounting response packets does not contain this attributes value pairs.

Accounting responses are not allowed to contain any attributes.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Dynamic port assignment to exec program
Hi,

I have a requirement to have a socket communication in the exec program from freeradius for an accounting start. I understand that for every accounting request from free radius a exec program will be executed. How can I assign the exec program a dynamic port from the freeradius when it is invoked? Is there any configuration needs to be done?

Thanks and regards
Shankar ganesh
RE: How to return the values from the exec program to free radius?
Hi All,

Could some body help me on the same?

Thanks and regards
Shankar ganesh

-Original Message-
From: Shankar Ganesh [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 30, 2006 11:02 AM
To: freeradius-users@lists.freeradius.org
Subject: How to return the values from the exec program to free radius?

Hi All,

Could some body help me to know how to return values from the exec program? I can understand that I need to use the output-pairs or reply list. But do not really know how to use that; any sample code or document would really help me.

Thanks and regards
Shankar ganesh
Re: How to return the values from the exec program to free radius?
Shankar Ganesh C [EMAIL PROTECTED] wrote:
> Could some body help me to know how to return values from the exec program ?

scripts/exec-program-wait

It describes what to do.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
How to return the values from the exec program to free radius?
Hi All,

Could some body help me to know how to return values from the exec program? I can understand that I need to use the output-pairs or reply list. But do not really know how to use that; any sample code or document would really help me.

Thanks and regards
Shankar ganesh
RE: acct_users Exec-Program causing defunct programs
Hi Everyone,

Maybe this can help you: In acct_users if you use exec-program and you get defunct apps running then try this exec-program-wait. This seems to sort it out.

Thanks,
Michael

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Alan DeKok
Sent: 09 August 2006 11:23 PM
To: FreeRadius users mailing list
Subject: Re: acct_users Exec-Program causing defunct programs

Michael da Silva Pereira [EMAIL PROTECTED] wrote:
> I am trying to use Exec-Program to notify me of users logging in and out of my systems. For some reason I keep getting defunct programs everytime it runs my application:

I think that's fixed in 1.1.3, which will be out maybe this week.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
acct_users Exec-Program causing defunct programs
Hi,

I am trying to use Exec-Program to notify me of users logging in and out of my systems. For some reason I keep getting defunct programs everytime it runs my application:

My acct_users file looks like the following:

---
DEFAULT Acct-Status-Type == Start
    Exec-Program = /etc/raddb/test.sh

DEFAULT Acct-Status-Type == Stop
    Exec-Program = /etc/raddb/test.sh

DEFAULT Acct-Status-Type == Update
    Exec-Program = /etc/raddb/test.sh
---

My /etc/raddb/test.sh looks like the following:

---
#!/bin/sh
exit 0;
---

I am running:

    radiusd: FreeRADIUS Version 1.1.1, for host , built on Jul 25 2006 at 22:12:32
    Copyright (C) 2000-2006 The FreeRADIUS server project.

Any assistance would be greatly appreciated.

Kind Regards,
Michael da Silva Pereira
Re: acct_users Exec-Program causing defunct programs
Michael da Silva Pereira [EMAIL PROTECTED] wrote:
> I am trying to use Exec-Program to notify me of users logging in and out of my systems. For some reason I keep getting defunct programs everytime it runs my application:

I think that's fixed in 1.1.3, which will be out maybe this week.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: exec-program dependent on ldap attribute values
> Tariq Rashid [EMAIL PROTECTED] wrote:
> > I would like however for the script to be called only when an LDAP attribute has a certain values. Is this possible? The user's LDAP profile has already been searched for the user's password in the initial auth request, and possibly in the acct request. something like the following does not work:
> >
> >     DEFAULT Acct-Status-Type == Start, Account-Status == inactive
> >         Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}
> >
> > where Account-Status is mapped to the LDAP attribute in the ldap-attrmap file.
>
> Probably because Account-Status is a check item, and not in the request. It will have to go into the request for it to be compared in the acct_users file.
>
> Alan DeKok.

---

so must it be added to the request artificially before the comparison happens? i'm not sure what the recommended way to achieve this is...

tariq
exec-program dependent on ldap attribute values
Hi,

I am using the acct_users file to trigger an external script when an accounting start has been received:

    DEFAULT Acct-Status-Type == Start
        Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}

I would like however for the script to be called only when an LDAP attribute has a certain values. Is this possible? The user's LDAP profile has already been searched for the user's password in the initial auth request, and possibly in the acct request. something like the following does not work:

    DEFAULT Acct-Status-Type == Start, Account-Status == inactive
        Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}

where Account-Status is mapped to the LDAP attribute in the ldap-attrmap file.

Tariq
Re: exec-program dependent on ldap attribute values
Tariq Rashid [EMAIL PROTECTED] wrote:
> I would like however for the script to be called only when an LDAP attribute has a certain values. Is this possible? The user's LDAP profile has already been searched for the user's password in the initial auth request, and possibly in the acct request. something like the following does not work:
>
>     DEFAULT Acct-Status-Type == Start, Account-Status == inactive
>         Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}
>
> where Account-Status is mapped to the LDAP attribute in the ldap-attrmap file.

Probably because Account-Status is a check item, and not in the request. It will have to go into the request for it to be compared in the acct_users file.

Alan DeKok.
Re: Exec-Program and length of arguments
Anton Maksimenkov wrote:
>>> If I add to users file this:
>>
>> When I used exec-program all the attributes I wanted were in the environment.
>
> And how can I exploit it? I get only this:
>
> --
> $ cat /home/engineer/acrad.sh
> #!/bin/sh
> printenv > /tmp/exec-program-wait
> --
> bob Auth-Type := Local, User-Password == bob
>     Reply-Message = Hello, %u,
>     Exec-Program = /home/engineer/acrad.sh
> --
>
> after radtest in /tmp/exec-program-wait I found only
>
> $ cat /tmp/exec-program-wait
> CLIENT_IP_ADDRESS=127.0.0.1
> NAS_IP_ADDRESS=255.255.255.255
> PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
> NAS_PORT=0
> USER_PASSWORD=bob
> USER_NAME=bob

See? It's working perfectly. Your radtest caused the above.

> But this is far less than what I wait for... I need to do the same that SQL accounting do.

Your radtest DOES NOT cause accounting requests to occur as well.

> If I look at raddb/pgsql-voip.conf, I can see

snip

> I read this. But I just newbie, sorry. I tried this
>
>     exec echo {
>         wait = yes
>         program = /home/engineer/acrad.sh %{User-Name}
>         input_pairs = request
>         output_pairs = reply
>     }
>     instantiate {
>         exec
>     ...
>
> but it seems that program not started at all.

    packet_type = Accounting-Request

And make sure you instantiate the echo instance of the exec module under the radiusd accounting section
Re: Exec-Program and length of arguments
>> If I add to users file this:
>
> When I used exec-program all the attributes I wanted were in the environment.

And how can I exploit it? I get only this:

--
$ cat /home/engineer/acrad.sh
#!/bin/sh
printenv > /tmp/exec-program-wait
--
bob Auth-Type := Local, User-Password == bob
    Reply-Message = Hello, %u,
    Exec-Program = /home/engineer/acrad.sh
--

after radtest in /tmp/exec-program-wait I found only

$ cat /tmp/exec-program-wait
CLIENT_IP_ADDRESS=127.0.0.1
NAS_IP_ADDRESS=255.255.255.255
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
NAS_PORT=0
USER_PASSWORD=bob
USER_NAME=bob

But this is far less than what I wait for... I need to do the same that SQL accounting do. If I look at raddb/pgsql-voip.conf, I can see the pretty accounting_stop_query, which put many interesting info to database. I think it can put all the %{User-Name} : %{Service-Type} : %{Acct-Status-Type} : %{Acct-Session-Id} : %{Framed-Protocol} : %{NAS-Identifier} : %{NAS-Port-Id} : %{NAS-IP-Address} : %{Calling-Station-Id} : %{Called-Station-Id} : %{Framed-IP-Address} : %{Acct-Input-Octets} : %{Acct-Output-Octets} : %{Acct-Input-Packets} : %{Acct-Output-Packets} : %{Acct-Session-Time} : %{Acct-Terminate-Cause}

Am I right? So, how can I do the same, but with perl/shell script (e.g. pass all this variables as arguments or environment)?

> From radiusd.conf
>
>     #
>     #  The attributes which are placed into the
>     #  environment variables for the program.
>     #
>     #  Allowed values are:
>     #
>     #    request        attributes from the request
>     #    config         attributes from the configuration items list
>     #    reply          attributes from the reply
>     #    proxy-request  attributes from the proxy request
>     #    proxy-reply    attributes from the proxy reply
>     #
>     #  Note that some attributes may not exist at some
>     #  stages. e.g. There may be no proxy-reply
>     #  attributes if this module is used in the
>     #  'authorize' section.

I read this. But I just newbie, sorry. I tried this

    exec echo {
        wait = yes
        program = /home/engineer/acrad.sh %{User-Name}
        input_pairs = request
        output_pairs = reply
    }
    instantiate {
        exec
    ...

but it seems that program not started at all.

--
engineer
Exec-Program and length of arguments
Hi.

If I add to users file this:

    bob Auth-Type := Local, User-Password == bob
        Reply-Message = Hello, %u,
        Exec-Program = /home/engineer/acrad.pl User-Name=%{User-Name} Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type} Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol} NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id}

it work. But I need to pass more arguments to my program, but as far as I can see there is some limit. If I add this:

    Exec-Program = /home/engineer/acrad.sh User-Name=%{User-Name} Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type} Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol} NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id} NAS-IP-Address=%{NAS-IP-Address} Calling-Station-Id=%{Calling-Station-Id} Called-Station-Id=%{Called-Station-Id} Framed-IP-Address=%{Framed-IP-Address} Acct-Input-Octets=%{Acct-Input-Octets} Acct-Output-Octets=%{Acct-Output-Octets} Acct-Input-Packets=%{Acct-Input-Packets} Acct-Output-Packets=%{Acct-Output-Packets} Acct-Session-Time=%{Acct-Session-Time} Acct-Terminate-Cause=%{Acct-Terminate-Cause}

    # radiusd -sfxxyz -l stdout 2>&1
    ...
    Module: Loaded files
    files: usersfile = /etc/raddb/users
    files: acctusersfile = /etc/raddb/acct_users
    files: preproxy_usersfile = /etc/raddb/preproxy_users
    files: compat = no
    /etc/raddb/users[220]: Parse error (reply) for entry bob: Expected end of line or comma
    Errors reading /etc/raddb/users
    radiusd.conf[1047]: files: Module instantiation failed.
    radiusd.conf[1791] Unknown module files.
    radiusd.conf[1727] Failed to parse authorize section.

and same with hints file.

The main goal is that I need to do some accounting by my script. I saw at experimental.conf (at perl section), but for now I not understand can I utilize it for my needs somehow. What can I do?

--
engineer
Exec program debugging.
I am trying to execute a program in the post-proxy section on Access-Accept packets to bring up bandwidth management for a user when they log in:

(radiusd.conf)

exec bwup {
    wait = no;
    program = /etc/raddb/bwlimit start %{User-Name} %{Calling-Station-Id} %{Tunnel-Private-Group-Id:0} %{NAS-Port} %{GLI-Rx-Data-Rate} %{GLI-Tx-Data-Rate}
    input_pairs = reply
    packet_type = Access-Accept
    output = none
}

post-proxy {
    # post_proxy_log
    # attr_rewrite
    # attr_filter
    exec
    eap
}

However, the exec call keeps failing when called from inside radiusd -X:

Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.6.99:1645, id=3, length=128
    User-Name =
    Framed-MTU = 1400
    Called-Station-Id = 00-13-19-36-C4-52
    Calling-Station-Id = 00-13-D3-67-D7-05
    Service-Type = Login-User
    Message-Authenticator = 0x43483d78f3b3f25bcb7657f1522050ef
    EAP-Message = 0x0202000501
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 262
    NAS-IP-Address = xxx.xxx.6.99
    NAS-Identifier = -Ch11
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = , looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name =
rlm_realm: Proxying request from user to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL
modcall[authorize]: module suffix returns updated for request 0
rlm_eap: Request is supposed to be proxied to Realm NULL. Not doing EAP.
modcall[authorize]: module eap returns noop for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to xxx.xxx.178.13:1645
    User-Name =
    Framed-MTU = 1400
    Called-Station-Id = 00-13-19-36-C4-52
    Calling-Station-Id = 00-13-D3-67-D7-05
    Service-Type = Login-User
    Message-Authenticator = 0x
    EAP-Message = 0x0202000501
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 262
    NAS-IP-Address = xxx.xxx.6.99
    NAS-Identifier = -Ch11
    Proxy-State = 0x33
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Challenge packet from host xxx.xxx.178.13:1645, id=0, length=80
    Proxy-State = 0x33
    Session-Timeout = 30
    EAP-Message = 0x010300061920
    State = 0x1cc3035501370001d819b40600034b872b6f01
    Message-Authenticator = 0x2153f90d4c19a27ae054f7f297611c86
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
rlm_exec (exec): We require a program to execute
modcall[post-proxy]: module exec returns fail for request 0
modcall: group post-proxy returns fail for request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 31 seconds...

But, if I take the values from a valid Access-Accept packet for the attributes listed above, the file executes correctly with no errors:

wireless-r1 raddb # su - radiusd
[EMAIL PROTECTED] ~ $ /etc/raddb/bwlimit start egable 00:a0:12:34:56:78 3 7 1024 512
[EMAIL PROTECTED] ~ $ /etc/raddb/bwlimit stop egable
[EMAIL PROTECTED] ~ $ exit
logout
wireless-r1 raddb #

All of my rules get added correctly when issuing a start command and they get removed correctly when issuing the stop command, but only if I issue the commands from the command line.

If I add more Xs to the -X, it still doesn't tell me why it is failing (what the specific error message is):

Mon Mar 20 13:32:45 2006 : Debug: Processing the post-proxy section of radiusd.conf
Mon Mar 20 13:32:45 2006 : Debug: modcall: entering group post-proxy for request 0
Mon Mar 20 13:32:45 2006 : Debug: modsingle[post-proxy]: calling exec (rlm_exec) for request 0
Mon Mar 20 13:32:45 2006 : Error: rlm_exec (exec): We require a program to execute
Mon Mar 20 13:32:45 2006 : Debug: modsingle[post-proxy]: returned from exec (rlm_exec) for request 0
Mon Mar 20 13:32:45 2006 : Debug: modcall[post-proxy]: module exec returns fail for request 0
Mon Mar 20 13:32:45 2006 : Debug: modcall: group post-proxy returns fail for request 0
Mon Mar 20 13:32:45 2006 : Debug: Going to the next request
Mon Mar 20 13:32:45 2006 : Debug: rl_next: returning NULL
Mon Mar 20 13:32:45 2006 : Debug: Waking up in 6 seconds...

I am assuming I just have the configuration for this set up wrong or something. Obviously, the Access-Accept packet is not yet coming back because the first Access-Challenge hasn't even been passed on to the AP yet. So, I'm not sure why the post-proxy section even wants to fire the program at this point in the authentication process. Does anyone know what I did wrong?

Thanks.

Eliot Gable Certified Wireless
Re: Exec program debugging.
Eliot, Wireless and Server Administrator, Great Lakes Internet [EMAIL PROTECTED] wrote:

    I am trying to execute a program in the post-proxy section on Access-Accept packets to bring up bandwidth management for a user when they log in: (radiusd.conf)
    exec bwup {
    ...
    post-proxy {
    ...
    exec

List bwup, not exec.

Alan DeKok.
Exec-Program
Hi,

Hope someone can help me by giving me a more detailed explanation of Exec-Program. I see this in the acct_users file:

DEFAULT Acct-Status-Type == Start
    Exec-Program = /path/to/exec/acct/start

Do we have to make our own file for this Exec-Program or is there already one provided in the basic package? Or if not, can someone give me an example of this file? Sorry if I am asking a stupid favor, since I am still a newbie in this field.

Thanks a lot

Priscilla
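Added example, not part of the original posts or of the FreeRADIUS package: an accounting script of the kind asked about here, which also sidesteps the long argument list from the "Exec-Program and length of arguments" post by reading attributes from the environment and validating them before logging. It assumes radiusd exports request attributes as environment variables (User-Name as USER_NAME, string values possibly wrapped in double quotes); the log path and function names are hypothetical.

```shell
#!/bin/sh
# Added example: accounting hook meant to be run via Exec-Program or rlm_exec.
# Assumption: radiusd exports request attributes as environment variables
# (User-Name -> USER_NAME) and may wrap string values in double quotes.
LC_ALL=C; export LC_ALL                        # byte-wise character ranges
ACCT_LOG="${ACCT_LOG:-/tmp/acct_example.log}"  # hypothetical log path

# Strip one pair of surrounding double quotes, if present.
unquote() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# Allow only characters expected in these attributes. Anything else
# (whitespace, quotes, '$', ';', backticks) fails the check.
is_safe() {
    case $1 in
        *[!A-Za-z0-9@._:-]*) return 1 ;;
    esac
    return 0
}

# Print one "NAME=value ..." record built from the environment.
# Unset attributes are recorded as "-"; an unsafe value aborts the record.
acct_record() {
    out=
    for name in USER_NAME ACCT_STATUS_TYPE ACCT_SESSION_ID \
                NAS_IP_ADDRESS CALLING_STATION_ID; do
        eval "raw=\${$name:-}"     # $name comes only from the fixed list above
        val=$(unquote "$raw")
        [ -n "$val" ] || val=-
        is_safe "$val" || { echo "rejected $name" >&2; return 1; }
        out="${out:+$out }$name=$val"
    done
    printf '%s\n' "$out"
}

# Act only when radiusd supplied an accounting request.
if [ -n "${ACCT_STATUS_TYPE:-}" ]; then
    rec=$(acct_record) || exit 1
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rec" >> "$ACCT_LOG"
fi
```

Values such as User-Name and Calling-Station-Id originate from the NAS and ultimately from the client, so the allowlist check runs before any value reaches the log or another command.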
Re: Debian + Exec-Program = Zombie process
George Chelidze wrote:

    versions. Can I make some tests to narrow down the problem, or some other actions. Best Regards, George

I suppose you could add some debug code to where you believe the calls to waitpid should be/are.

The way I read it, without threads it should be in src/main/radiusd.c:631 in cvs 20060124

Joe