Google authenticator : Access-Reject

Eero Volotinen eero.volotinen at iki.fi
Wed Apr 25 09:55:02 CEST 2018


Well, the radius secret can also be wrong for your client.

The radius secret is in client.conf and it's tied to the client IP address. Check it
out and test again.

Anyway, in your config you need to use only the google code, not the password.

Eero

Wed 25 Apr 2018 at 10:49 <servernemesis at tutanota.com> wrote:

> Hello,
>
> No because if I login with SSH, it works :
>
> Apr 25 09:45:10 SRV-FREERADIUS sshd(pam_google_authenticator)[1885]: Accepted google_authenticator for user
> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: Accepted password for user from 192.168.50.68 port 50020 ssh2
> Apr 25 09:45:11 SRV-FREERADIUS sshd[1885]: pam_unix(sshd:session): session opened for user user by (uid=0)
> Apr 25 09:45:11 SRV-FREERADIUS systemd-logind[535]: New session 11 of user user.
>
> I don't get why it's not working with the radius...
>
> 25 Apr 2018 09:46 from eero.volotinen at iki.fi:
>
>
> > It means that the code is wrong? Is the server using ntp and is the clock in sync,
> > and is the mobile in sync?
> >
> > Try the following: log in as the user, delete the .google* file from the user's home
> > directory.
> >
> > Run google-authenticator without params, select time based token/auth,
> > and add the new authenticator code to google auth on the phone.
> >
> > Eero
> >
> > Wed 25 Apr 2018 at 10:39 <servernemesis at tutanota.com> wrote:
> >
> >> PS: If I disable the domain suffix for the users on the server (being
> >> able to login with just "user"), I get
> >>
> >> Apr 25 09:27:42 SRV-FREERADIUS radiusd(pam_google_authenticator)[1661]:
> >> Invalid verification code for user
> >>
> >>
> >> 25 Apr 2018 09:15 from servernemesis at tutanota.com:
> >>
> >>
> >> > I tried
> >> >
> >> > #
> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> > #
> >> >
> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> > #
> >> >
> >> > #@include common-auth
> >> > #@include common-account
> >> > #@include common-password
> >> > #@include common-session
> >> > auth required  /usr/local/lib/security/pam_google_authenticator.so
> >> >
> >> > and
> >> >
> >> > #
> >> > # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> >> > #
> >> >
> >> > # We fall back to the system default in /etc/pam.d/common-*
> >> > #
> >> >
> >> > #@include common-auth
> >> > #@include common-account
> >> > #@include common-password
> >> > #@include common-session
> >> > auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
> >> > auth required pam_unix.so use_first_pass
> >> >
> >> > In both cases :
> >> >
> >> > Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]: user("user") not found
> >> > Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]: No secret configured for user user, asking for code anyway.
> >> > Apr 25 09:05:43 SRV-FREERADIUS radiusd(pam_google_authenticator)[6847]: Invalid verification code for user
> >> >
> >> >
> >> >
> >> > 24 Apr 2018 19:21 from eero.volotinen at iki.fi:
> >> >
> >> >
> >> >> You need to enable pam logging on google authenticator.
> >> >>
> >> >> What is the content of /etc/pam.d/radiusd?
> >> >>
> >> >> Eero
> >> >>
> >> >> Tue 24 Apr 2018 at 17:29 <servernemesis at tutanota.com> wrote:
> >> >>
> >> >>> Thanks, it looks better but it's still failing :
> >> >>>
> >> >>> Ready to process requests
> >> >>> (0) Received Access-Request Id 113 from 127.0.0.1:34793 to 127.0.0.1:1812 length 92
> >> >>> (0)   User-Name = "user at mydomain.com"
> >> >>> (0)   User-Password = "password123456"
> >> >>> (0)   NAS-IP-Address = 127.0.1.1
> >> >>> (0)   NAS-Port = 18120
> >> >>> (0)   Message-Authenticator = 0xd028fefb31c1de33ebec1d53011953ce
> >> >>> (0) # Executing section authorize from file
> >> >>> /etc/freeradius/3.0/sites-enabled/default
> >> >>> (0)   authorize {
> >> >>> (0)     policy filter_username {
> >> >>> (0)       if (&User-Name) {
> >> >>> (0)       if (&User-Name)  -> TRUE
> >> >>> (0)       if (&User-Name)  {
> >> >>> (0)         if (&User-Name =~ / /) {
> >> >>> (0)         if (&User-Name =~ / /)  -> FALSE
> >> >>> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> >> >>> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> >> >>> (0)         if (&User-Name =~ /\.\./ ) {
> >> >>> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> >> >>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> >> >>> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
> >> >>> (0)         if (&User-Name =~ /\.$/)  {
> >> >>> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> >> >>> (0)         if (&User-Name =~ /@\./)  {
> >> >>> (0)         if (&User-Name =~ /@\./)   -> FALSE
> >> >>> (0)       } # if (&User-Name)  = notfound
> >> >>> (0)     } # policy filter_username = notfound
> >> >>> (0)     [preprocess] = ok
> >> >>> (0)     [chap] = noop
> >> >>> (0)     [mschap] = noop
> >> >>> (0)     [digest] = noop
> >> >>> (0) suffix: Checking for suffix after "@"
> >> >>> (0) suffix: Looking up realm "mydomain.com" for User-Name = "user at mydomain.com"
> >> >>> (0) suffix: Found realm "mydomain.com"
> >> >>> (0) suffix: Adding Stripped-User-Name = "user"
> >> >>> (0) suffix: Adding Realm = "mydomain.com"
> >> >>> (0) suffix: Authentication realm is LOCAL
> >> >>> (0)     [suffix] = ok
> >> >>> (0) eap: No EAP-Message, not doing EAP
> >> >>> (0)     [eap] = noop
> >> >>> (0) files: users: Matched entry DEFAULT at line 221
> >> >>> (0)     [files] = ok
> >> >>> (0)     [expiration] = noop
> >> >>> (0)     [logintime] = noop
> >> >>> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
> >> >>> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
> >> >>> (0)     [pap] = noop
> >> >>> (0)   } # authorize = ok
> >> >>> (0) Found Auth-Type = pam
> >> >>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> >> >>> (0)   authenticate {
> >> >>> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> >> >>> (0) pam: ERROR: pam_authenticate failed: Authentication failure
> >> >>> (0)     [pam] = reject
> >> >>> (0)   } # authenticate = reject
> >> >>> (0) Failed to authenticate the user
> >> >>> (0) Using Post-Auth-Type Reject
> >> >>> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> >> >>> (0)   Post-Auth-Type REJECT {
> >> >>> (0) attr_filter.access_reject: EXPAND %{User-Name}
> >> >>> (0) attr_filter.access_reject:    --> user at mydomain.com
> >> >>> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> >> >>> (0)     [attr_filter.access_reject] = updated
> >> >>> (0)     [eap] = noop
> >> >>> (0)     policy remove_reply_message_if_eap {
> >> >>> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> >> >>> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> >> >>> (0)       else {
> >> >>> (0)         [noop] = noop
> >> >>> (0)       } # else = noop
> >> >>> (0)     } # policy remove_reply_message_if_eap = noop
> >> >>> (0)   } # Post-Auth-Type REJECT = updated
> >> >>> (0) Delaying response for 1.000000 seconds
> >> >>> Waking up in 0.3 seconds.
> >> >>> Waking up in 0.6 seconds.
> >> >>> (0) Sending delayed response
> >> >>> (0) Sent Access-Reject Id 113 from 127.0.0.1:1812 to 127.0.0.1:34793 length 20
> >> >>> Waking up in 3.9 seconds.
> >> >>> (0) Cleaning up request packet ID 113 with timestamp +11
> >> >>> Ready to process requests
> >> >>>
> >> >>>
> >> >>> 24 Apr 2018 16:40 from aland at deployingradius.com:
> >> >>>
> >> >>>
> >> >>> > On Apr 24, 2018, at 10:23 AM, <servernemesis at tutanota.com> wrote:
> >> >>> >>
> >> >>> >> My FR server is domain joined, and its krb5 realm is mydomain.com
> >> >>> >> I don't know where I could specify the domain for PAM.
> >> >>> >
> >> >>> >   I didn't tell you to specify the domain for PAM.
> >> >>> >
> >> >>> >> I'm not sure what you mean by "If it doesn't know about the domain,
> >> >>> >> then add a realm for "mydomain.com".  Make it LOCAL (see proxy.conf)."
> >> >>> >> Should I edit the /etc/pam.d/radiusd ? What's proxy.conf ?
> >> >>> >
> >> >>> >   You know you're on the FreeRADIUS mailing list, right?  proxy.conf is
> >> >>> > for FreeRADIUS, not PAM.
> >> >>> >
> >> >>> >   No, don't edit the /etc/pam.d/radiusd file.  If I had meant to edit
> >> >>> > that file, I would have told you to edit that file.
> >> >>> >
> >> >>> >   Look in the /etc/raddb (or on debian / Ubuntu) /etc/freeradius
> >> >>> > directory.  The proxy.conf file is there.  Read it.
> >> >>> >
> >> >>> >   Alan DeKok.
> >> >>> >
> >> >>> >
> >> >>> > -
> >> >>> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
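As an added example, not code from this thread and not the pam_google_authenticator module's own code, the Python below models the two mechanisms the thread turns on: TOTP verification with a clock-skew window (the reason Eero asks about ntp and the phone clock, and the path that ends in the module's "Invalid verification code" line) and the forward_pass split that turns a single User-Password such as "password123456" into a password for pam_unix plus a 6-digit code. The 30 s step, 6 digits and 3-step window are the module's documented defaults; the function names, the simplified `split_forward_pass` model and the test secret (the RFC 6238 SHA-1 seed, base32-encoded the way google-authenticator stores it) are assumptions constructed here.

```python
"""TOTP verification with a clock-skew window plus a forward_pass split.
Added example, not code from the thread or from pam_google_authenticator.
Defaults mirror the module's documented ones; names and test data are
constructed for this example."""
import base64
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 / Google Authenticator default)
DIGITS = 6     # code length the phone app shows
WINDOW = 3     # steps accepted: the current one plus one on either side

# Constructed test secret: the RFC 6238 SHA-1 seed "12345678901234567890",
# base32-encoded as google-authenticator would write it to ~/.google_authenticator
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, unix_time // step)


def verify(secret_b32: str, code: str, server_time: int, window: int = WINDOW):
    """Return the step offset at which `code` matches (-1, 0 or +1 for window=3),
    or None, which is the outcome logged as "Invalid verification code"."""
    half = window // 2
    centre = server_time // STEP
    for offset in range(-half, half + 1):
        if hmac.compare_digest(hotp(secret_b32, centre + offset), code):
            return offset
    return None


def split_forward_pass(user_password: str, digits: int = DIGITS):
    """Model of the forward_pass option (assumption, simplified): the user types
    password followed by the code in one string; the module takes the trailing
    digits as the verification code and forwards the rest to the next PAM module,
    which picks it up via use_first_pass. Returns (password, code) or None."""
    if len(user_password) <= digits or not user_password[-digits:].isdigit():
        return None
    return user_password[:-digits], user_password[-digits:]


if __name__ == "__main__":
    phone_time = 1111111109               # RFC 6238 test vector time
    code = totp(TEST_SECRET_B32, phone_time)
    for skew in (0, 20, 120):             # server clock ahead of the phone by N seconds
        result = verify(TEST_SECRET_B32, code, phone_time + skew)
        print(f"skew {skew:>3}s -> {'accepted at offset %d' % result if result is not None else 'Invalid verification code'}")
    print(split_forward_pass("password123456"))   # ("password", "123456")
```

Run as a script it prints an accept for 0 s and 20 s of skew and a reject at 120 s, which is why a server or phone drifting more than one step is reported as a bad code even though the secret is right. What the model cannot show is the earlier "No secret configured for user user" line in the thread: that message comes from the module failing to read the per-user secret before any code is checked, so the first thing to verify on the server is that the account radiusd runs under can actually read that user's secret file (the module's `secret=` and `user=` options exist to relocate it somewhere radiusd can read), and only then look at codes and clocks.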