I successfully managed to deploy a freeradius server and created a python script which does an additional check on the user (incoming request). I checked the internet (resources for freeradius are pretty horrible) and only found a thread which explains some basics about adding a python script to the process.
Right now I have it inside /etc/freeradius/sites-enabled/default under the authorize section:
update control {
    Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}' '%{User-Password}'`
}
My test.py file spits Reject or Accept. I also have sql authentication set up with freeradius and the problem is that, if my script returns Accept, any other authorization request under it is ignored; the response will still be an Accept even if the sql check rejects the user.
From what I understand I should pass a noop instead of Accept to allow freeradius to continue and only pass Reject if I need to reject the user, but if I respond with noop the server complains.
Any ideas? Maybe I need to add my code to the Authentication section? How?
Yes. That is by design. You're telling FreeRADIUS to Accept that user. It won't bother with anything else in your authorize section. I believe you are correct in that you want your script to return a noop instead of an Accept if you want other authorization methods to be used in conjunction with it.
You should review the unlang manpage if you haven't already as well as the rlm_python manpage. Also read all comments in the configuration files.
You haven't specified what you're trying to make FreeRADIUS do at a conceptual level so I'm not really sure how to advise you further. I however have had excellent results with the FreeRADIUS-Users mailing list. It is frequented by the developers and many people that have a deep understanding of FreeRADIUS and its capability. I would read their FAQ prior to posting (users that don't are often banned), describe what you want to do both at a broad, conceptual level and at the implementation level (like you've done here) and make sure you submit the entirety of your debugging output.
The reason I suggest you go to the mailing list is I suspect there is a better way to accomplish your goals but I'm not familiar enough with rlm_python to suggest a way forward. Regardless, it doesn't seem right to use the unlang rules to call a python script...
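
An added example, not part of the question or the answer above and not FreeRADIUS project code: a sketch of the same "reject or stay out of the way" check as an rlm_python authorize hook, returning noop so that later modules such as sql still run and returning reject only when the check fails. The denylist, the helper names and the fallback constants used when the file is run outside the server are assumptions.

```python
"""Added example: authorize hook for rlm_python (not from the original post)."""
try:
    import radiusd  # provided by FreeRADIUS when loaded through rlm_python
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_NOOP = radiusd.RLM_MODULE_NOOP
except ImportError:
    # Outside the server (unit tests): values as in FreeRADIUS's radiusd.py stub.
    RLM_MODULE_REJECT = 0
    RLM_MODULE_NOOP = 7

# Hypothetical policy data; replace with the real additional check.
BLOCKED_USERS = {"mallory", "disabled-svc"}


def _attrs(p):
    """Turn rlm_python's tuple of (name, value) pairs into a dict."""
    out = {}
    for name, value in p or ():
        # Assumption: some versions wrap string values in double quotes.
        out.setdefault(name, str(value).strip('"'))
    return out


def extra_check(username):
    """Hypothetical check: return True when the user may proceed."""
    if not username:
        return False
    return username.lower() not in BLOCKED_USERS


def authorize(p):
    """Called by rlm_python in the authorize section."""
    user = _attrs(p).get("User-Name", "")
    if extra_check(user):
        # No decision made here: sql and the other modules decide.
        return RLM_MODULE_NOOP
    # Reject with a Reply-Message; no control attributes are set,
    # so Auth-Type is never forced to Accept by this hook.
    return (RLM_MODULE_REJECT,
            (("Reply-Message", "Rejected by additional check"),),
            ())
```

Because the hook reads only User-Name from the request attributes, the password no longer has to be passed on a command line as in the exec-based version.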