Re: Question regarding external script authentication
Alan DeKok wrote:
> Patric wrote:
> > I just want to clarify, if I set the reject_delay to 0, and in my external script the only thing I do is exit(1);, then freeradius will return a reject response to the NAS?
>
> It will send a reject to the NAS.

Thanks Alan, you're an absolute gem!

Patrick

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question regarding external script authentication
Alan DeKok wrote:
> Patric wrote:
> > I just want to clarify, if I set the reject_delay to 0, and in my external script the only thing I do is exit(1);, then freeradius will return a reject response to the NAS?
>
> It will send a reject to the NAS.

Sorry if I'm flogging a dead horse here... I furthered my investigation and found the following interesting results:

After making reject_delay = 0, I ran freeradius in debug mode on my test environment to see what happens, and indeed it does return an Access-Reject:

    ...
    rad_recv: Access-Request packet from host 127.0.0.1:32770, id=12, length=95
            User-Name = [EMAIL PROTECTED]
            User-Password = TestUser
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 100
            NAS-Port-Type = Virtual
    Exec-Program: /usr/local/freeradius/radauth.php -- u:[EMAIL PROTECTED] p:TestUser n:100 t:Virtual
    Exec-Program: returned: 1
    rlm_exec (exec-radauth): External script failed
    Sending Access-Reject of id 12 to 127.0.0.1 port 32770
    ...

All of the above is spot on! Now riddle me this: when I make the same changes to my production server and run it in debug mode it does all of the above *except* return the Access-Reject!

    ...
    rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=83, length=140
            Framed-Protocol = PPP
            User-Name = [EMAIL PROTECTED]
            User-Password = TestUser
            NAS-Port-Type = Virtual
            NAS-Port = 1010101010
            NAS-Port-Id = x/x/x/xx.xxx
            Connect-Info = AutoShapedVC
            Service-Type = Framed-User
            NAS-IP-Address = xxx.xxx.xxx.xxx
            Proxy-State = 0x323037
    Exec-Program: /usr/local/freeradius/radauth.php -- u:[EMAIL PROTECTED] p:TestUser n:1010101010 t:Virtual
    Exec-Program: returned: 1
    rlm_exec (exec-radauth): External script failed
    rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=170, length=140
    ...

As you can see it goes on to the next access request. I did let the debug run longer, but after a minute there was still no Access-Reject.

Test environment is running:

    CentOS release 4.4 (Final)
    2.6.16.33-xen_3.0.4.1 #1 SMP Fri Jan 5 10:40:15 EST 2007 i686 i686 i386 GNU/Linux
    radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on Oct 5 2006 at 10:52:23

Production environment is running:

    Red Hat Enterprise Linux ES release 3 (Taroon Update 8)
    2.4.21-40.EL #1 Wed Mar 15 14:30:04 EST 2006 i686 i686 i386 GNU/Linux
    radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built on Sep 20 2006 at 14:13:13

I have searched through the conf file and docs and googled this but I can't find any reason why the server is not returning the Access-Reject. Any ideas?

Thanks again

Patrick
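To spot the production symptom above in a debug log rather than by eye, here is an added Python example (not from the thread or the FreeRADIUS project) that pairs each rad_recv Access-Request with its Sending Access-* reply and lists the requests where rlm_exec reported a failure but no reply ever followed. The sample log is constructed from the line formats quoted above; the 192.0.2.10 client address and the regular expressions are my assumptions about that format.

```python
import re

# Constructed sample of radiusd -X output, modelled on the two excerpts in the
# thread: the test server answers request id=12 with an Access-Reject, while
# the production server logs the script failure for id=83 and then simply
# moves on to id=170 without replying.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=12, length=95
Exec-Program: returned: 1
rlm_exec (exec-radauth): External script failed
Sending Access-Reject of id 12 to 127.0.0.1 port 32770
rad_recv: Access-Request packet from host 192.0.2.10:1820, id=83, length=140
Exec-Program: returned: 1
rlm_exec (exec-radauth): External script failed
rad_recv: Access-Request packet from host 192.0.2.10:1820, id=170, length=140
"""

# Line shapes taken from the debug output quoted in the thread (assumed stable).
REQ_RE = re.compile(r"rad_recv: Access-Request packet from host (\S+?):\d+, id=(\d+)")
REPLY_RE = re.compile(r"Sending Access-(?:Accept|Reject|Challenge) of id (\d+) to (\S+) port \d+")
FAIL_RE = re.compile(r"rlm_exec \([^)]*\): External script failed")


def find_unanswered_script_failures(log_text):
    """Return [(client_ip, request_id)] for requests where rlm_exec reported
    'External script failed' but no Access-* reply was logged for that
    (client, id) pair. A non-empty result is the silent drop that the NAS
    experiences as a timeout instead of a clean Access-Reject."""
    pending = {}        # (client_ip, id) -> True once the script has failed
    current = None      # request that the following module lines belong to
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            pending[current] = False
            continue
        if current is not None and FAIL_RE.search(line):
            pending[current] = True
            continue
        m = REPLY_RE.search(line)
        if m:
            # Any reply closes the request, whatever its outcome.
            pending.pop((m.group(2), int(m.group(1))), None)
    return [key for key, failed in pending.items() if failed]


if __name__ == "__main__":
    for ip, rid in find_unanswered_script_failures(SAMPLE_LOG):
        print(f"request id={rid} from {ip}: script failed, no reply sent")
```

RADIUS packet ids are 8-bit and reused by the NAS, so over a long capture key the pending table on the timestamp as well, or run the check over short windows.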
Re: Question regarding external script authentication
Hi,

> Framed-Protocol = PPP
> User-Name = [EMAIL PROTECTED]
> User-Password = TestUser
> NAS-Port-Type = Virtual
> NAS-Port = 1010101010
> NAS-Port-Id = x/x/x/xx.xxx
> Connect-Info = AutoShapedVC
> Service-Type = Framed-User
> NAS-IP-Address = xxx.xxx.xxx.xxx
> Proxy-State = 0x323037

you have various other attributes in your real production system - perhaps you have matching DEFAULT values (eg in users file) which are aiding the access accept?

alan
Re: Question regarding external script authentication
[EMAIL PROTECTED] wrote:
> you have various other attributes in your real production system - perhaps you have matching DEFAULT values (eg in users file) which are aiding the access accept?

If that were the case, then wouldn't this eliminate the problem:

My radiusd.conf authorize section contains only this:

    authorize {
            files
            exec-radauth
    }

My users file contains only this:

    DEFAULT Auth-Type = Accept

If I understand it correctly this would mean that the only authentication done is by my script. I did the above on the production server, but I am still not returning an access-reject... I have now also upgraded freeradius on the production server to 1.1.6, also with the same result - no access-reject returned...

I am now at a loss as to where else to look, but I suspect it's some kind of config setting. Where? I don't know :[

Thanks guys

Patrick
Re: Question regarding external script authentication
As per my ramblings below, I ran the server in debug level 3, and one can see that it is the correct DEFAULT entry that it is picking up:

    rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=80, length=139
            Framed-Protocol = PPP
            User-Name = [EMAIL PROTECTED]
            User-Password = TestUser
            NAS-Port-Type = Virtual
            NAS-Port = 1234567890
            NAS-Port-Id = 1/1/1/1.1
            Connect-Info = AutoShapedVC
            Service-Type = Framed-User
            NAS-IP-Address = xxx.xxx.xxx.xxx
            Proxy-State = 0x3439
    Fri May 18 13:39:07 2007 : Debug: Processing the authorize section of radiusd.conf
    Fri May 18 13:39:07 2007 : Debug: modcall: entering group authorize for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 21
    Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module preprocess returns ok for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 21
    Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module chap returns noop for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 21
    Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module mschap returns noop for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 21
    Fri May 18 13:39:07 2007 : Debug: rlm_realm: Looking up realm realm.com for User-Name = [EMAIL PROTECTED]
    Fri May 18 13:39:07 2007 : Debug: rlm_realm: No such realm realm.com
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 21
    Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module suffix returns noop for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 21
    Fri May 18 13:39:07 2007 : Debug: rlm_eap: No EAP-Message, not doing EAP
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 21
    Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module eap returns noop for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 21
    *Fri May 18 13:39:07 2007 : Debug: users: Matched entry DEFAULT at line 54*
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 21
    Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module files returns ok for request 21
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling exec-radauth (rlm_exec) for request 21
    Fri May 18 13:39:07 2007 : Debug: radius_xlat: 'u:[EMAIL PROTECTED]'
    Fri May 18 13:39:07 2007 : Debug: radius_xlat: 'p:TestUser'
    Fri May 18 13:39:07 2007 : Debug: radius_xlat: 'n:1234567890'
    Fri May 18 13:39:07 2007 : Debug: radius_xlat: 't:Virtual'
    Fri May 18 13:39:07 2007 : Debug: Exec-Program output:
    Fri May 18 13:39:07 2007 : Debug: Exec-Program: returned: 1
    Fri May 18 13:39:07 2007 : Error: rlm_exec (exec-radauth): External script failed
    Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from exec-radauth (rlm_exec) for request 21
    Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module exec-radauth returns fail for request 21
    Fri May 18 13:39:07 2007 : Debug: modcall: leaving group authorize (returns fail) for request 21
    Fri May 18 13:39:07 2007 : Debug: Finished request 21
    Fri May 18 13:39:07 2007 : Debug: Going to the next request
    Fri May 18 13:39:07 2007 : Debug: --- Walking the entire request list ---
    Fri May 18 13:39:07 2007 : Debug: Waking up in 3 seconds...

Line 54 of my users file contains:

    DEFAULT Auth-Type = Accept

I don't know if that helps at all, but this one has me well and truly stumped... :~[

Patrick

Patric wrote:
> [EMAIL PROTECTED] wrote:
> > you have various other attributes in your real production system - perhaps you have matching DEFAULT values (eg in users file) which are aiding the access accept?
>
> If that were the case, then wouldn't this eliminate the problem:
>
> My radiusd.conf authorize section contains only this:
>
>     authorize {
>             files
>             exec-radauth
>     }
>
> My users file contains only this:
>
>     DEFAULT Auth-Type = Accept
>
> If I understand it correctly this would mean that the only authentication done is by my script. I did the above on the production server, but I am still not returning an access-reject... I have now also upgraded freeradius on the production server to 1.1.6, also with the same result - no access-reject returned...
>
> I am now at a
Re: Question regarding external script authentication
Alan DeKok wrote:
> It's a bug in 1.1.x. It's fixed in 2.0.0

Ah great, at least that explains it! I see the latest public release is 1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable enough to run in production yet? If not any ETA?

Otherwise can you suggest any previous version that may not have this bug, and is security safe enough to run in a production environment? It would seem the 1.1.3 build I have on my test environment does not have that bug... *shrugs*

Thanks a stack Alan, you have been a great help!

Patrick
Re: Question regarding external script authentication
> > Ah great, at least that explains it! I see the latest public release is 1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable enough to run in production yet? If not any ETA?
>
> See the main web page? It's all there...

It seems to be in the news section on all the pages *except* the main one.

Ivan Kalik
Kalik Informatika ISP

On 18/5/2007, Alan DeKok [EMAIL PROTECTED] writes:
> Patric wrote:
> > Ah great, at least that explains it! I see the latest public release is 1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable enough to run in production yet? If not any ETA?
>
> See the main web page? It's all there...
>
> > Otherwise can you suggest any previous version that may not have this bug, and is security safe enough to run in a production environment? It would seem the 1.1.3 build I have on my test environment does not have that bug... *shrugs*
>
> It has the bug.
>
> Alan DeKok.
Re: Question regarding external script authentication
Patric wrote:
> Ah great, at least that explains it! I see the latest public release is 1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable enough to run in production yet? If not any ETA?

See the main web page? It's all there...

> Otherwise can you suggest any previous version that may not have this bug, and is security safe enough to run in a production environment? It would seem the 1.1.3 build I have on my test environment does not have that bug... *shrugs*

It has the bug.

Alan DeKok.

-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Question regarding external script authentication
On Fri 18 May 2007, Patric wrote:
> Alan DeKok wrote:
> > It's a bug in 1.1.x. It's fixed in 2.0.0
>
> Ah great, at least that explains it! I see the latest public release is 1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable enough to run in production yet? If not any ETA?
>
> Otherwise can you suggest any previous version that may not have this bug, and is security safe enough to run in a production environment? It would seem the 1.1.3 build I have on my test environment does not have that bug... *shrugs*
>
> Thanks a stack Alan, you have been a great help!

ftp://ftp.freeradius.org/pub/radius/freeradius-server-2.0.0-pre1.tar.bz2

Cheers

-- 
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Question regarding external script authentication
[EMAIL PROTECTED] wrote:
> It seems to be in the news section on all the pages *except* the main one.

Your browser has cached the main page.

Alan DeKok.
Re: Question regarding external script authentication
Alan DeKok wrote:
> See the main web page? It's all there...

Read, and understood :]

Out of curiosity I did compile the latest snapshot, and I see that it is fixed, and even returns the correct status based on what your external script returns (1 - rejected, 4 - handled, 5 - invalid, etc...). That's fantastic, can't wait till it's ready for release!

> It has the bug.

Yes, undoubtedly, but what I meant was the server still returns the access-reject...

Well thanks so much, you've helped me clear up and understand a lot more of freeradius!
Re: Question regarding external script authentication
Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > It seems to be in the news section on all the pages *except* the main one.
>
> Your browser has cached the main page.

Alan you're gonna give us all an inferiority complex if you continue to be right all the time! ;]

Cheers
Re: Question regarding external script authentication
Patric wrote:
> I am currently using exec to authenticate users through an external script. When all criteria match I return the correct access-accept pairs and the users authenticate successfully. When the criteria are NOT met, I exit(1) my php script to hand control back to the freeradius server. This seems to be causing authentication requests to time out, as I guess I am not sending anything back...

Set reject_delay = 0 in radiusd.conf.

Alan DeKok.
Re: Question regarding external script authentication
Hi Alan,

Thanks for your response.

Alan DeKok wrote:
> Set reject_delay = 0 in radiusd.conf.

I just want to clarify, if I set the reject_delay to 0, and in my external script the only thing I do is exit(1);, then freeradius will return a reject response to the NAS? Or will it simply not respond? Because the complaint my NAS maintainer has is that he is getting no response.

Thanks a stack!

Patrick
Re: Question regarding external script authentication
Patric wrote:
> I just want to clarify, if I set the reject_delay to 0, and in my external script the only thing I do is exit(1);, then freeradius will return a reject response to the NAS?

It will send a reject to the NAS.

> Or will it simply not respond? Because the complaint my NAS maintainer has is that he is getting no response.

Yes, I understood that from your previous message.

Alan DeKok.