help w/ pam_radius_auth

Gun Akkor gakkor at patton.com
Thu Aug 10 16:47:34 CEST 2006


Hello,

I am new to the list and a newbie on RADIUS. My problem is 
not directly related to using freeradius, but rather 
accessing a RADIUS server via the pam_radius_auth module. 
Since this module seems to be supported/maintained under 
freeradius, I hope to get some help from the list members.

I have a (cistron-based, running on an Ubuntu box) RADIUS 
server configured w/ IP address 192.168.200.1. Under 
"users" file, there is a default entry to authenticate 
users against the system /etc/passwd file. Under "clients" 
file, there is an entry for IP address 192.168.200.10 w/ a 
shared secret "somesecret". There is a user "gakkor" w/ 
password "dummy" in the /etc/passwd file in the box that 
the server resides. I am running the server in debug mode 
"/usr/sbin/radiusd -sfxxyz -l stdout"

I have a client machine, running a Linux based system. If 
I use the test client "radtest" w/

#> radtest gakkor dummy 192.168.200.1 101 somesecret

everything works fine. I get the following debug output 
from the server:

radrecv: Packet from host 192.168.200.10 code=1, id=219, length=58
     User-Name = "gakkor"
     User-Password = "\326)\312g\tEL\351\033\031\271\234vmE\206"
     NAS-IP-Address = 192.168.200.10
     NAS-Port = 101
   users: Matched DEFAULT at line 136
   auth: System
Sending Ack of id 219 to 192.168.200.10
Login OK: [gakkor/dummy] (from nas nas1/S101)

Now, instead of the radtest, I want to use an application 
called "authmanager" which makes a call to the 
pam_sm_authenticate method of the pam_radius_auth module, 
with the same username/password. The "server" file under 
/etc/raddb (on client side) has an entry "192.168.200.1 
somesecret". So, the shared secrets are the same both for 
the client and server. The /etc/pam.conf file has an entry

authmanager auth    required    /usr/lib/pam_radius_auth.so skip_passwd

However, I see that the password sent to the server 
becomes garbled and authentication fails. Here is the 
output from the server in this scenario....

radrecv: Packet from host 192.168.200.10 code=1, id=94, length=79
     User-Name = "gakkor"
     User-Password = "b\364f\330\214\250\271\274\"G\2258\371\217\\\330"
     NAS-IP-Address = 192.168.200.10
     NAS-Identifier = "authmanager"
     NAS-Port = 229
     NAS-Port-Type = Virtual
     Service-Type = Authenticate-Only
   users: Matched DEFAULT at line 136
   auth: System
Sending Reject of id 94 to 192.168.200.10
Login incorrect: [gakkor/];:/A@] (from nas nas1/S229)

Notice, that the debug output has unprintable characters 
for password... The syslog message on the client side 
says:

pam_radius_auth: packet from RADIUS server 192.168.200.1 fails verification: The shared secret is probably incorrect.
  
This seems like a problem with the MD5 hashing or 
byte-order. The client and server both are little-endian. 
And as far as I can tell from the PAM module code, the 
default case is also little-endian as far as the byte-order 
is concerned.

Any suggestions as to where I might be going wrong?

Thanks in advance,
Gun Akkor

Staff Scientist,
Patton Electronics, Co.
Gaithersburg, MD
gakkor AT patton DOT com
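
Added example (not part of the original post, and not pam_radius_auth or cistron code): a minimal Python model of the two RFC 2865 computations that depend on the shared secret, User-Password hiding and the Response Authenticator check. It shows what each side sees when the secret bytes fed into MD5 differ; the Request Authenticator and the mismatched secret "other-secret" are constructed values.

```python
import hashlib
import hmac
import struct

def _keystream_xor(data: bytes, secret: bytes, prev: bytes) -> bytes:
    # XOR one 16-byte block with MD5(secret + previous block or authenticator).
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: RFC 2865 section 5.2 User-Password hiding."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the hiding with the server's copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _keystream_xor(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")

def build_reply(code: int, ident: int, attrs: bytes,
                request_auth: bytes, secret: bytes) -> bytes:
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the authenticator with the client's secret."""
    expected = build_reply(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet)

if __name__ == "__main__":
    ra = bytes(range(16))                                   # constructed Request Authenticator
    hidden = hide_password(b"dummy", b"somesecret", ra)
    print(unhide_password(hidden, b"somesecret", ra))       # same secret: password recovered
    print(unhide_password(hidden, b"other-secret", ra))     # constructed mismatch: raw bytes
    reject = build_reply(3, 94, b"", ra, b"other-secret")   # 3 = Access-Reject
    print(verify_reply(reject, ra, b"somesecret"))          # client-side check of the reply
```

The same outcome follows from any difference in the bytes hashed on the two sides, not only from a differently typed secret.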


