Freeradius and PHP auth script

kwintin picture kwintin · Mar 3, 2012 · Viewed 24.5k times · Source

I'm trying to authenticate FreeRADIUS users against a PHP script, with no success. I've been trying for hours to configure this correctly, and all the threads I found with Google are either dead links or obsolete...

radiusd.conf

# Installation layout. Every later path is built from these via ${...}
# expansion, so changing one here moves everything that refers to it.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#  Name of the running server
name = freeradius

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

# user/group: The name (or #number) of the user/group to run radiusd as.
# The daemon drops to this unprivileged account, and programs it starts
# (the PHP script in the exec module) presumably run as it as well, so
# the script and everything it reads must be accessible to "freerad".
user = freerad
group = freerad

#  max_request_time: The maximum time (in seconds) to handle a request.
#  With wait = yes in the exec module this also bounds how long a hung
#  PHP process can hold a request.
max_request_time = 30

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
max_requests = 1024

#  listen: Make the server listen on a particular IP address, and send
#  replies out from that address. This directive is most useful for
#  hosts with multiple IP addresses on one interface.
#  ipaddr = * binds every address on the host; port = 0 takes the
#  default port for the section's type instead of a fixed number.
listen {
    type = auth
    ipaddr = *
    port = 0
}

#  This second "listen" section is for listening on the accounting
#  port, too.  Same binding as above: all addresses, default port for
#  accounting.
listen {
    ipaddr = *
    port = 0
    type = acct
}

# No reverse DNS on client addresses (faster, no DNS dependency while
# handling a request) and no core files, which could otherwise contain
# cleartext passwords that the server holds in memory.
hostname_lookups = no
allow_core_dumps = no
# Regular expressions and the extended expansion syntax are used by the
# %{...} strings in the exec module and the unlang sections.
regular_expressions = yes
extended_expressions    = yes

# Log to ${logdir}/radius.log. Authentication requests are not logged
# at all (auth = no), so neither failed nor successful logins leave a
# trace here; auth = yes is the usual setting while bringing up a new
# authentication path, and it is also what makes repeated failures
# visible. Keep auth_badpass/auth_goodpass at "no" so the log never
# records the passwords themselves.
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
}

# Helper the server can run to ask a NAS whether a user is still logged
# in (used for Simultaneous-Use checks); not otherwise referenced here.
checkrad = ${sbindir}/checkrad

# Limits on what is accepted from a NAS. reject_delay = 1 holds every
# Access-Reject for a second, which slows down password guessing;
# status_server = yes answers Status-Server probes so monitoring can
# tell the daemon is alive.
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}

# No proxying: every request is handled locally, so the empty
# pre-proxy/post-proxy sections in the virtual server are never used.
proxy_requests  = off

# CLIENTS CONFIGURATION
# This single entry accepts RADIUS packets from any source address
# (0.0.0.0/0), and the shared secret is the literal word "secret". The
# secret is the only thing that authenticates a NAS to this server and
# the only thing hiding User-Password on the wire, so beyond a local
# test: list the real NAS addresses as separate clients and give each
# a long, random secret.
client 0.0.0.0/0 {
    secret = secret
    shortname = wireless
}

# THREAD POOL CONFIGURATION
# Worker threads: start 5, never more than 32, keep 3-10 idle. Because
# the exec module uses wait = yes, a thread is tied up for the lifetime
# of one PHP process, so max_servers effectively caps how many scripts
# run at once. max_requests_per_server = 0 leaves threads running
# instead of recycling them after a number of requests.
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

# MODULE CONFIGURATION
# Load every file under ${confdir}/modules/ (this is where the
# modules/exec file shown further down comes from) plus the EAP config.
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}

# Instantiation
# Modules listed here are instantiated at startup, in this order, even
# if no virtual server refers to them.
instantiate {
    exec
    expr
    expiration
    logintime
}

# Policies, then every virtual server present in sites-enabled/. The
# sites-available/default file shown below only takes effect if it is
# linked into sites-enabled/ (presumably as a symlink).
$INCLUDE policy.conf

$INCLUDE sites-enabled/

modules/exec

# Instance of rlm_exec named "exec". With wait = yes the server blocks
# until the program exits and, as I recall, treats a non-zero exit
# status as a module failure. Request attributes are handed to the
# program (input_pairs = request, as environment variables if I recall
# correctly) and any attribute lines it prints are added to the reply
# (output_pairs = reply).
#
# NOTE(review): %{User-Name} and %{User-Password} are put on the
# command line, which other local processes can normally read (e.g.
# with ps), so the cleartext password is exposed to every local user
# for as long as the PHP process runs; the same values are already
# reachable by the script through input_pairs, which avoids this.
# shell_escape = yes escapes the expanded values so client-supplied
# attribute content cannot be read as extra arguments -- keep it on.
# Also, %{User-Password} exists only for PAP; CHAP and EAP requests
# expand it to nothing.
exec {
    wait = yes 
    program = "/usr/bin/php -f /usr/local/auth.php %{User-Name} %{User-Password}"
    input_pairs = request 
    output_pairs = reply
    shell_escape = yes
}

sites-available/default

# Request pre-processing. "exec" runs the PHP script here, but with the
# module settings above its output only becomes reply attributes
# (output_pairs = reply); nothing in this chain turns an "Accept"
# printed by the script into a decision. Auth-Type is still chosen by
# chap/pap below, and those modules then need a password the server
# already knows for the user, which the (empty) users file does not
# supply -- the likely reason requests are rejected. The answer further
# down sets Auth-Type from the script's output instead.
authorize {
    preprocess
    exec
    chap
    suffix
    files
    expiration
    logintime
    pap
}

# Runs the module selected by Auth-Type. pap and chap verify the
# password against one the server already knows for the user; eap
# handles EAP-Message. None of them consult the PHP script.
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    eap
}


# Accounting pre-processing: derive a unique session id (acct_unique)
# and match the users file before the packet is recorded.
preacct {
    preprocess
    acct_unique
    suffix
    files
}

# Accounting packets. "exec" is listed here as well, so the PHP script
# is started for every accounting packet too; those carry no
# User-Password, so its second argument expands to nothing and the
# script has to cope with that.
accounting {
    detail
    radutmp
    exec
    attr_filter.accounting_response
}

# Simultaneous-Use checks look up the radutmp database.
session {
    radutmp
}

# Runs after the authentication decision. "exec" fires again here, so
# an accepted request starts the PHP script a second time. Rejects go
# to the Post-Auth-Type REJECT sub-section, where attr_filter strips
# attributes that are not allowed in an Access-Reject.
post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

# Unused: proxy_requests = off in radiusd.conf.
pre-proxy {
}

# Unused: proxy_requests = off in radiusd.conf.
post-proxy {
}

Although I have no idea what to put in the users file...

Answer

ChrisG picture ChrisG · Dec 14, 2012

It's actually quite easy. Remove everything you did and start over.

Go into your sites-enabled/default file.

Go into the authorize section and add the following. Replace yourscript.php with the path to your script. Make sure the radiusd user has permission to run the script.

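authorize{
    # Run the script and use what it prints ("Accept" or "Reject") as the
    # Auth-Type. Because Auth-Type is forced here, pap/chap never check
    # the password: the script's output is the entire authentication
    # decision, and any other output (a PHP warning, an empty string)
    # gives an unknown Auth-Type and the request is rejected.
    # NOTE(review): the expanded values come straight from the client.
    # Confirm how this FreeRADIUS version splits and escapes a backtick
    # command before relying on the single quotes to keep a value that
    # contains spaces or quotes as one argument. %{User-Password} is
    # only present for PAP, and %{Client-IP-Address} is the address of
    # the NAS (the device the user connects to), not of the user.
    update control { 
        Auth-Type := `/usr/bin/php -f /etc/raddb/yourscript.php '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'`
    }
}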

Make sure your script echoes "Accept" or "Reject" without the quotation marks. This should authenticate your user.

Since someone requested how to pull attributes -

Open up the /etc/raddb/users file and add the following:

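# Matches every user. "Auth-Type = Accept" is a check item that skips
# the password modules (pap/chap) entirely, so the password is verified
# only if the script does it: Exec-Program-Wait runs the program and,
# as I recall, rejects the request when it exits non-zero, adding the
# attribute lines it prints to the reply. A script that only echoes
# attributes and always exits 0 accepts every request.
# The reply item must start with whitespace (a tab here); at column 0
# it would be parsed as a new entry for a user named "Exec-Program-Wait".
DEFAULT Auth-Type = Accept
	Exec-Program-Wait = "/usr/bin/php -f  /etc/raddb/yourscript.php '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'"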

Essentially you're telling it that if the Auth-Type is Accept, it should execute the following script and pull the attributes. Make sure your PHP script just echoes out the attributes. Depending on the vendor, the attributes will obviously be different.

Edits-

  • Added attributes information

  • Added '%{Client-IP-Address}' to specify the device the user is trying to connect to