custom auth script just for pap
Alan DeKok
2018-11-16 11:39:23 UTC
Is there a way to add a custom auth script just for PAP?

if (User-Password) {
    ... run script ...
}

Alan DeKok.

List info/subscribe/unsubscribe? Se
Alan DeKok
2018-11-16 11:45:39 UTC
Does that go in authorize or authenticate?
At some point, it helps to understand the system you're configuring. Read the technical guide here:


You shouldn't just ask a question every time you run into a problem.

Alan DeKok.

Alan DeKok
2018-11-16 14:03:08 UTC
I have read all 58 pages of the Technical Guide and scanned through the "main page" (which is basically a copy).
I still don't know how to implement a custom authorisation.
a) log in with eap-mschapv2 and only if Access-Accept, run a custom script to do an MFA which could cause the result to become an Access-Reject.
b) log in with pap and run a custom auth script (which does MFA) which results in an Access-Accept or Reject.
I couldn't find anywhere in the documentation to help me with this. Could you point me to the page? I think I understand that it is probably best done in the Authenticate section.
There is no documentation that says "how to implement Christian Salways configuration".

You have to put the pieces together yourself. The RADIUS ecosystem is complex enough that it is *impossible* to give guides for every possible thing that everyone could possibly want to do.

There *is* documentation that says:

a) how to check for things

b) how to do things

I gave you an example of how to check for User-Password (i.e. PAP), and do something. If you read the configuration and examples, you will see that there is detailed documentation for how to run external programs. See the "exec" module.

Then, put the two pieces together. "If user password, run my custom exec module".

Yes, I could give you line by line instructions for how to do this. And yes, I could spend *24 hours a day* doing that for people. And yes, you would not learn anything. And yes, you would be unable to maintain the system you built.

This is not just me being obtuse. This is me insisting that you *understand* not only how to configure the server, but also how to *solve problems*. Just asking questions on the mailing list isn't an option.

Alan DeKok.

Alan DeKok
2018-11-16 14:40:18 UTC
I don't want to come across as ungrateful. You and the team are doing a fantastic job at looking after FreeRADIUS and no, I'm not expecting documentation on "how to implement Christian Salways configuration" (although that would be awesome if I could put a request in).
The problem is when you say "there is no documentation saying how to do what I want", that really comes across as "how to implement Christian Salways configuration"
I know there is an exec module. I used it to add AD Groups to a Reply in the Class field
post-auth {
    foreach &reply:memberOf {
        update {
            &reply:Class += "%{exec:/etc/raddb/extract-ad-group.sh %{Foreach-Variable-0}}"
        }
    }
}
That's not an "exec" module. That's a dynamic expansion.
But this exec is inside quotes. What you have explained sounds like it can go out of quotes, which I doubt since exec can also stand on its own.
authorize {
if (User-Name) {
exec: "/path/to/file '%{User-Name}' '%{User-Password}'" <-- I'm guessing this is meant to return an exit code that means Accept/Reject
Nothing in the documentation says that this kind of thing is possible. The "man unlang" documentation is very clear on the format of the configuration files. The hundreds of examples show nothing like what you're doing here.

You can't just *invent* syntax and expect it to work.
There is nowhere I could find in the docs or examples that gives this format.
Because it isn't allowed. The documentation should be VERY clear on what is allowed.

This shouldn't be difficult. When I say "use the exec module", you should already understand what a "module" is, and where it's configured. The documentation makes this abundantly clear.

See the "mods-available" directory. And perhaps unsurprisingly, there's a file called "exec". Which describes what the "exec" module is, and how to use it.

This is really a major problem. If you've read the docs and still aren't clear what a "module" is, or where the module configuration lives, then that's a problem which is difficult for me to solve.

Alan DeKok.

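The two pieces discussed in this thread, put together as an added example (not part of the original posts and not the FreeRADIUS project's own configuration): an instance of the exec module, called from authorize only when the request carries User-Password. The instance name mfa_check, the file name and the script path /usr/local/bin/mfa-check are hypothetical. The request attributes reach the script through its environment rather than its command line, so the password is not part of the program's argument list.

```conf
# mods-available/mfa_check   (hypothetical file name; link it into mods-enabled/)
#
# A named instance of the "exec" module. The instance name "mfa_check"
# is what gets listed in the virtual server below.
exec mfa_check {
	# Wait for the program to exit, so that its exit status becomes the
	# module's return code (0 = ok, 1 = reject).
	wait = yes

	# Hypothetical script path. No %{User-Password} expansion here:
	# the script reads its input from environment variables instead.
	program = "/usr/local/bin/mfa-check"

	# Export the attributes of the request list to the program's
	# environment (User-Name becomes USER_NAME, and so on).
	input_pairs = request

	# Escape attribute values before they are handed to the program.
	shell_escape = yes

	# Treat a script that has not answered within 10 seconds as a failure.
	timeout = 10
}

# sites-available/default   (only the added lines are shown; the modules
# already listed in authorize stay where they are)
authorize {
	# PAP requests carry User-Password; EAP requests do not, so the
	# script is run for PAP only.
	if (&User-Password) {
		mfa_check
	}
}
```

A reject returned here ends processing of the authorize section and the server answers with Access-Reject; an ok result lets the remaining modules run as usual.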