radius to pam with 2FA from duo
Alan DeKok
aland at deployingradius.com
Fri Jul 26 20:48:55 CEST 2019
On Jul 26, 2019, at 12:55 PM, Andrew Meyer via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Hello,
> I am trying to get FreeRADIUS working with 2FA. I have it mostly set up. I can see in the debug output that it says my user exists in the system. However, I'm still getting Access-Reject from my client.
>
> Here is the output from FreeRADIUS (using the FreeRADIUS repo)
> (0) Received Access-Request Id 98 from 10.150.1.190:37142 to 10.150.1.153:1812 length 92
> (0) User-Name = "test"
> (0) User-Password = "Password!1234"
> (0) NAS-IP-Address = 10.150.1.190
> (0) NAS-Port = 0
> (0) Message-Authenticator = 0xef25474df3491218de56a2d8874cfe47
> ...
> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> (0) pam: ERROR: pam_authenticate failed: Error in service module
> (0) [pam] = reject

That error comes from PAM, not from FreeRADIUS.

> [root@radius01 ~]# cat /etc/pam.d/radiusd
> #%PAM-1.0
> #auth include password-auth
> auth requisite pam_duo.so forward_pass
> account required pam_nologin.so
> account include password-auth
> password include password-auth
> session include password-auth
> [root@radius01 ~]#

Something in that config is wrong, or is saying "no user".

What's wrong? I don't know. PAM is fanatical about producing useless errors. And it's been ~15 years since I did anything with PAM.

> Should I have changed the radius pam config file? Should I have changed the password-auth config file instead? Eventually I want this to work with SSH.

I have no idea. Ask the PAM people how their software works.

Alan DeKok.