Google authenticator : Access-Reject

Eero Volotinen eero.volotinen at iki.fi
Tue Apr 24 12:44:05 CEST 2018


Well, check all the logs and run freeradius in debug mode -XXX (if I
remember the switch correctly)

Eero

On Tue, 24 Apr 2018 at 12:34, <servernemesis at tutanota.com> wrote:

> I log with the fqdn (use_fully_qualified_names true in sssd)
> But I tried without and same problem.
>
> >
> Try radtest without the @domain part, as it is not part of the username
> Eero
> 24 Apr 2018 12:08 from servernemesis at tutanota.com:
>
>
> > PS :
> >  With this line in /etc/pam.d/sshd :
> > "auth required  /usr/local/lib/security/pam_google_authenticator.so"
> > I'm able to do ssh login with my google auth code.
> >
> >
> > 24 Apr 2018 11:48 from servernemesis at tutanota.com:
> >
> >
> >>
> >> Hello,
> >>
> >> I followed this tutorial
> >> (https://www.techdrabble.com/citrix/14-2factor-with-google-authenticator-and-netscaler)
> >> and managed to get it running on Debian 9 with FR 3.0.12 thanks to the
> >> help here. But I have another issue: when I try to authenticate with
> >> password + googleauth code, I got rejected.
> >> I'm able to log on the FR server with domain credentials without
> >> problem. The google auth code gets generated without issue either.
> >>
> >> Radtest:
> >> radtest user at mydomain.com password123456 localhost 18120 testing123
> >> Sent Access-Request Id 226 from 0.0.0.0:38763 to 127.0.0.1:1812 length 92
> >>         User-Name = "user at mydomain.com"
> >>         User-Password = "password123456"
> >>         NAS-IP-Address = 127.0.1.1
> >>         NAS-Port = 18120
> >>         Message-Authenticator = 0x00
> >>         Cleartext-Password = "password123456"
> >> Received Access-Reject Id 226 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
> >> (0) -: Expected Access-Accept got Access-Reject
> >>
> >>
> >> Log:
> >> Ready to process requests
> >> Waking up in 0.3 seconds.
> >> (0) Received Access-Request Id 226 from 127.0.0.1:38763 to 127.0.0.1:1812 length 92
> >> (0)   User-Name = "user at mydomain.com"
> >> (0)   User-Password = "password123456"
> >> (0)   NAS-IP-Address = 127.0.1.1
> >> (0)   NAS-Port = 18120
> >> (0)   Message-Authenticator = 0x53b836642c653e776b0d9f8a542fca3a
> >> (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> >> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
> >> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
> >> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> >> Waking up in 0.3 seconds.
> >> Waking up in 0.2 seconds.
> >> (0) pam: ERROR: pam_authenticate failed: Authentication failure
> >> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> >> Waking up in 0.7 seconds.
> >> (0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763 length 20
> >> Waking up in 3.9 seconds.
> >> Ready to process requests
> >>
> >> Regards
> >>
> >>
> >>
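Added example, not part of the original thread: the debug output quoted above prints User-Password in clear text, so this sketch masks password attributes before the log is shared and pulls out, per request, the reply sent and the module that logged the failure. The function names `redact` and `summarize` are hypothetical, and the sample lines are copied from the log in this thread.

```python
import re

# Constructed sample: debug lines copied from the log quoted in this thread.
SAMPLE = """\
(0) Received Access-Request Id 226 from 127.0.0.1:38763 to 127.0.0.1:1812 length 92
(0)   User-Name = "user at mydomain.com"
(0)   User-Password = "password123456"
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pam: ERROR: pam_authenticate failed: Authentication failure
(0) Sent Access-Reject Id 226 from 127.0.0.1:1812 to 127.0.0.1:38763 length 20
"""

# Password attributes, with or without the "(N)" request prefix (radtest has none).
SECRET = re.compile(
    r'^(\s*(?:\(\d+\)\s+)?(?:User-Password|Cleartext-Password)\s*=\s*)".*"\s*$')
REQ_LINE = re.compile(r'^\((\d+)\)\s+(.*)$')
MODULE_MSG = re.compile(r'^([\w.-]+): (ERROR|WARNING): (.*)$')
REPLY = re.compile(r'^Sent (Access-\w+) Id \d+')


def redact(text):
    """Mask password values so the output can be posted to a list."""
    return "\n".join(SECRET.sub(r'\1"<redacted>"', line)
                     for line in text.splitlines())


def summarize(text):
    """Map request number -> reply sent plus module ERROR/WARNING messages."""
    requests = {}
    for line in text.splitlines():
        m = REQ_LINE.match(line)
        if not m:
            continue  # "Waking up ..." and other lines not tied to a request
        req = requests.setdefault(
            int(m.group(1)), {"reply": None, "errors": [], "warnings": []})
        body = m.group(2)
        msg = MODULE_MSG.match(body)
        reply = REPLY.match(body)
        if msg:
            key = "errors" if msg.group(2) == "ERROR" else "warnings"
            req[key].append((msg.group(1), msg.group(3)))
        elif reply:
            req["reply"] = reply.group(1)
    return requests


if __name__ == "__main__":
    print(redact(SAMPLE))
    for num, info in summarize(SAMPLE).items():
        print(num, info["reply"], info["errors"])
```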

