Using EXEC authentication sources

Nate .
Hello, I'm trying to test something different in my environment. I read
that you can use external authenticators using EXEC. I have tried a basic
setup and am running into a problem. I'm not super clear on what the logs
are trying to tell me. I feel like the documents I'm reading must be
outdated or wrong, like many of the websites out there.
I am simply trying to use a PHP script to return "Accept" no matter what is
called, just to test this out.
*auth.php contents:*

> <?php echo "Accept"; ?>


Here is my run. You can see an attempt to connect from my device:

> root@freeradius:/etc/freeradius# freeradius -X
> FreeRADIUS Version 3.0.16
> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/freeradius/3.0/dictionary
> including configuration file /etc/freeradius/3.0/radiusd.conf
> including configuration file /etc/freeradius/3.0/proxy.conf
> including configuration file /etc/freeradius/3.0/clients.conf
> including files in directory /etc/freeradius/3.0/mods-enabled/
> including configuration file /etc/freeradius/3.0/mods-enabled/always
> including configuration file /etc/freeradius/3.0/mods-enabled/eap
> including configuration file /etc/freeradius/3.0/mods-enabled/passwd
> including configuration file /etc/freeradius/3.0/mods-enabled/linelog
> including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
> including configuration file /etc/freeradius/3.0/mods-enabled/mschap
> including configuration file /etc/freeradius/3.0/mods-enabled/soh
> including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
> including configuration file /etc/freeradius/3.0/mods-enabled/files
> including configuration file /etc/freeradius/3.0/mods-enabled/chap
> including configuration file /etc/freeradius/3.0/mods-enabled/pap
> including configuration file /etc/freeradius/3.0/mods-enabled/expiration
> including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
> including configuration file /etc/freeradius/3.0/mods-enabled/realm
> including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
> including configuration file /etc/freeradius/3.0/mods-enabled/utf8
> including configuration file /etc/freeradius/3.0/mods-enabled/detail
> including configuration file /etc/freeradius/3.0/mods-enabled/exec
> including configuration file /etc/freeradius/3.0/mods-enabled/echo
> including configuration file /etc/freeradius/3.0/mods-enabled/expr
> including configuration file /etc/freeradius/3.0/mods-enabled/digest
> including configuration file /etc/freeradius/3.0/mods-enabled/logintime
> including configuration file /etc/freeradius/3.0/mods-enabled/unix
> including configuration file /etc/freeradius/3.0/mods-enabled/unpack
> including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
> including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
> including configuration file /etc/freeradius/3.0/mods-enabled/replicate
> including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
> including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
> including files in directory /etc/freeradius/3.0/policy.d/
> including configuration file /etc/freeradius/3.0/policy.d/eap
> including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
> including configuration file /etc/freeradius/3.0/policy.d/control
> including configuration file /etc/freeradius/3.0/policy.d/canonicalization
> including configuration file /etc/freeradius/3.0/policy.d/operator-name
> including configuration file /etc/freeradius/3.0/policy.d/dhcp
> including configuration file /etc/freeradius/3.0/policy.d/filter
> including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
> including configuration file /etc/freeradius/3.0/policy.d/debug
> including configuration file /etc/freeradius/3.0/policy.d/cui
> including configuration file /etc/freeradius/3.0/policy.d/accounting
> including files in directory /etc/freeradius/3.0/sites-enabled/
> including configuration file /etc/freeradius/3.0/sites-enabled/default
> including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> main {
>  security {
>   user = "freerad"
>   group = "freerad"
>   allow_core_dumps = no
>  }
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> }
> main {
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> libdir = "/usr/lib/freeradius"
> radacctdir = "/var/log/freeradius/radacct"
> hostname_lookups = no
> max_request_time = 120
> cleanup_delay = 5
> max_requests = 16384
> pidfile = "/var/run/freeradius/freeradius.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
>  log {
>   stripped_names = no
>   auth = yes
>   auth_badpass = no
>   auth_goodpass = no
>   colourise = yes
>   msg_denied = "You are already logged in - access denied"
>  }
>  resources {
>  }
>  security {
>   max_attributes = 200
>   reject_delay = 1.000000
>   status_server = yes
>  }
> }
> radiusd: #### Loading Realms and Home Servers ####
>  proxy server {
>   retry_delay = 5
>   retry_count = 3
>   default_fallback = no
>   dead_time = 120
>   wake_all_if_all_dead = no
>  }
>  home_server localhost {
>   ipaddr = 127.0.0.1
>   port = 1812
>   type = "auth"
>   secret = <<< secret >>>
>   response_window = 20.000000
>   response_timeouts = 1
>   max_outstanding = 65536
>   zombie_period = 40
>   status_check = "status-server"
>   ping_interval = 30
>   check_interval = 30
>   check_timeout = 4
>   num_answers_to_alive = 3
>   revive_interval = 120
>   limit {
>   max_connections = 16
>   max_requests = 0
>   lifetime = 0
>   idle_timeout = 0
>   }
>   coa {
>   irt = 2
>   mrt = 16
>   mrc = 5
>   mrd = 30
>   }
>  }
>  home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
>  }
>  realm example.com {
> auth_pool = my_auth_failover
>  }
>  realm LOCAL {
>  }
> radiusd: #### Loading Clients ####
>  client localhost {
>   ipaddr = 127.0.0.1
>   require_message_authenticator = no
>   secret = <<< secret >>>
>   nas_type = "other"
>   proto = "*"
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>  }
>  client localhost_ipv6 {
>   ipv6addr = ::1
>   require_message_authenticator = no
>   secret = <<< secret >>>
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>  }
>  client 192.168.17.20/32 {
>   ipaddr = 192.168.17.20
>   ipv4addr = 192.168.17.20
>   require_message_authenticator = no
>   secret = <<< secret >>>
>   shortname = "HPWireless"
>   limit {
>   max_connections = 16
>   lifetime = 0
>   idle_timeout = 30
>   }
>  }
> Debugger not attached
>  # Creating Auth-Type = mschap
>  # Creating Auth-Type = digest
>  # Creating Auth-Type = eap
>  # Creating Auth-Type = PAP
>  # Creating Auth-Type = CHAP
>  # Creating Auth-Type = MS-CHAP
> radiusd: #### Instantiating modules ####
>  modules {
>   # Loaded module rlm_always
>   # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
>   always reject {
>   rcode = "reject"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
>   always fail {
>   rcode = "fail"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
>   always ok {
>   rcode = "ok"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
>   always handled {
>   rcode = "handled"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
>   always invalid {
>   rcode = "invalid"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
>   always userlock {
>   rcode = "userlock"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
>   always notfound {
>   rcode = "notfound"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
>   always noop {
>   rcode = "noop"
>   simulcount = 0
>   mpp = no
>   }
>   # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
>   always updated {
>   rcode = "updated"
>   simulcount = 0
>   mpp = no
>   }
>   # Loaded module rlm_eap
>   # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
>   eap {
>   default_eap_type = "md5"
>   timer_expire = 60
>   ignore_unknown_eap_types = no
>   cisco_accounting_username_bug = no
>   max_sessions = 16384
>   }
>   # Loaded module rlm_passwd
>   # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
>   passwd etc_passwd {
>   filename = "/etc/passwd"
>   format = "*User-Name:Crypt-Password:"
>   delimiter = ":"
>   ignore_nislike = no
>   ignore_empty = yes
>   allow_multiple_keys = no
>   hash_size = 100
>   }
>   # Loaded module rlm_linelog
>   # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
>   linelog {
>   filename = "/var/log/freeradius/linelog"
>   escape_filenames = no
>   syslog_severity = "info"
>   permissions = 384
>   format = "This is a log message for %{User-Name}"
>   reference = "messages.%{%{reply:Packet-Type}:-default}"
>   }
>   # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
>   linelog log_accounting {
>   filename = "/var/log/freeradius/linelog-accounting"
>   escape_filenames = no
>   syslog_severity = "info"
>   permissions = 384
>   format = ""
>   reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>   }
>   # Loading module "linelog_recv_request" from file /etc/freeradius/3.0/mods-enabled/linelog
>   linelog linelog_recv_request {
>   filename = "syslog"
>   escape_filenames = no
>   syslog_facility = "local0"
>   syslog_severity = "debug"
>   permissions = 384
>   format = "action = Recv-Request, %{pairs:request:}"
>   }
>   # Loading module "linelog_send_accept" from file /etc/freeradius/3.0/mods-enabled/linelog
>   linelog linelog_send_accept {
>   filename = "syslog"
>   escape_filenames = no
>   syslog_facility = "local0"
>   syslog_severity = "debug"
>   permissions = 384
>   format = "action = Send-Accept, %{pairs:request:}"
>   }
>   # Loading module "linelog_send_reject" from file /etc/freeradius/3.0/mods-enabled/linelog
>   linelog linelog_send_reject {
>   filename = "syslog"
>   escape_filenames = no
>   syslog_facility = "local0"
>   syslog_severity = "debug"
>   permissions = 384
>   format = "action = Send-Reject, %{pairs:request:}"
>   }
>   # Loading module "linelog_send_proxy_request" from file /etc/freeradius/3.0/mods-enabled/linelog
>   linelog linelog_send_proxy_request {
>   filename = "syslog"
>   escape_filenames = no
>   syslog_facility = "local0"
>   syslog_severity = "debug"
>   permissions = 384
>   format = "action = Send-Proxy-Request, %{pairs:proxy-request:}"
>   }
>   # Loading module "linelog_recv_proxy_response" from file /etc/freeradius/3.0/mods-enabled/linelog
>   linelog linelog_recv_proxy_response {
>   filename = "syslog"
>   escape_filenames = no
>   syslog_facility = "local0"
>   syslog_severity = "debug"
>   permissions = 384
>   reference = "messages.%{proxy-reply:Response-Packet-Type}"
>   }
>   # Loaded module rlm_radutmp
>   # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
>   radutmp sradutmp {
>   filename = "/var/log/freeradius/sradutmp"
>   username = "%{User-Name}"
>   case_sensitive = yes
>   check_with_nas = yes
>   permissions = 420
>   caller_id = no
>   }
>   # Loaded module rlm_mschap
>   # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
>   mschap {
>   use_mppe = yes
>   require_encryption = no
>   require_strong = no
>   with_ntdomain_hack = yes
>    passchange {
>    }
>   allow_retry = yes
>   winbind_retry_with_normalised_username = no
>   }
>   # Loaded module rlm_soh
>   # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
>   soh {
>   dhcp = yes
>   }
>   # Loaded module rlm_attr_filter
>   # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>   attr_filter attr_filter.post-proxy {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
>   key = "%{Realm}"
>   relaxed = no
>   }
>   # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>   attr_filter attr_filter.pre-proxy {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
>   key = "%{Realm}"
>   relaxed = no
>   }
>   # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>   attr_filter attr_filter.access_reject {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
>   key = "%{User-Name}"
>   relaxed = no
>   }
>   # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>   attr_filter attr_filter.access_challenge {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
>   key = "%{User-Name}"
>   relaxed = no
>   }
>   # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
>   attr_filter attr_filter.accounting_response {
>   filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
>   key = "%{User-Name}"
>   relaxed = no
>   }
>   # Loaded module rlm_files
>   # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
>   files {
>   filename = "/etc/freeradius/3.0/mods-config/files/authorize"
>   acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
>   preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
>   }
>   # Loaded module rlm_chap
>   # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
>   # Loaded module rlm_pap
>   # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
>   pap {
>   normalise = yes
>   }
>   # Loaded module rlm_expiration
>   # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
>   # Loaded module rlm_cache
>   # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
>   cache cache_eap {
>   driver = "rlm_cache_rbtree"
>   key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>   ttl = 15
>   max_entries = 0
>   epoch = 0
>   add_stats = no
>   }
>   # Loaded module rlm_realm
>   # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
>   realm IPASS {
>   format = "prefix"
>   delimiter = "/"
>   ignore_default = no
>   ignore_null = no
>   }
>   # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
>   realm suffix {
>   format = "suffix"
>   delimiter = "@"
>   ignore_default = no
>   ignore_null = no
>   }
>   # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
>   realm realmpercent {
>   format = "suffix"
>   delimiter = "%"
>   ignore_default = no
>   ignore_null = no
>   }
>   # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
>   realm ntdomain {
>   format = "prefix"
>   delimiter = "\\"
>   ignore_default = no
>   ignore_null = no
>   }
>   # Loaded module rlm_detail
>   # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>   detail auth_log {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>   detail reply_log {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>   detail pre_proxy_log {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>   detail post_proxy_log {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loaded module rlm_utf8
>   # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
>   # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
>   detail {
>   filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>   header = "%t"
>   permissions = 384
>   locking = no
>   escape_filenames = no
>   log_packet_header = no
>   }
>   # Loaded module rlm_exec
>   # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
>   exec {
>   wait = no
>   input_pairs = "request"
>   shell_escape = yes
>   timeout = 10
>   }
>   # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
>   exec echo {
>   wait = yes
>   program = "/bin/echo %{User-Name}"
>   input_pairs = "request"
>   output_pairs = "reply"
>   shell_escape = yes
>   }
>   # Loaded module rlm_expr
>   # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
>   expr {
>   safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>   }
>   # Loaded module rlm_digest
>   # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
>   # Loaded module rlm_logintime
>   # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
>   logintime {
>   minimum_timeout = 60
>   }
>   # Loaded module rlm_unix
>   # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
>   unix {
>   radwtmp = "/var/log/freeradius/radwtmp"
>   }
> Creating attribute Unix-Group
>   # Loaded module rlm_unpack
>   # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
>   # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
>   exec ntlm_auth {
>   wait = yes
>   program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>   shell_escape = yes
>   }
>   # Loaded module rlm_dynamic_clients
>   # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
>   # Loaded module rlm_replicate
>   # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
>   # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
>   radutmp {
>   filename = "/var/log/freeradius/radutmp"
>   username = "%{User-Name}"
>   case_sensitive = yes
>   check_with_nas = yes
>   permissions = 384
>   caller_id = yes
>   }
>   # Loaded module rlm_preprocess
>   # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
>   preprocess {
>   huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
>   hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
>   with_ascend_hack = no
>   ascend_channels_per_line = 23
>   with_ntdomain_hack = no
>   with_specialix_jetstream_hack = no
>   with_cisco_vsa_hack = no
>   with_alvarion_vsa_hack = no
>   }
>   instantiate {
>   }
>   # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
>   # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
>   # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
>   # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
>   # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
>   # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
>   # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
>   # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
>   # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
>   # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
>    # Linked to sub-module rlm_eap_md5
>    # Linked to sub-module rlm_eap_leap
>    # Linked to sub-module rlm_eap_gtc
>    gtc {
>     challenge = "Password: "
>     auth_type = "PAP"
>    }
>    # Linked to sub-module rlm_eap_tls
>    tls {
>     tls = "tls-common"
>    }
>    tls-config tls-common {
>     verify_depth = 0
>     ca_path = "/etc/freeradius/3.0/certs"
>     pem_file_type = yes
>     private_key_file = "/etc/freeradius/3.0/certs/server.key"
>     certificate_file = "/etc/freeradius/3.0/certs/server.pem"
>     ca_file = "/etc/freeradius/3.0/certs/ca.pem"
>     private_key_password = <<< secret >>>
>     dh_file = "/etc/freeradius/3.0/certs/dh"
>     random_file = "/dev/urandom"
>     fragment_size = 1024
>     include_length = yes
>     auto_chain = yes
>     check_crl = no
>     check_all_crl = no
>     cipher_list = "DEFAULT"
>     cipher_server_preference = no
>     ecdh_curve = "prime256v1"
>     tls_max_version = ""
>     tls_min_version = "1.0"
>     cache {
>     enable = yes
>     lifetime = 48
>     max_entries = 255
>     }
>     verify {
>     skip_if_ocsp_ok = no
>     }
>     ocsp {
>     enable = no
>     override_cert_url = yes
>     url = "http://127.0.0.1/ocsp/"
>     use_nonce = yes
>     timeout = 0
>     softfail = no
>     }
>    }
>    # Linked to sub-module rlm_eap_ttls
>    ttls {
>     tls = "tls-common"
>     default_eap_type = "md5"
>     copy_request_to_tunnel = no
>     use_tunneled_reply = no
>     virtual_server = "inner-tunnel"
>     include_length = yes
>     require_client_cert = no
>    }
> tls: Using cached TLS configuration from previous invocation
>    # Linked to sub-module rlm_eap_peap
>    peap {
>     tls = "tls-common"
>     default_eap_type = "mschapv2"
>     copy_request_to_tunnel = no
>     use_tunneled_reply = no
>     proxy_tunneled_request_as_eap = yes
>     virtual_server = "inner-tunnel"
>     soh = no
>     require_client_cert = no
>    }
> tls: Using cached TLS configuration from previous invocation
>    # Linked to sub-module rlm_eap_mschapv2
>    mschapv2 {
>     with_ntdomain_hack = no
>     send_error = no
>    }
>   # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>   # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
>   # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
>   # Instantiating module "linelog_recv_request" from file /etc/freeradius/3.0/mods-enabled/linelog
>   # Instantiating module "linelog_send_accept" from file /etc/freeradius/3.0/mods-enabled/linelog
>   # Instantiating module "linelog_send_reject" from file /etc/freeradius/3.0/mods-enabled/linelog
>   # Instantiating module "linelog_send_proxy_request" from file /etc/freeradius/3.0/mods-enabled/linelog
>   # Instantiating module "linelog_recv_proxy_response" from file /etc/freeradius/3.0/mods-enabled/linelog
>   # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
> rlm_mschap (mschap): using internal authentication
>   # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
>   # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
>   # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
> [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
>   # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
>   # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
>   # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
> reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
> reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
> reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
>   # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
>   # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
>   # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
>   # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
>   # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
>   # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
>   # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
>   # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
>   # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>   # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>   # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
>   # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
>   # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
>   # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
> reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
> reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
>  } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/freeradius/3.0/radiusd.conf
> } # server
> server default { # from file /etc/freeradius/3.0/sites-enabled/default
>  # Loading authenticate {...}
>  # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
>  # Loading preacct {...}
>  # Loading accounting {...}
>  # Loading post-proxy {...}
>  # Loading post-auth {...}
> } # server default
> server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>  # Loading authenticate {...}
>  # Loading authorize {...}
>  # Loading session {...}
>  # Loading post-proxy {...}
>  # Loading post-auth {...}
>  # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:351
> } # server inner-tunnel
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>   type = "auth"
>   ipaddr = *
>   port = 0
>    limit {
>     max_connections = 64
>     lifetime = 0
>     idle_timeout = 30
>    }
> }
> listen {
>   type = "acct"
>   ipaddr = *
>   port = 0
>    limit {
>     max_connections = 16
>     lifetime = 0
>     idle_timeout = 30
>    }
> }
> listen {
>   type = "auth"
>   ipv6addr = ::
>   port = 0
>    limit {
>     max_connections = 64
>     lifetime = 0
>     idle_timeout = 30
>    }
> }
> listen {
>   type = "acct"
>   ipv6addr = ::
>   port = 0
>    limit {
>     max_connections = 16
>     lifetime = 0
>     idle_timeout = 30
>    }
> }
> listen {
>   type = "auth"
>   ipaddr = 127.0.0.1
>   port = 18120
> }
> Listening on auth address * port 1812 bound to server default
> Listening on acct address * port 1813 bound to server default
> Listening on auth address :: port 1812 bound to server default
> Listening on acct address :: port 1813 bound to server default
> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
> Listening on proxy address * port 47468
> Listening on proxy address :: port 55657
> Ready to process requests
> (0) Received Access-Request Id 202 from 192.168.17.20:34228 to 192.168.16.222:1812 length 317
> (0)   Acct-Multi-Session-Id = "D8-9D-67-4E-87-C7-E8-50-8B-47-D5-3E-5D-92-16-FF-00-0D-0F-9F"
> (0)   Acct-Session-Id = "4682f798-000000ce"
> (0)   NAS-Port = 165
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   NAS-Identifier = "SNIP"
> (0)   NAS-IP-Address = 192.168.17.100
> (0)   Framed-MTU = 1496
> (0)   User-Name = "SNIP"
> (0)   Calling-Station-Id = "E8-50-8B-47-D5-3E"
> (0)   Called-Station-Id = "D8-9D-67-4E-87-C7"
> (0)   Service-Type = Framed-User
> (0)   EAP-Message = 0x0217000b016e74726f6e65
> (0)   Colubris-AVPair = "ssid=Debug"
> (0)   Colubris-AVPair = "incoming-vlan-id=10"
> (0)   Colubris-AVPair = "group=SNIP"
> (0)   Colubris-AVPair = "phytype=IEEE802dot11n"
> (0)   Attr-26.8744.250 = 0x00000003
> (0)   Attr-26.8744.249 = 0xc0a810de
> (0)   Message-Authenticator = 0x0b9fd7938dc7305078278a87ed366e46
> (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "SNIP", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 23 length 11
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0)     [eap] = ok
> (0)   } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_md5 to process data
> (0) eap_md5: Issuing MD5 Challenge
> (0) eap: Sending EAP Request (code 1) ID 24 length 22
> (0) eap: EAP session adding &reply:State = 0xf310d045f308d462
> (0)     [eap] = handled
> (0)   } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   Challenge { ... } # empty sub-section is ignored
> (0) Sent Access-Challenge Id 202 from 192.168.16.222:1812 to
> 192.168.17.20:34228 length 0
> (0)   EAP-Message = 0x01180016041099564c863948c0f66ffff4c4a1bac5c5
> (0)   Message-Authenticator = 0x00000000000000000000000000000000
> (0)   State = 0xf310d045f308d46253aa7f33ae26dff2
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 55 from 192.168.17.20:34228 to
> 192.168.16.222:1812 length 330
> (1)   Acct-Multi-Session-Id =
> "D8-9D-67-4E-87-C7-E8-50-8B-47-D5-3E-5D-92-16-FF-00-0D-0F-9F"
> (1)   Acct-Session-Id = "4682f798-000000ce"
> (1)   NAS-Port = 165
> (1)   NAS-Port-Type = Wireless-802.11
> (1)   NAS-Identifier = "SNIP"
> (1)   NAS-IP-Address = 192.168.17.100
> (1)   Framed-MTU = 1496
> (1)   User-Name = "SNIP"
> (1)   Calling-Station-Id = "E8-50-8B-47-D5-3E"
> (1)   Called-Station-Id = "D8-9D-67-4E-87-C7"
> (1)   Service-Type = Framed-User
> (1)   EAP-Message = 0x021800060315
> (1)   State = 0xf310d045f308d46253aa7f33ae26dff2
> (1)   Colubris-AVPair = "ssid=Debug"
> (1)   Colubris-AVPair = "incoming-vlan-id=10"
> (1)   Colubris-AVPair = "group=SNIP"
> (1)   Colubris-AVPair = "phytype=IEEE802dot11n"
> (1)   Attr-26.8744.250 = 0x00000003
> (1)   Attr-26.8744.249 = 0xc0a810de
> (1)   Message-Authenticator = 0x7dff6a06c09c6eda1367b54d8578d965
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (1)   authorize {
> (1)     policy filter_username {
> (1)       if (&User-Name) {
> (1)       if (&User-Name)  -> TRUE
> (1)       if (&User-Name)  {
> (1)         if (&User-Name =~ / /) {
> (1)         if (&User-Name =~ / /)  -> FALSE
> (1)         if (&User-Name =~ /@[^@]*@/ ) {
> (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (1)         if (&User-Name =~ /\.\./ ) {
> (1)         if (&User-Name =~ /\.\./ )  -> FALSE
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (1)         if (&User-Name =~ /\.$/)  {
> (1)         if (&User-Name =~ /\.$/)   -> FALSE
> (1)         if (&User-Name =~ /@\./)  {
> (1)         if (&User-Name =~ /@\./)   -> FALSE
> (1)       } # if (&User-Name)  = notfound
> (1)     } # policy filter_username = notfound
> (1)     [preprocess] = ok
> (1)     [chap] = noop
> (1)     [mschap] = noop
> (1)     [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "SNIP", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1)     [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 24 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1)     [eap] = updated
> (1)     [files] = noop
> (1)     update control {
> (1)       Executing: /usr/bin/php -f /etc/freeradius/auth.php
> '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}':
> (1)       EXPAND %{User-Name}
> (1)          --> SNIP
> (1)       EXPAND %{User-Password}
> (1)          -->
> (1)       EXPAND %{Client-IP-Address}
> (1)          --> 192.168.17.20
> (1)       Program returned code (0) and output 'Accept'
> (1)       Auth-Type := Accept
> (1)     } # update control = noop
> (1)     [expiration] = noop
> (1)     [logintime] = noop
> (1) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (1)     [pap] = noop
> (1)   } # authorize = updated
> (1) Found Auth-Type = Accept
> (1) Auth-Type = Accept, accepting the user
> (1) # Executing section post-auth from file
> /etc/freeradius/3.0/sites-enabled/default
> (1)   post-auth {
> (1)     update {
> (1)       No attributes updated
> (1)     } # update = noop
> (1)     [exec] = noop
> (1)     policy remove_reply_message_if_eap {
> (1)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (1)       else {
> (1)         [noop] = noop
> (1)       } # else = noop
> (1)     } # policy remove_reply_message_if_eap = noop
> (1)   } # post-auth = noop
> (1) Login OK: [SNIP] (from client HPWireless port 165 cli
> E8-50-8B-47-D5-3E)
> (1) Sent Access-Accept Id 55 from 192.168.16.222:1812 to
> 192.168.17.20:34228 length 0
> (1) Finished request
> Waking up in 4.9 seconds.
> (0) Cleaning up request packet ID 202 with timestamp +6
> (1) Cleaning up request packet ID 55 with timestamp +6
> Ready to process requests
> root@freeradius:/etc/freeradius#


I feel like I must have the Executing script in the wrong location maybe? I
am running using TTLS-PAP on the client (ignoring the certificate on the
client's end) and it gives me an authentication failure.

Any insight would be greatly appreciated. Thanks for reading.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Using EXEC authentication sources

Alan DeKok-2
On Sep 30, 2019, at 11:06 AM, Nate . <[hidden email]> wrote:
>
> Hello, I'm trying to test something different in my environment. I read
> that you can use external authenticators using EXEC. I have tried a basic
> setup and am running into a problem. I'm not super clear on what the logs
> are trying to tell me. I feel like the documents I'm reading must be
> outdated or wrong like many of the websites out there.
> I am simply trying to use a PHP script to return Accept; no matter what is
> called. Just to test this out.
> *auth.php contents:*

  You can't just return "accept" when the client is using EAP.  You MUST allow the full EAP conversation to run to completion.

> I feel like I must have the Executing script in the wrong location maybe? I
> am running using TTLS-PAP on the client (ignoring the certificate on the
> client's end) and it gives me an authentication failure.

  Put the accept into the inner-tunnel virtual server.  It will work for TTLS + PAP, but not for TTLS + MS-CHAP, or PEAP.

  Alan DeKok.



Re: Using EXEC authentication sources

Nate .
Sorry, things are still busy around here. I did not catch that, thank you!
I must have edited the wrong file by accident. For the most part things are
working great. I am only struggling with one last thing; I am trying to
pass the variable for the device's MAC address to the script. I am able to
collect the username, IP, and their entered PAP password perfectly fine.
It's just the MacAddr that appears to be blank every time.

I thought I was referencing it properly using Calling-Station-Id..

authorize {
        update control {
                Auth-Type := `/usr/bin/php -f /etc/freeradius/auth.php
'%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'
'%{Calling-Station-Id}'`
        }
}

A side question I have as well. Do you happen to know of a way to pass
these parameters securely, or a way to prevent injection attacks using this
execution method?

Thanks again for the help,



Re: Using EXEC authentication sources

Alan DeKok-2
On Oct 3, 2019, at 4:30 PM, Nate . <[hidden email]> wrote:
>
> Sorry, things are still busy around here. I did not catch that, thank you!
> I must have edited the wrong file by accident. For the most part things are
> working great. I am only struggling with one last thing; I am trying to
> pass the variable for the device's MAC address to the script. I am able to
> collect the username, IP, and their entered PAP password perfectly fine.
> It's just the MacAddr that appears to be blank every time.
>
> I thought I was referencing it properly using Calling-Station-Id..

  As always, read the debug output to see where Calling-Station-ID shows up.

> authorize {
>        update control {
>                Auth-Type := `/usr/bin/php -f /etc/freeradius/auth.php
> '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'
> '%{Calling-Station-Id}'`
>        }
> }
>
> A side question I have as well. Do you happen to know of a way to pass
> these parameters securely, or a way to prevent injection attacks using this
> execution method?

  Don't exec a program where anything can read the program arguments.  Use an interpreted module like rlm_perl or rlm_python.

  Alan DeKok.



Re: Using EXEC authentication sources

Nate .
The Calling-Station-ID shows up in the outer portion, eap & "default", but
not the inner-tunnel. I just don't understand how I'm supposed to set a
custom variable to pass to the inner tunnel for use like this.

I'll have to look at the python module when I have the free time, sounds
much nicer than what I'm being told to do.. I'm required to use PHP for
this job, so I can't just go with the python module unless it was
warranted, unfortunately. I've expressed my concerns about the security of
this method, but they do not care and want it done this way. Their argument
is that the server will be locked down with hardware-only access once it is
completed. My task is simply to collect the user login and device identity,
passing it on to their secondary system for processing, then it will respond
with Ok or Fail.



Re: Using EXEC authentication sources

Alan DeKok-2
On Oct 4, 2019, at 9:21 AM, Nate . <[hidden email]> wrote:
>
> The Calling-Station-ID shows up in the outer portion, eap & "default", but
> not the inner-tunnel. I just don't understand how I'm supposed to set a
> custom variable to pass to the inner tunnel for use like this.

  You don't.  You read "man unlang", which tells you how to reference an outer attribute from the inner-tunnel.  Instead of

        Calling-Station-Id

do

        outer.request:Calling-Station-Id

  There are examples of this kind of thing all through the default configuration files, including "inner-tunnel".

> I'll have to look at the python module when I have the free time, sounds
> much nicer than what I'm being told to do.. I'm required to use PHP for
> this job, so I can't just go with the python module unless it was
> warranted, unfortunately. I've expressed my concerns about the security of
> this method, but they do not care and want it done this way. Their argument
> is that the server will be locked down with hardware-only access once it is
> completed. My task is simply to collect the user login and device identity,
> passing it on to their secondary system for processing, then it will respond
> with Ok or Fail.

  Exec also has performance issues.  But if they prefer PHP to Python, they don't care about that either.

  Alan DeKok.


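Alan's two points in this thread (keep the password off a command line that anything on the box can read, and reference the outer request's Calling-Station-Id from the inner-tunnel) combined into one added example that is not code from the thread or from the FreeRADIUS project: an rlm_python authorize hook doing what the backtick exec did, with the attributes arriving in-process as a tuple instead of as argv. It assumes the inner-tunnel's authorize section has already copied outer.request:Calling-Station-Id into the request, that `radiusd` is the module rlm_python injects at load time, and that `_DEMO_TABLE` / `_demo_decide` are constructed stand-ins for the site's secondary Ok/Fail system.

```python
import hmac
import re

try:
    import radiusd  # only importable when loaded by rlm_python (assumed API)
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_NOOP = radiusd.RLM_MODULE_NOOP
    RLM_MODULE_UPDATED = radiusd.RLM_MODULE_UPDATED
except ImportError:  # stand-alone run: rlm_python's numeric return codes
    RLM_MODULE_REJECT, RLM_MODULE_NOOP, RLM_MODULE_UPDATED = 0, 7, 8

# Constructed stand-in for the "secondary system": (user, mac) -> password.
_DEMO_TABLE = {("alice", "e8508b47d53e"): "s3cret"}


def normalise_mac(value):
    """Return Calling-Station-Id as 12 lowercase hex digits, or None when it
    is missing or malformed. NAS vendors send several spellings:
    E8-50-8B-47-D5-3E, e8:50:8b:47:d5:3e, e850.8b47.d53e."""
    digits = re.sub(r"[-:.]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def _demo_decide(user, password, mac):
    """Constructed decision hook returning the backend's 'Ok' or 'Fail'.
    compare_digest keeps the comparison constant-time."""
    expected = _DEMO_TABLE.get((user, mac), "")
    return "Ok" if hmac.compare_digest(expected.encode(), password.encode()) else "Fail"


def authorize(p, decide=_demo_decide):
    """rlm_python authorize entry point: p is a tuple of (attribute, value)
    string pairs. FreeRADIUS calls it with p alone; a deployment replaces
    `decide` with the real call to the secondary system."""
    req = dict(p)  # later duplicates win; fine for the three attrs used here
    user = req.get("User-Name")
    password = req.get("User-Password")
    mac = normalise_mac(req.get("Calling-Station-Id"))
    if not user or password is None or mac is None:
        # Incomplete request: set nothing and let the rest of authorize run.
        return RLM_MODULE_NOOP
    if decide(user, password, mac) != "Ok":
        return (RLM_MODULE_REJECT, (("Reply-Message", "denied"),), ())
    # Same control attribute the exec version set, delivered via the
    # config tuple instead of stdout.
    return (RLM_MODULE_UPDATED, (), (("Auth-Type", "Accept"),))
```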