Re: rlm_exec question

2008-04-18 Thread T Kid82
Anybody know about these two things that I asked?

1. I have log incoming authentication requests set to yes but they do
not seem to be getting logged (in the radiusd.log file). Ideally I
would like to see the same level of verbosity as the radiusd -X mode
gives on standard out in my logs. Is there any way to do that without
actually running the server in debug mode?

2. Is there a config setting for locking out a user temporarily if
they make more than say 5 unsuccessful login attempts in a short time
 span?

Thanks.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_exec question

2008-04-17 Thread T Kid82
Thank you Alan, your recommendation worked perfectly. It has
permanently cured me of fleas :p

Two other things I wanted to ask the experts on here.
1. I have log incoming authentication requests set to yes but they do
not seem to be getting logged (in the radiusd.log file). Ideally I
would like to see the same level of verbosity as the radiusd -X mode
gives on standard out in my logs. Is there any way to do that without
actually running the server in debug mode?


2. Is there a config setting for locking out a user temporarily if
they make more than say 5 unsuccessful login attempts in a short time
span?

Thanks again.

-- Tauseef

On Sun, Apr 13, 2008 at 11:32 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> T Kid82 wrote:
>> First I added a files sub-section to the modules section within radiusd.conf
>>
>> files {
>>     Auth-Type := Exec
>> }
>
> There is already a files subsection.  It configures the users
> file.  You should put the Auth-Type entry there, instead of in
> radiusd.conf.
>
> Oh, and read the documentation for the users file.
>
> Alan DeKok.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
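
Alan DeKok's advice in the reply quoted above, laid out as a configuration sketch. This is an added example, not part of the original thread and not the FreeRADIUS project's shipped configuration; it reuses the settings posted elsewhere in the thread, and the raddb/ file locations named in the comments are assumptions.

```conf
# --- raddb/users (the file read by the stock "files" module; path assumed) ---
# Auth-Type is a control attribute. Setting it here, during authorize,
# is what selects the matching sub-section of authenticate later on.
DEFAULT	Auth-Type := Exec

# --- raddb/radiusd.conf ---
modules {
	# Leave the stock files { ... } module definition as shipped.
	# Replacing it with
	#     files { Auth-Type := Exec }
	# is the attempt from the thread that logged "++[files] returns noop"
	# followed by "No authenticate method (Auth-Type) configuration found".

	exec {
		program = /usr/bin/authenticate.pl
		wait = yes
		input_pairs = request
		output_pairs = reply
	}
}

authorize {
	preprocess
	# Matches the DEFAULT entry in the users file and sets Auth-Type.
	files
}

authenticate {
	# Runs only for requests whose Auth-Type was set to Exec above.
	Auth-Type Exec {
		# The script's exit status becomes the module result
		# (the thread's logs show exit 0 and exit 3 both giving "ok").
		exec
	}
}
```

With `exec` listed only in authorize, as in the original posts, the script runs and returns ok, but nothing has set Auth-Type, so the server rejects the request exactly as the debug output reports.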


rlm_exec question

2008-04-13 Thread T Kid82
Hi everyone,

I am trying to accomplish a very simple task using RADIUS as an
authentication proxy.
All I need it to do is use the username/password combo sent in, run a
perl script to validate those credentials and return a pass or fail.
I have my perl script set up to return all the right codes as the
radiusd.conf specifies. (  0 : fail, 0 : ok , etc...)

I have added the following changes to the radiusd.conf file,
everything else is as it is out of the box.

  authorize {
      preprocess
      exec
  }

  authenticate {
      Auth-Type Exec {
          exec
      }
  }

In the modules section I added my program name / perl script (the
location is just a temp thing to get this going):

  exec {
      program = /usr/bin/authenticate.pl
      wait = yes
      input_pairs = request
      output_pairs = reply
  }

When I run radtest, this is what I see in the logs

User-Name = tkid
User-Password = hlsearch
NAS-IP-Address = 127.0.0.1
NAS-Port = 1645
+- entering group authorize
++[preprocess] returns ok
Exec-Program output: Error: Password check passed
Exec-Program: returned: 0
++[exec] returns ok
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [tkid/hlsearch] (from client localhost port 1645)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - tkid
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 149 with timestamp +10
Ready to process requests.



In essence, all I want is authentication and not authorization. How do
I accomplish that here?

Thanks for your help in advance.
Thanks,
-- Tauseef


Re: rlm_exec question

2008-04-13 Thread T Kid82
Hi Ivan,
I tried two variations.

First I added a files sub-section to the modules section within radiusd.conf

files {
    Auth-Type := Exec
}

and in the authorize section I put in

authorize {
    preprocess
    files
}

This is what I saw in the radius logs


User-Name = tkid
User-Password = hlsearch
NAS-IP-Address = 127.0.0.1
NAS-Port = 1645
+- entering group authorize
++[preprocess] returns ok
++[files] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [tkid/hlsearch] (from client localhost port 1645)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - tkid
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Waking up in 4.9 seconds.
Cleaning up request 0 ID 79 with timestamp +20
Ready to process requests.

I also tried adding the DEFAULT as you asked

so I made an addition to the files module

files {
 DEFAULT Auth-Type := Exec
}

I got a radiusd.conf syntax error

Expecting section start brace '{' after DEFAULT Auth-Type

Let me know what else I need to get going here. It would be great if
you can let me know specifically where I have to add config settings
since I am not very familiar with freeradius yet.

I would really prefer to run a perl script rather than doing a .pm
since I tried that before and just kept getting too many errors. I'll
consider that once all the options of a perl script have been
exhausted.

Thanks everyone for your help.

-- Tauseef


2008/4/13 Ivan Kalik [EMAIL PROTECTED]:
> Add files to authorize and put DEFAULT   Auth-Type := Exec in it.
>
> Ivan Kalik
> Kalik Informatika ISP




Re: rlm_exec use

2008-03-20 Thread T Kid82
> Yes... but from the debug output you posted, it looks like you deleted
> everything *else*

The debug output I pasted was not in its entirety. I did not paste any
preceding output since it looked fine to me. No errors.

> Could you explain why you think that?  None of the documentation or
> default configuration files say that.  Note that the module return code
> OK or success does NOT mean let the user in without checking their
> password.

That is a revelation to me.

> You set Auth-Type just like setting any other attribute.  See man
> unlang for examples.

I will definitely look through the documentation. Is there a specific
Auth-Type that would be appropriate for my simple case. I guess what I
am asking is, can you give me an example of an Auth-Type other than
the Perl example?

On Wed, Mar 19, 2008 at 1:59 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> T Kid82 wrote:
>> I got this from the comments in exec-program-wait (which has been
>> deprecated) where it explains how to use rlm_exec. It says,
>>
>> An entry for the module 'rlm_exec' must be added to the file
>> 'radiusd.conf' with the path of the script.
>
> Yes... but from the debug output you posted, it looks like you deleted
> everything *else*.
>
>>> Why would this let all users through?
>> I thought that since I am always returning 3 to the server, that this
>> would let all users pass through.
>
> Could you explain why you think that?  None of the documentation or
> default configuration files say that.  Note that the module return code
> OK or success does NOT mean let the user in without checking their
> password.
>
>>> you didn't set Auth-Type
>> Where do I set the Auth-Type. Can you provide a sample code snippet on
>> how to do this? Or perhaps a link to the doc.
>
> You set Auth-Type just like setting any other attribute.  See man
> unlang for examples.
>
> Alan DeKok.


rlm_exec use

2008-03-19 Thread T Kid82
Hi everyone,

I have been trying to get RADIUS to run a perl script which would
authenticate users (and yes I have tried rlm_perl but I decided
against it). So far all I have in the perl script itself is


#!/usr/bin/perl

use strict;
use Data::Dumper;

exit 3;
--

This is what my debug output says when I run radtest:

rad_recv: Access-Request packet from host 127.0.0.1 port 33397,
id=236, length=56
User-Name = matt
User-Password = testing
NAS-IP-Address = 127.0.0.1
NAS-Port = 1645
+- entering group authorize
Exec-Program output:
Exec-Program: returned: 3
++[exec] returns ok
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [matt/testing] (from client localhost port 1645)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - matt
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
-

This is what I have in my radiusd.conf

authorize {
exec
}

authentication {
Auth-Type Exec {
exec
}
}

---

I would think this should let all users pass through but it doesn't
seem to be doing that. What am I missing here?

Thanks in advance for your help,

-- Tauseef


Re: rlm_exec use

2008-03-19 Thread T Kid82
> You have put significant effort into butchering the default
> configuration.  Why?

I got this from the comments in exec-program-wait (which has been
deprecated) where it explains how to use rlm_exec. It says,

An entry for the module 'rlm_exec' must be added to the file
'radiusd.conf' with the path of the script.

authorize {
    ...
    exec
    ...
}

I also added

exec {
    program = /usr/local/etc/raddb/authenticate
    wait = yes
    input_pairs = request
    output_pairs = reply
}

to my radiusd.conf which is also from the comments in exec-program-wait

> Why would this let all users through?

I thought that since I am always returning 3 to the server, that this
would let all users pass through.

> you didn't set Auth-Type

Where do I set the Auth-Type. Can you provide a sample code snippet on
how to do this? Or perhaps a link to the doc.

> If you think this isn't necessary, then you need to spend more time
> understanding how the server works.

I don't know either way. That's why I decided to mail the list. I have
looked through quite a bit of documentation but I didn't find much on
this particular module

On Wed, Mar 19, 2008 at 1:17 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> T Kid82 wrote:
>> I have been trying to get RADIUS to run a perl script which would
>> authenticate users (and yes I have tried rlm_perl but I decided
>> against it).
>
> Why?  It is *much* more efficient than exec'ing a program.
> ...
>
>> Exec-Program output:
>> Exec-Program: returned: 3
>> ++[exec] returns ok
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>
> That would seem to be clear.
>
>> This is what I have in my radiusd.conf
>>
>> authorize {
>>     exec
>> }
>>
>> authentication {
>>     Auth-Type Exec {
>>         exec
>>     }
>
> You have put significant effort into butchering the default
> configuration.  Why?
>
>> I would think this should let all users pass through but it doesn't
>> seem to be doing that. What am I missing here?
>
> Why would this let all users through?  The debug output is clear: you
> didn't set Auth-Type.  So authentication fails.
>
> The default configuration Just Does the Right Thing.  If you're going
> to drastically edit the configuration, then you need to understand how
> the server works.  In this case, fix the problem printed out by the
> debug log: set Auth-Type.  If you think this isn't necessary, then you
> need to spend more time understanding how the server works.
>
> Alan DeKok.