3.40. <AuthBy EXTERNAL>

<AuthBy EXTERNAL> passes all requests to an external program, which is responsible for determining how to handle the request. It is implemented in AuthEXTERNAL.pm.

3.40.1. Command

This parameter specifies the command to run. The command can include special formatting characters. For more information, see Section 3.3. Special formatters. There is no default, and a Command must be specified. For more information about interpreting stdin, stdout, and exit status, see Section 3.40.2. Interpreting command stdin, stdout, and exit status.
# Interface to an external system
Command /usr/local/bin/doReq %T

3.40.2. Interpreting command stdin, stdout, and exit status

When the external command is run, all the attributes in the request will be formatted and passed to its standard input (stdin), one per line, in the format:
<tab> Attribute-Name = attribute_value
Each line output by the command on stdout is interpreted as a list of comma separated attribute-value pairs in the format:
Attribute-Name = attribute_value
and are returned in the reply message (if any). Any output lines that cannot be interpreted in that form are put in a Reply-Message attribute and returned in the reply message (if any). (This last behaviour is for backwards compatibility only and will not be supported indefinitely).
The exit status of the external command determines what type of reply is to be sent in response to the request:
  • 0 means reply with an acceptance. For Access-Requests, an Access-Accept will be sent. For Accounting-Requests, an Accounting-Response will be sent.
  • 1 means reply with a rejection. For Access-Requests, an Access-Reject is sent. For Accounting-Requests, no response is sent.
  • 2 means do not send any reply. This will also make the Realm fall through to the next AuthBy module if you specified more than one for this Realm. For more information, see Section 3.38.1. AuthByPolicy.
  • 3 means reply with an Access-Challenge for Access-Request. For Accounting- Requests, no response is sent.
  • Any other value means that no reply is sent and no further action is taken.
<AuthBy EXTERNAL> will wait for the external process to complete before handling more requests, so you should use this carefully, and avoid using long-running commands. If you cannot avoid long-running EXTERNAL commands, you can use the Fork parameter to force <AuthBy EXTERNAL> to fork before calling the external command. This may improve performance.
<AuthBy EXTERNAL> understands also the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.

3.40.3. DecryptPassword

This optional parameter makes AuthBy EXTERNAL decrypt the User-Password attribute before passing it to the external program. If you do not specify this, User-Password will be passed exactly as received in the request (i.e. encrypted by MD5 according to the RADIUS standard).
This is not able to decrypt CHAP or MSCHAP passwords.
# Pass plaintext passwords to the external program

3.40.4. ResultInOutput

If this optional parameter is set, AuthBy EXTERNAL will determine the type of the reply from the first line of the stdout output of the external program, rather than the exit code of the external program.
The following codes are recognised:
    Reply with an Access-Accept
    Reply with an Access-Reject
    Do not reply
    Reply with an Access-Challenge
    Reply with an Access-Reject, and do not consider any other DEFAULT users in a chained Auth-Type request