PAM authentication not working
Deepti kulkarni
deepti.kdeeps at gmail.com
Fri Feb 8 21:31:27 CET 2013
Try by adding
jwinius Cleartext-Password := xxx
On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius <jwinius at umrk.nl> wrote:
> Hi folks,
>
> Having managed to get freeradius 2.10 to run on Debian squeeze with a
> username and password defined in /etc/freeradius/users, I was hoping to
> take a step forward by getting it to authenticate users through PAM. But,
> that's not working out as I had hoped.
>
> Could somebody please tell me what's missing, or what I'm doing wrong? So
> far I have done the following:
>
> 1.) Copied a set of 4096-bit MD5 SSL certificates that were used in the
> previous configuration to the /etc/freeradius/certs directory. To generate
> them, each time I used "LongStringNumberOne" for both the input and output
> passwords.
> Among the encryption files generated are ca.pem, dh, server.key and
> server.pem. The ca.pem file was also copied to my laptop's /etc/certs
> directory and is used with wpasupplicant for testing the system.
>
> 2.) Added the following lines to the end of /etc/freeradius/clients:
>
> client 192.168.2.0/24 {
> secret = LongStringNumberTwo
> shortname = mynet
> }
>
> 3.) Added the following line to the end of /etc/freeradius/users:
>
> DEFAULT Auth-Type = Pam
>
> 4.) In /etc/freeradius/eap.conf I changed the values of the following two
> attributes to:
>
> default_eap_type = ttls
> private_key_password = LongStringNumberOne
>
> 5.) In /etc/freeradius/radiusd.conf I changed the value of the following
> attribute to:
>
> user = root
>
> 6.) In both /etc/freeradius/sites-enabled/default and
> /etc/freeradius/sites-enabled/inner-tunnel, I uncommented the "pam"
> entry in section "authenticate".
>
> 7.) Some sources suggest changing it, but I chose to leave the contents of
> /etc/pam.d/radiusd unmodified:
>
> @include common-auth
> @include common-account
> @include common-password
> @include common-session
>
> 8.) My NAS is a Linksys WRT54GS running DD-WRT v24 firmware and is
> configured as follows:
>
> Wireless Mode AP
> Wireless Network Mode Mixed
> Wireless Network Name (SSID) mynet
> Wireless Channel 6 - 2.437 GHz
> Wireless SSID Broadcast Enable
> Network Configuration Bridged
>
> Security Mode WPA2 Enterprise
> WPA Algorithms TKIP+AES
> RADIUS Server Address 192.168.2.12
> RADIUS Server Port 1812
> RADIUS Shared Secret LongStringNumberTwo
> Key Renewal Interval (in sec.) 3600
>
> Unfortunately, after starting the server in debugging mode with
> "freeradius -X", my client's authentication attempts get rejected and I get
> the following output from the freeradius server:
>
> =========================================
>
> rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0,
> length=245
> Cleaning up request 6 ID 0 with timestamp +12
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> User-Name = "jwinius"
> NAS-IP-Address = 192.168.2.2
> Called-Station-Id = "0014bf72f676"
> Calling-Station-Id = "00110a81fb2b"
> NAS-Identifier = "0014bf72f676"
> NAS-Port = 17
> Framed-MTU = 1400
> State = 0x2ecb21dd28cc340c8873b5871c637572
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020700701500170301002073bdd7051dfb44f3caccd4c92...
> Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a0471b0
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "jwinius", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 7 length 112
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] eaptls_verify returned 7
> [ttls] Done initial handshake
> [ttls] eaptls_process returned 7
> [ttls] Session established. Proceeding to decode tunneled attributes.
> [ttls] Got tunneled request
> EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
> FreeRADIUS-Proxied-To = 127.0.0.1
> [ttls] Sending tunneled request
> EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "jwinius"
> State = 0xdbd7fca1dbd6f80c791225e3340ea6e4
> server inner-tunnel {
> # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jwinius", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 1 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 211
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/md5
> [eap] processing type md5
> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
> [eap] Handler failed in EAP/md5
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> } # server inner-tunnel
> [ttls] Got tunneled reply code 3
> EAP-Message = 0x04010004
> Message-Authenticator = 0x00000000000000000000000000000000
> [ttls] Got tunneled Access-Reject
> [eap] Handler failed in EAP/ttls
> rlm_eap_ttls: Freeing handler for user jwinius
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> jwinius
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 0 to 192.168.2.2 port 1025
> EAP-Message = 0x04070004
> Message-Authenticator = 0x00000000000000000000000000000000
>
> =========================================
>
> Any idea what I'm doing wrong?
>
> Thanks,
>
> Jaap
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
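The quoted trace already pins down why PAM is never consulted, and it is worth reading it mechanically rather than by eye. The script below is an added triage example (my code, not from the thread or from the FreeRADIUS project): it parses a FreeRADIUS 2.x `radiusd -X` trace into the outer `default` virtual server and the `inner-tunnel` server, records which EAP type each one negotiated, which Auth-Type each settled on, which modules ran in each section and which `users` entry matched, and turns that into a root-cause summary. The embedded sample trace is a constructed, trimmed copy of the one in the question. The findings it encodes are standard FreeRADIUS 2.x behaviour: rlm_eap_md5 can only verify an MD5 challenge/response if it knows a Cleartext-Password, rlm_pam needs a cleartext User-Password in the request to hand to the PAM stack, and the `=` operator in the `users` file adds an attribute only when it is not already present (here rlm_eap had already set Auth-Type = EAP in the inner authorize section).

```python
"""Triage a FreeRADIUS 2.x ``radiusd -X`` trace for an EAP-TTLS reject.

Added example; not code from the thread or from the FreeRADIUS project.
Splits the trace into the outer ``default`` virtual server and the
``inner-tunnel`` server, records per server the EAP type negotiated, the
Auth-Type settled on, the modules run per section, the matched ``users``
entry and any ``rlm_*:`` messages, then summarises why rlm_pam never ran.
"""
import re

# Constructed sample: a trimmed copy of the trace posted in the question.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0, length=245
+- entering group authorize {...}
++[preprocess] returns ok
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] processing type ttls
server inner-tunnel {
+- entering group authorize {...}
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 211
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
++[eap] returns invalid
} # server inner-tunnel
[ttls] Got tunneled Access-Reject
++[eap] returns invalid
"""

RE_SERVER_OPEN = re.compile(r"^server (\S+) \{$")
RE_SERVER_CLOSE = re.compile(r"^\} # server (\S+)$")
RE_SECTION = re.compile(r"^\+- entering group (\w+) \{")
RE_MODULE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)$")
RE_AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)$")
RE_EAP_TYPE = re.compile(r"^\[eap\] processing type (\w+)$")
RE_USERS_MATCH = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)$")
RE_RLM_MESSAGE = re.compile(r"^(rlm_\w+): (.+)$")


def _new_server():
    return {"section": None, "modules": [], "auth_type": None,
            "eap_types": [], "users_match": None, "messages": []}


def parse_trace(text):
    """Return {virtual_server: state} for the outer server and each tunnel server."""
    servers = {"default": _new_server()}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()  # real -X output indents the inner-tunnel lines
        if m := RE_SERVER_OPEN.match(line):
            current = m.group(1)
            servers.setdefault(current, _new_server())
            continue
        if RE_SERVER_CLOSE.match(line):
            current = "default"  # 2.x tunnel servers do not nest further
            continue
        srv = servers[current]
        if m := RE_SECTION.match(line):
            srv["section"] = m.group(1)
        elif m := RE_MODULE.match(line):
            srv["modules"].append((srv["section"], m.group(1), m.group(2)))
        elif m := RE_AUTH_TYPE.match(line):
            srv["auth_type"] = m.group(1)
        elif m := RE_EAP_TYPE.match(line):
            srv["eap_types"].append(m.group(1))
        elif m := RE_USERS_MATCH.match(line):
            srv["users_match"] = (m.group(1), int(m.group(2)))
        elif m := RE_RLM_MESSAGE.match(line):
            srv["messages"].append((m.group(1), m.group(2)))
    return servers


def modules_run(server, section):
    """Names of the modules that executed in one section, in order."""
    return [mod for sec, mod, _rc in server["modules"] if sec == section]


def diagnose(servers):
    """Explain why rlm_pam never saw the request; returns a list of findings."""
    inner = servers.get("inner-tunnel")
    if inner is None:
        return ["no inner-tunnel section: the TLS tunnel was never established"]
    findings = []
    if "md5" in inner["eap_types"]:
        findings.append("inner method is EAP-MD5: the server sees a challenge/response, "
                        "never the password, so it has nothing to hand to PAM")
    if any(mod == "rlm_eap_md5" and "Cleartext-Password" in msg
           for mod, msg in inner["messages"]):
        findings.append("rlm_eap_md5 needs a known Cleartext-Password and none was set")
    if inner["users_match"] and inner["auth_type"] == "EAP":
        entry, line_no = inner["users_match"]
        findings.append(f"users entry {entry} (line {line_no}) matched, but Auth-Type was "
                        "already EAP because rlm_eap ran before rlm_files; '=' only adds "
                        "the attribute when absent, so 'Auth-Type = Pam' never applied")
    if "pam" not in modules_run(inner, "authenticate"):
        findings.append("rlm_pam never ran in inner-tunnel authenticate")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```

Run it with `python3 triage.py` and it prints the four findings for the sample; feed it a full `-X` capture and it will cope with the indentation that real inner-tunnel output carries. The practical consequence for the setup in the question is that the supplicant's inner method has to carry the password itself, which for wpa_supplicant with EAP-TTLS means `phase2="auth=PAP"`: then rlm_eap returns noop in the inner authorize section, the `users` entry sets Auth-Type = Pam, and the pam module in inner-tunnel authenticate receives a User-Password it can pass to the PAM stack. Two caveats: TTLS/PAP carries that password in clear inside the TLS tunnel, so the supplicant must keep validating the server certificate against ca.pem (the question's step 1), and running the daemon as root only so that pam_unix can read /etc/shadow is a large privilege grant; on Debian, adding the freerad user to the shadow group is the usual least-privilege alternative.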