PAM authentication not working

Deepti kulkarni deepti.kdeeps at gmail.com
Fri Feb 8 21:32:39 CET 2013


Sorry about the incomplete previous email,

Try by adding
jwinius       Auth-Type = pam
                Cleartext-Password := xxx

Deepti


On Fri, Feb 8, 2013 at 12:31 PM, Deepti kulkarni <deepti.kdeeps at gmail.com> wrote:

> Try by adding
> jwinius Cleartext-Password := xxx
>
>
>
> On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius <jwinius at umrk.nl> wrote:
>
>> Hi folks,
>>
>> Having managed to get freeradius 2.10 to run on Debian squeeze with a
>> username and password defined in /etc/freeradius/users, I was hoping to
>> take a step forward by getting it to authenticate users through PAM. But,
>> that's not working out as I had hoped.
>>
>> Could somebody please tell me what's missing, or what I'm doing wrong? So
>> far I have done the following:
>>
>> 1.) Copied a set of 4096-bit MD5 SSL certificates that were used in the
>> previous configuration to the /etc/freeradius/certs directory. To generate
>> them, each time I used "LongStringNumberOne" for both the input and output
>> passwords.
>> Among the encryption files generated are ca.pem, dh, server.key and
>> server.pem. The ca.pem file was also copied to my laptop's /etc/certs
>> directory and is used with wpasupplicant for testing the system.
>>
>> 2.) Added the following lines to the end of /etc/freeradius/clients:
>>
>>   client 192.168.2.0/24 {
>>       secret     = LongStringNumberTwo
>>       shortname  = mynet
>>   }
>>
>> 3.) Added the following line to the end of /etc/freeradius/users:
>>
>>   DEFAULT Auth-Type = Pam
>>
>> 4.) In /etc/freeradius/eap.conf I changed the values of the following two
>> attributes to:
>>
>>   default_eap_type = ttls
>>   private_key_password = LongStringNumberOne
>>
>> 5.) In /etc/freeradius/radiusd.conf I changed the value of the following
>> attribute to:
>>
>>   user = root
>>
>> 6.) In both /etc/freeradius/sites-enabled/default and
>> /etc/freeradius/sites-enabled/inner-tunnel, I uncommented the "pam"
>> entry in section "authenticate".
>>
>> 7.) Some sources suggest changing it, but I chose to leave the contents
>> of /etc/pam.d/radiusd unmodified:
>>
>>   @include common-auth
>>   @include common-account
>>   @include common-password
>>   @include common-session
>>
>> 8.) My NAS is a Linksys WRT54GS running DD-WRT v24 firmware and is
>> configured as follows:
>>
>>   Wireless Mode                  AP
>>   Wireless Network Mode          Mixed
>>   Wireless Network Name (SSID)   mynet
>>   Wireless Channel               6 - 2.437 GHz
>>   Wireless SSID Broadcast        Enable
>>   Network Configuration          Bridged
>>
>>   Security Mode                  WPA2 Enterprise
>>   WPA Algorithms                 TKIP+AES
>>   RADIUS Server Address          192.168.2.12
>>   RADIUS Server Port             1812
>>   RADIUS Shared Secret           LongStringNumberTwo
>>   Key Renewal Interval (in sec.) 3600
>>
>> Unfortunately, after starting the server in debugging mode with
>> "freeradius -X", my client's authentication attempts get rejected and I get
>> the following output from the freeradius server:
>>
>> =========================================
>>
>> rad_recv: Access-Request packet from host 192.168.2.2 port 1025, id=0, length=245
>> Cleaning up request 6 ID 0 with timestamp +12
>> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> WARNING: !! EAP session for state 0x2ecb21dd28cc340c did not finish!
>> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
>> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>         User-Name = "jwinius"
>>         NAS-IP-Address = 192.168.2.2
>>         Called-Station-Id = "0014bf72f676"
>>         Calling-Station-Id = "00110a81fb2b"
>>         NAS-Identifier = "0014bf72f676"
>>         NAS-Port = 17
>>         Framed-MTU = 1400
>>         State = 0x2ecb21dd28cc340c8873b5871c637572
>>         NAS-Port-Type = Wireless-802.11
>>         EAP-Message = 0x020700701500170301002073bdd7051dfb44f3caccd4c92...
>>         Message-Authenticator = 0x6cbe906a70bc7ee95f9ad3365a0471b0
>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = "jwinius", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] EAP packet type response id 7 length 112
>> [eap] Continuing tunnel setup.
>> ++[eap] returns ok
>> Found Auth-Type = EAP
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group authenticate {...}
>> [eap] Request found, released from the list
>> [eap] EAP/ttls
>> [eap] processing type ttls
>> [ttls] Authenticate
>> [ttls] processing EAP-TLS
>> [ttls] eaptls_verify returned 7
>> [ttls] Done initial handshake
>> [ttls] eaptls_process returned 7
>> [ttls] Session established.  Proceeding to decode tunneled attributes.
>> [ttls] Got tunneled request
>>         EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
>>         FreeRADIUS-Proxied-To = 127.0.0.1
>> [ttls] Sending tunneled request
>>         EAP-Message = 0x0201001604109f00ed2b3ff2dd5111997f0ba6cee99e
>>         FreeRADIUS-Proxied-To = 127.0.0.1
>>         User-Name = "jwinius"
>>         State = 0xdbd7fca1dbd6f80c791225e3340ea6e4
>> server inner-tunnel {
>> # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
>> +- entering group authorize {...}
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> [suffix] No '@' in User-Name = "jwinius", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> ++[control] returns noop
>> [eap] EAP packet type response id 1 length 22
>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> [files] users: Matched entry DEFAULT at line 211
>> ++[files] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> ++[pap] returns noop
>> Found Auth-Type = EAP
>> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
>> +- entering group authenticate {...}
>> [eap] Request found, released from the list
>> [eap] EAP/md5
>> [eap] processing type md5
>> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
>> [eap] Handler failed in EAP/md5
>> [eap] Failed in EAP select
>> ++[eap] returns invalid
>> Failed to authenticate the user.
>> } # server inner-tunnel
>> [ttls] Got tunneled reply code 3
>>         EAP-Message = 0x04010004
>>         Message-Authenticator = 0x00000000000000000000000000000000
>> [ttls] Got tunneled Access-Reject
>> [eap] Handler failed in EAP/ttls
>> rlm_eap_ttls: Freeing handler for user jwinius
>> [eap] Failed in EAP select
>> ++[eap] returns invalid
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group REJECT {...}
>> [attr_filter.access_reject]         expand: %{User-Name} -> jwinius
>>  attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 7 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 7
>> Sending Access-Reject of id 0 to 192.168.2.2 port 1025
>>         EAP-Message = 0x04070004
>>         Message-Authenticator = 0x00000000000000000000000000000000
>>
>> =========================================
>>
>> Any idea what I'm doing wrong?
>>
>> Thanks,
>>
>> Jaap
>
>
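
An added example, not part of the original posts: a small Python parser that pulls the relevant facts out of the inner-tunnel block of the debug output quoted above, namely the Auth-Type the server selected, the inner EAP method, the attribute that method demanded, and whether the pam module ran at all. The function name `diagnose` and the result keys are made up for this illustration.

```python
import re

# Excerpt of the inner-tunnel part of the debug output quoted above
# (mail quote markers removed); used here as sample input.
SAMPLE = """\
[ttls] Got tunneled request
server inner-tunnel {
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 211
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled Access-Reject
"""

def diagnose(log):
    """Summarise the 'server inner-tunnel { ... }' block of `freeradius -X` output."""
    inner, in_tunnel = [], False
    for raw in log.splitlines():
        line = re.sub(r"^[>\s]+", "", raw)   # tolerate mailing-list quoting
        if line.startswith("server inner-tunnel {"):
            in_tunnel = True
        elif line.startswith("} # server inner-tunnel"):
            in_tunnel = False
        elif in_tunnel:
            inner.append(line)
    text = "\n".join(inner)

    def first(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None

    return {
        "auth_type": first(r"^Found Auth-Type = (\S+)"),
        "inner_eap_method": first(r"^\[eap\] processing type (\S+)"),
        "required_attribute": first(r"^rlm_eap_\w+: (\S+) is required"),
        "pam_ran": re.search(r"^\+\+\[pam\] returns", text, re.M) is not None,
        "failed_modules": re.findall(
            r"^\+\+\[([\w.]+)\] returns (?:invalid|reject|fail)$", text, re.M),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On the excerpt it reports Auth-Type EAP, inner method md5, a demand for Cleartext-Password, and no pam module execution inside the tunnel.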