使用exec模块拒绝后，Post Auth Reject不起作用

Question

我有FreeRADIUS版本3.0.21，我正在尝试使用外部FreeRADIUS脚本验证用户，脚本工作正常，我的问题是它在从脚本拒绝后没有插入到radpostauth表中，这是当我获得拒绝用户时的调试模式

0) Received Access-Request Id 71 from 127.0.0.1:47913 to 127.0.0.1:1812 length 100
(0)   User-Name = "Aboserifaban"
(0)   User-Password = "123456"
(0)   Calling-Station-Id = "4e:f9:5e:77:0c:9a"
(0)   NAS-Port = 102
(0)   NAS-IP-Address = 103.200.57.138
(0)   Framed-Protocol = PPP
(0)   Framed-IP-Address = 192.168.0.1
(0)   NAS-Identifier = "nas"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "Aboserifaban", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 48
(0) files: EXPAND /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "%{User-Name}" "%{User-Password}" "%{Calling-Station-Id}" "%{NAS-Port-Id}" "%{NAS-IP-Address}" "%{Framed-Protocol}" "%{Framed-IP-Address}"
(0) files:    --> /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1"
(0)     [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> Aboserifaban
(0) sql: SQL-User-Name set to 'Aboserifaban'
rlm_sql (sql): Reserved connection (0)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Aboserifaban' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Aboserifaban' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Cleartext-Password := "123456"
(0) sql:   Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Aboserifaban' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Aboserifaban' ORDER BY id
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
Need 6 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'cloudradius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
(0)     [sql] = ok
(0)     if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
(0)     if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)  -> FALSE
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
(0)   session {
(0) sql: EXPAND %{User-Name}
(0) sql:    --> Aboserifaban
(0) sql: SQL-User-Name set to 'Aboserifaban'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql:    --> SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
rlm_sql (sql): Released connection (2)
(0)     [sql] = ok
(0)   } # session = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0) exec: Executing: /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1":
(0) exec: ERROR: Program returned code (1) and output 'Reply-Message := "Your Account has been expired."'
(0)     [exec] = reject
(0)   } # post-auth = reject
(0) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 71 from 127.0.0.1:1812 to 127.0.0.1:47913 length 52
(0)   Reply-Message := "Your Account has been expired."
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 71 with timestamp +3
Ready to process requests


as  you see above it rejected the user but it seems the SQL module not running  ,
this is my configuration in  POST-Auth section in default file
post-auth {

  exec
  sql
Post-Auth-Type REJECT {

update reply {
            Reply-Message = "Rejected: invalid username or password..!"
}

                # log failed authentications in SQL, too.
exec
sql

}



}

当我在Post-auth部分中停止exec，并且它工作正常并且将结果插入到radpostauth表中时，请帮助我解决这个问题，谢谢提前致以最好的问候

Answer 1

我相信，你应该把过滤器放在Post-auth-type Reject部分。这应该能做好你的工作。