Re: Controlling with Auth-Type a client must use
Madsen.Jan JMD
JMD at kmd.dk
Fri Jul 23 08:01:43 CEST 2010
Hello Alan
Thanks for the answer.
But I already did that!!!
I configured my passwd module with kmdov3; it works fine.
I added kmdov3 at the top of the authorize section of sites-enabled/default:
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
kmdov3
...
..
unix
...
..
pap
But the unix authorization is still used, and the client is rejected because of the invalid shell.
Is it not possible to force a single client to use only one type of authorization, e.g. kmdov3?
Do I need to add something to the authentication section?
Here is the full debug log of the client call; you can see that kmdov3 returns OK but the unix one fails with the invalid shell:
rad_recv: Access-Request packet from host 131.165.80.37 port 9183, id=169, length=61
User-Name = "jmd"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 8158
NAS-Port-Type = Virtual
Fri Jul 23 07:57:40 2010 : Info: +- entering group authorize {...}
Fri Jul 23 07:57:40 2010 : Info: ++[preprocess] returns ok
Fri Jul 23 07:57:40 2010 : Info: [kmdov3] Added crypt-Password: 'TLw0SiK4QfQxg' to config_items
Fri Jul 23 07:57:40 2010 : Info: ++[kmdov3] returns ok
Fri Jul 23 07:57:40 2010 : Info: [radius_group] Added Radius1-Group: 'wcs-superadmin' to request_items
Fri Jul 23 07:57:40 2010 : Info: ++[radius_group] returns ok
Fri Jul 23 07:57:40 2010 : Info: ++[chap] returns noop
Fri Jul 23 07:57:40 2010 : Info: ++[mschap] returns noop
Fri Jul 23 07:57:40 2010 : Info: [suffix] No '@' in User-Name = "jmd", looking up realm NULL
Fri Jul 23 07:57:40 2010 : Info: [suffix] No such realm "NULL"
Fri Jul 23 07:57:40 2010 : Info: ++[suffix] returns noop
Fri Jul 23 07:57:40 2010 : Info: [eap] No EAP-Message, not doing EAP
Fri Jul 23 07:57:40 2010 : Info: ++[eap] returns noop
Fri Jul 23 07:57:40 2010 : Auth: [unix] [jmd]: invalid shell [/bin/bash1]
Fri Jul 23 07:57:40 2010 : Info: ++[unix] returns reject
Fri Jul 23 07:57:40 2010 : Info: Using Post-Auth-Type Reject
Fri Jul 23 07:57:40 2010 : Info: +- entering group REJECT {...}
Fri Jul 23 07:57:40 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> jmd
Fri Jul 23 07:57:40 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jul 23 07:57:40 2010 : Info: ++[attr_filter.access_reject] returns updated
Fri Jul 23 07:57:40 2010 : Info: Delaying reject of request 1 for 1 seconds
Fri Jul 23 07:57:40 2010 : Debug: Going to the next request
Fri Jul 23 07:57:40 2010 : Debug: Waking up in 0.9 seconds.
Fri Jul 23 07:57:41 2010 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 169 to 131.165.80.37 port 9183
Fri Jul 23 07:57:41 2010 : Debug: Waking up in 4.9 seconds.
Fri Jul 23 07:57:46 2010 : Info: Cleaning up request 1 ID 169 with timestamp +89
Fri Jul 23 07:57:46 2010 : Info: Ready to process requests.
Best regards
Jan Madsen
-----Original message-----
From: freeradius-users-bounces+jmd=kmd.dk at lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd.dk at lists.freeradius.org] On behalf of Alan DeKok
Sent: 22 July 2010 14:20
To: FreeRadius users mailing list
Subject: Re: Controlling with Auth-Type a client must use
Madsen.Jan JMD wrote:
> I’m using the module passwd working fine, and I have enabled unix
> authentication in my default section.
Don't. Use "pap". It can do crypt authentication.
> Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash]
> Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject
Which is what the Unix module does.
> But what I want to do is to set the client ONLY to use kmdov3 as my
> authentication and not the Unix one. Is this possible?
No. You want "crypt" authentication, without checking /etc/passwd.
Use the "pap" module.
When you say "only to use kmdov3 as my authentication", it means you
have confused authorization and authentication. They are *very* different.
> I have been trying to use the Auth-Type attribute, but can’t figure out
> how to tell that I want to use the kmdov3 authentication type.
Don't. Don't set Auth-Type. In the default configuration, all you
need to do is:
1) configure the kmdov3 module in raddb/modules
2) list "kmdov3" in the "authorize" section *before* the "pap" module
3) authentication *will* work
Alan DeKok.
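
A small triage helper for debug output like the log above, added here as an example (it is not part of the original messages or of FreeRADIUS): it reports which module returned reject, in which section, and which modules in that section had already returned ok. The function name `triage` and the sample lines are constructed for illustration, modelled on the log quoted in the message.

```python
import re

# Constructed sample, modelled on the debug lines quoted in the message above.
SAMPLE = """\
Fri Jul 23 07:57:40 2010 : Info: +- entering group authorize {...}
Fri Jul 23 07:57:40 2010 : Info: ++[preprocess] returns ok
Fri Jul 23 07:57:40 2010 : Info: ++[kmdov3] returns ok
Fri Jul 23 07:57:40 2010 : Info: [eap] No EAP-Message, not doing EAP
Fri Jul 23 07:57:40 2010 : Info: ++[eap] returns noop
Fri Jul 23 07:57:40 2010 : Auth: [unix] [jmd]: invalid shell [/bin/bash1]
Fri Jul 23 07:57:40 2010 : Info: ++[unix] returns reject
Fri Jul 23 07:57:40 2010 : Info: +- entering group REJECT {...}
Fri Jul 23 07:57:40 2010 : Info: ++[attr_filter.access_reject] returns updated
"""

GROUP = re.compile(r"\+- entering group (\S+)")
RESULT = re.compile(r"\+\+\[([^\]]+)\] returns (\w+)")
AUTH_MSG = re.compile(r": Auth: \[([^\]]+)\] (.*)$")


def triage(log):
    """Find the first module that returned reject and what ran before it.

    Returns None when no module rejected, else a dict naming the section,
    the rejecting module, its Auth: message (if any) and the modules in the
    same section that had already returned ok.
    """
    section, results, reasons = None, [], {}
    for line in log.splitlines():
        if m := GROUP.search(line):
            section, results = m.group(1), []   # new section: reset results
        elif m := AUTH_MSG.search(line):
            reasons[m.group(1)] = m.group(2)    # e.g. "invalid shell ..."
        elif m := RESULT.search(line):
            module, code = m.groups()
            if code == "reject":
                return {
                    "section": section,
                    "rejected_by": module,
                    "reason": reasons.get(module),
                    "ok_before": [n for n, c in results if c == "ok"],
                }
            results.append((module, code))
    return None


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the reject is attributed to `unix` inside the `authorize` section, after `kmdov3` had already returned ok there.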