List:       freeradius-users
Subject:    Reply with Access-Reject from exec
From:       Adnan Miljkovic <adnan () green ! ba>
Date:       2013-11-30 22:59:15
Message-ID: CAF3cVrH=F271SVy0pS+Szs5ARKQRmZJ8CPft4v-M4-BCUda-nQ () mail ! gmail ! com

Hello,

I am using exec to check users against an external script. Up until now I am
able to successfully authenticate the user and send back several
attributes that are used by the NAS. So when user data are OK, everything
is fine.

My problem is how to deny access to the user, how to send "Access-Reject"?
What should I send back in my exec program?

Possibly my setup is wrong? My current setup:

authorize {
.....
    update control {
        Auth-Type := CheckUser
    }
.....
}

authenticate {
....
        Auth-Type CheckUser {
                checkuser
        }
.....
}


The output "Access-Accept" is always sent back to NAS:
==================================================
++[sql] = notfound
++update control {
++} # update control = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = CheckUser
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group CheckUser {
[checkuser]     expand: %{User-Name} -> student.name
[checkuser]     expand: %{User-Password} -> password
Exec output: fail     = 1
Exec plaintext: fail     = 1
[checkuser] Exec: program returned: 0
++[checkuser] = ok
+} # group CheckUser = ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 117 to 127.0.0.1 port 57009
==================================================

I am using version 2.2.2.

All help is much appreciated.
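
Added example, not part of the original message or of FreeRADIUS: in the debug output above the program printed `fail = 1` but exited with status 0, and the module result was `ok`. Assuming the `checkuser` exec instance runs with `wait = yes`, where rlm_exec maps exit status 0 to `ok` and 1 to `reject`, a fail-closed check script signals denial through its exit status. `lookup_password`, the credential table and the `Session-Timeout` value are constructed stand-ins.

```shell
#!/bin/sh
# Added example: fail-closed check script for an rlm_exec instance (wait = yes).
# Assumption: rlm_exec maps exit status 0 -> ok and 1 -> reject; text on
# stdout is parsed as attribute pairs and does not decide accept vs. reject.

# Constructed credential table standing in for the real external backend.
lookup_password() {
    case "$1" in
        student.name) printf '%s' 'password' ;;
        *) return 1 ;;                      # unknown user
    esac
}

# checkuser USER PASSWORD -> returns 0 (ok) or 1 (reject)
checkuser() {
    # Fail closed on missing or empty arguments.
    [ "$#" -eq 2 ] && [ -n "$1" ] && [ -n "$2" ] || return 1
    expected=$(lookup_password "$1") || return 1
    [ "$2" = "$expected" ] || return 1
    # Success: reply attributes for the NAS go on stdout.
    echo 'Session-Timeout = 3600'
    return 0
}

# Demo on constructed input: print the exit status the server would see.
for pw in password wrong; do
    if checkuser student.name "$pw" >/dev/null; then rc=0; else rc=$?; fi
    echo "student.name/$pw -> exit $rc"
done

# Deployed as the exec program, the script would instead end with:
#   checkuser "$@"; exit $?
```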



