Re: rlm_exec question
Anybody know about these two things that I asked?

1. I have "log incoming authentication requests" set to yes, but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there any way to do that without actually running the server in debug mode?

2. Is there a config setting for locking out a user temporarily if they make more than, say, 5 unsuccessful login attempts in a short time span?

Thanks.

On Thu, Apr 17, 2008 at 1:15 AM, T Kid82 [EMAIL PROTECTED] wrote:
> Thank you Alan, your recommendation worked perfectly. It has permanently cured me of fleas :p
>
> Two other things I wanted to ask the experts on here.
>
> 1. I have "log incoming authentication requests" set to yes, but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there any way to do that without actually running the server in debug mode?
>
> 2. Is there a config setting for locking out a user temporarily if they make more than, say, 5 unsuccessful login attempts in a short time span?
>
> Thanks again.
>
> --
> Tauseef
>
> On Sun, Apr 13, 2008 at 11:32 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> > T Kid82 wrote:
> > > First I added a "files" sub-section to the modules section within radiusd.conf:
> > >
> > >     files {
> > >         Auth-Type := Exec
> > >     }
> >
> > There is already a "files" subsection. It configures the "users" file. You should put the Auth-Type entry there, instead of in radiusd.conf.
> >
> > Oh, and read the documentation for the "users" file.
> >
> > Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_exec question
Thank you Alan, your recommendation worked perfectly. It has permanently cured me of fleas :p

Two other things I wanted to ask the experts on here.

1. I have "log incoming authentication requests" set to yes, but they do not seem to be getting logged (in the radiusd.log file). Ideally I would like to see the same level of verbosity as the radiusd -X mode gives on standard out in my logs. Is there any way to do that without actually running the server in debug mode?

2. Is there a config setting for locking out a user temporarily if they make more than, say, 5 unsuccessful login attempts in a short time span?

Thanks again.

--
Tauseef

On Sun, Apr 13, 2008 at 11:32 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> T Kid82 wrote:
> > First I added a "files" sub-section to the modules section within radiusd.conf:
> >
> >     files {
> >         Auth-Type := Exec
> >     }
>
> There is already a "files" subsection. It configures the "users" file. You should put the Auth-Type entry there, instead of in radiusd.conf.
>
> Oh, and read the documentation for the "users" file.
>
> Alan DeKok.
rlm_exec question
Hi everyone,

I am trying to accomplish a very simple task using RADIUS as an authentication proxy. All I need it to do is use the username/password combo sent in, run a perl script to validate those credentials and return a pass or fail. I have my perl script set up to return all the right codes as the radiusd.conf specifies (< 0 : fail, = 0 : ok, etc...).

I have added the following changes to the radiusd.conf file; everything else is as it is out of the box.

    authorize {
        preprocess
        exec
    }

    authenticate {
        Auth-Type Exec {
            exec
        }
    }

In the modules section I added my program name / perl script (the location is just a temp thing to get this going):

    exec {
        program = /usr/bin/authenticate.pl
        wait = yes
        input_pairs = request
        output_pairs = reply
    }

When I run radtest, this is what I see in the logs:

    User-Name = tkid
    User-Password = hlsearch
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1645
    +- entering group authorize
    ++[preprocess] returns ok
    Exec-Program output: Error: Password check passed
    Exec-Program: returned: 0
    ++[exec] returns ok
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [tkid/hlsearch] (from client localhost port 1645)
    Found Post-Auth-Type Reject
    +- entering group REJECT
    expand: %{User-Name} -> tkid
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 149 with timestamp +10
    Ready to process requests.

In essence, all I want is authentication and not authorization. How do I accomplish that here?

Thanks for your help in advance.

Thanks,

--
Tauseef
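As an added example, not code from the thread or from FreeRADIUS, here is a Python stand-in for the perl script above, written to the rlm_exec contract the message describes: request attributes arrive on stdin (input_pairs = request), anything printed to stdout is parsed as reply attributes (output_pairs = reply), and the exit code becomes the module return code. It also covers the lockout question asked elsewhere in this thread (more than 5 failures in a short window) as a script-side approach that returns the "userlock" code; that is my generalization, not a server setting the thread identifies. Assumptions, labelled in the code: rlm_exec writes one `Attr = "value"` line per request attribute, the exit-code table is the one given in the comments of the stock raddb exec module configuration, and the user store (USERS), the attempt tracker (AttemptTracker) and SAMPLE_REQUEST are constructed for the example.

```python
#!/usr/bin/env python3
# Added example, not code from the thread: a password-checking program written
# to the rlm_exec contract (input_pairs = request on stdin, output_pairs = reply
# from stdout, exit code = module return code).  Assumed: one 'Attr = "value"'
# line per attribute on stdin; exit codes as in the stock exec module comments.
import hashlib
import hmac
import re
import sys
import time

# Exit codes rlm_exec maps onto module return codes (stock exec module comments).
EXIT_OK, EXIT_REJECT, EXIT_FAIL, EXIT_USERLOCK = 0, 1, 2, 6

MAX_FAILURES = 5       # lockout threshold asked about in the thread
WINDOW_SECONDS = 300   # "short time span": constructed value for the example


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


# Constructed user store: username -> (salt, sha256(salt || password)).
# A deployment would use a real password hash (bcrypt/scrypt/argon2) and a
# persistent backend; this is only enough to make the example run.
USERS = {"tkid": (b"example-salt", _digest(b"example-salt", "hlsearch"))}
_DUMMY = (b"dummy-salt", _digest(b"dummy-salt", "dummy"))

PAIR_RE = re.compile(r'^\s*([\w-]+)\s*(?::=|\+=|=)\s*"?(.*?)"?\s*$')


def parse_pairs(text: str) -> dict:
    """Parse the 'Attr = "value"' lines rlm_exec feeds to the script's stdin."""
    pairs = {}
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def check_password(user: str, password: str) -> bool:
    """True only if the user exists and the password matches.  Unknown users
    are hashed against a dummy entry so timing does not reveal whether the
    account exists, and the digests are compared in constant time."""
    salt, expected = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(_digest(salt, password), expected)
    return ok and user in USERS


class AttemptTracker:
    """Per-user failed-attempt window.  rlm_exec starts a fresh process per
    request, so a real script would keep this mapping in a file or database;
    an in-memory dict is used here so the example runs stand-alone."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, store=None):
        self.max_failures, self.window = max_failures, window
        self.failures = {} if store is None else store   # user -> [timestamps]

    def is_locked(self, user: str, now: float) -> bool:
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        self.failures[user] = recent          # drop failures outside the window
        return len(recent) >= self.max_failures

    def record_failure(self, user: str, now: float) -> None:
        self.failures.setdefault(user, []).append(now)

    def clear(self, user: str) -> None:
        self.failures.pop(user, None)


def authenticate(stdin_text: str, tracker: AttemptTracker, now=None) -> int:
    """Handle one request; returns the exit code rlm_exec will see."""
    now = time.time() if now is None else now
    req = parse_pairs(stdin_text)
    user, password = req.get("User-Name"), req.get("User-Password")
    if not user or password is None:
        # Diagnostics go to stderr: stdout is parsed as reply attributes.
        print("missing User-Name or User-Password", file=sys.stderr)
        return EXIT_FAIL
    if tracker.is_locked(user, now):
        return EXIT_USERLOCK      # the server turns userlock into a reject
    if check_password(user, password):
        tracker.clear(user)
        return EXIT_OK
    tracker.record_failure(user, now)
    return EXIT_REJECT


# Constructed request, shaped like the radtest packet shown in the thread.
SAMPLE_REQUEST = ('User-Name = "tkid"\nUser-Password = "hlsearch"\n'
                  'NAS-IP-Address = 127.0.0.1\nNAS-Port = 1645\n')


def demo() -> list:
    """One good login, five bad ones, then a correct password that is still
    refused because the account is locked.  Returns [0, 1, 1, 1, 1, 1, 6]."""
    tracker = AttemptTracker()
    bad = SAMPLE_REQUEST.replace('"hlsearch"', '"wrong"')
    codes = [authenticate(SAMPLE_REQUEST, tracker, now=1000.0)]
    codes += [authenticate(bad, tracker, now=1000.0 + i) for i in range(5)]
    codes.append(authenticate(SAMPLE_REQUEST, tracker, now=1010.0))
    return codes


if __name__ == "__main__":
    sys.exit(authenticate(sys.stdin.read(), AttemptTracker()))
```

Pointed at by `program = ...` in the exec module block, the script prints nothing to stdout unless that text is meant to become reply attributes, and its exit code is what decides the outcome when the module runs inside the Auth-Type Exec block: 0 means the user is accepted, and reject, fail and userlock all end in an Access-Reject.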
Re: rlm_exec question
Hi Ivan,

I tried two variations. First I added a "files" sub-section to the modules section within radiusd.conf:

    files {
        Auth-Type := Exec
    }

and in the authorize section I put in:

    authorize {
        preprocess
        files
    }

This is what I saw in the radius logs:

    User-Name = tkid
    User-Password = hlsearch
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1645
    +- entering group authorize
    ++[preprocess] returns ok
    ++[files] returns noop
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [tkid/hlsearch] (from client localhost port 1645)
    Found Post-Auth-Type Reject
    +- entering group REJECT
    expand: %{User-Name} -> tkid
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 79 with timestamp +20
    Ready to process requests.

I also tried adding the DEFAULT as you asked, so I made an addition to the files module:

    files {
        DEFAULT Auth-Type := Exec
    }

I got a radiusd.conf syntax error:

    Expecting section start brace '{' after DEFAULT Auth-Type

Let me know what else I need to get going here. It would be great if you can let me know specifically where I have to add config settings, since I am not very familiar with freeradius yet. I would really prefer to run a perl script rather than doing a .pm, since I tried that before and just kept getting too many errors. I'll consider that once all the options of a perl script have been exhausted.

Thanks everyone for your help.

--
Tauseef

2008/4/13 Ivan Kalik [EMAIL PROTECTED]:
> Add files to authorize and put
>
>     DEFAULT Auth-Type := Exec
>
> in it.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 13/4/2008, T Kid82 [EMAIL PROTECTED] wrote:
> > Hi everyone,
> >
> > I am trying to accomplish a very simple task using RADIUS as an authentication proxy. All I need it to do is use the username/password combo sent in, run a perl script to validate those credentials and return a pass or fail. I have my perl script set up to return all the right codes as the radiusd.conf specifies (< 0 : fail, = 0 : ok, etc...).
> >
> > I have added the following changes to the radiusd.conf file; everything else is as it is out of the box.
> >
> >     authorize {
> >         preprocess
> >         exec
> >     }
> >
> >     authenticate {
> >         Auth-Type Exec {
> >             exec
> >         }
> >     }
> >
> > In the modules section I added my program name / perl script (the location is just a temp thing to get this going):
> >
> >     exec {
> >         program = /usr/bin/authenticate.pl
> >         wait = yes
> >         input_pairs = request
> >         output_pairs = reply
> >     }
> >
> > When I run radtest, this is what I see in the logs:
> >
> >     User-Name = tkid
> >     User-Password = hlsearch
> >     NAS-IP-Address = 127.0.0.1
> >     NAS-Port = 1645
> >     +- entering group authorize
> >     ++[preprocess] returns ok
> >     Exec-Program output: Error: Password check passed
> >     Exec-Program: returned: 0
> >     ++[exec] returns ok
> >     auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> >     auth: Failed to validate the user.
> >     Login incorrect: [tkid/hlsearch] (from client localhost port 1645)
> >     Found Post-Auth-Type Reject
> >     +- entering group REJECT
> >     expand: %{User-Name} -> tkid
> >     attr_filter: Matched entry DEFAULT at line 11
> >     ++[attr_filter.access_reject] returns updated
> >     Finished request 0.
> >     Going to the next request
> >     Waking up in 4.9 seconds.
> >     Cleaning up request 0 ID 149 with timestamp +10
> >     Ready to process requests.
> >
> > In essence, all I want is authentication and not authorization. How do I accomplish that here?
> >
> > Thanks for your help in advance.
> >
> > Thanks,
> >
> > --
> > Tauseef
Re: rlm_exec use
> Yes... but from the debug output you posted, it looks like you deleted everything *else*

The debug output I pasted was not in its entirety. I did not paste any preceding output since it looked fine to me. No errors.

> Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".

That is a revelation to me.

> You set Auth-Type just like setting any other attribute. See "man unlang" for examples.

I will definitely look through the documentation. Is there a specific Auth-Type that would be appropriate for my simple case? I guess what I am asking is, can you give me an example of an Auth-Type other than the Perl example?

On Wed, Mar 19, 2008 at 1:59 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> T Kid82 wrote:
> > I got this from the comments in exec-program-wait (which has been deprecated), where it explains how to use rlm_exec. It says, "An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."
>
> Yes... but from the debug output you posted, it looks like you deleted everything *else*.
>
> > > Why would this let all users through?
> >
> > I thought that since I am always returning 3 to the server, that this would let all users pass through.
>
> Could you explain why you think that? None of the documentation or default configuration files say that. Note that the module return code "OK" or "success" does NOT mean "let the user in without checking their password".
>
> > > you didn't set Auth-Type
> >
> > Where do I set the Auth-Type? Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.
>
> You set Auth-Type just like setting any other attribute. See "man unlang" for examples.
>
> Alan DeKok.
rlm_exec use
Hi everyone,

I have been trying to get RADIUS to run a perl script which would authenticate users (and yes I have tried rlm_perl but I decided against it). So far all I have in the perl script itself is:

    #!/usr/bin/perl
    use strict;
    use Data::Dumper;
    exit 3;

--

This is what my debug output says when I run radtest:

    rad_recv: Access-Request packet from host 127.0.0.1 port 33397, id=236, length=56
    User-Name = matt
    User-Password = testing
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1645
    +- entering group authorize
    Exec-Program output:
    Exec-Program: returned: 3
    ++[exec] returns ok
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [matt/testing] (from client localhost port 1645)
    Found Post-Auth-Type Reject
    +- entering group REJECT
    expand: %{User-Name} -> matt
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds

-

This is what I have in my radiusd.conf:

    authorize {
        exec
    }

    authentication {
        Auth-Type Exec {
            exec
        }
    }

---

I would think this should let all users pass through, but it doesn't seem to be doing that. What am I missing here?

Thanks in advance for your help,

--
Tauseef
Re: rlm_exec use
> You have put significant effort into butchering the default configuration. Why?

I got this from the comments in exec-program-wait (which has been deprecated), where it explains how to use rlm_exec. It says, "An entry for the module 'rlm_exec' must be added to the file 'radiusd.conf' with the path of the script."

    authorize {
        ...
        exec
        ...
    }

I also added

    exec {
        program = /usr/local/etc/raddb/authenticate
        wait = yes
        input_pairs = request
        output_pairs = reply
    }

to my radiusd.conf, which is also from the comments in exec-program-wait.

> Why would this let all users through?

I thought that since I am always returning 3 to the server, that this would let all users pass through.

> you didn't set Auth-Type

Where do I set the Auth-Type? Can you provide a sample code snippet on how to do this? Or perhaps a link to the doc.

> If you think this isn't necessary, then you need to spend more time understanding how the server works.

I don't know either way. That's why I decided to mail the list. I have looked through quite a bit of documentation, but I didn't find much on this particular module.

On Wed, Mar 19, 2008 at 1:17 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> T Kid82 wrote:
> > I have been trying to get RADIUS to run a perl script which would authenticate users (and yes I have tried rlm_perl but I decided against it).
>
> Why? It is *much* more efficient than exec'ing a program.
>
> ...
> >     Exec-Program output:
> >     Exec-Program: returned: 3
> >     ++[exec] returns ok
> >     auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> That would seem to be clear.
>
> > This is what I have in my radiusd.conf:
> >
> >     authorize {
> >         exec
> >     }
> >
> >     authentication {
> >         Auth-Type Exec {
> >             exec
> >         }
> >     }
>
> You have put significant effort into butchering the default configuration. Why?
>
> > I would think this should let all users pass through, but it doesn't seem to be doing that. What am I missing here?
>
> Why would this let all users through?
>
> The debug output is clear: you didn't set Auth-Type. So authentication fails.
>
> The default configuration Just Does the Right Thing. If you're going to drastically edit the configuration, then you need to understand how the server works. In this case, fix the problem printed out by the debug log: set Auth-Type.
>
> If you think this isn't necessary, then you need to spend more time understanding how the server works.
>
> Alan DeKok.